Security Plugins Hub

Bring your software development workflows to security


GraphQL Injection

Business Coming soon

Signals & Triggers

On GraphQL datastore access
If user input carried by a GraphQL query alters the structure of the query sent to the datastore

  • Block the HTTP request
  • Block the user
  • Log request stack trace
  • Log the malicious request
  • Report an incident

  • Send an email to all team members
  • Send a Slack notification
  • POST to your Webhook
  • Send to New Relic Insights
  • Create an incident on PagerDuty (coming soon)


GraphQL was built to delegate query capabilities to the client. In most cases, the query comes directly from the front-end application. It is then parsed and analyzed by the back-end server, and eventually delegated to other systems (a SQL or NoSQL server, another API, …).

These systems can, in turn, be vulnerable to injections and be exploited through a GraphQL query: the attacker never touches the datastore directly, the application's own resolvers carry the payload there.

Let's assume the application lists blog posts. The GraphQL query to list posts by a particular author carries the author name as an argument:

    author: "Jb"

The GraphQL resolver could translate this to SQL:

SELECT * FROM posts WHERE author = 'Jb'

If the parameter is concatenated into the SQL query without escaping (or, better, without being bound as a query parameter), an attacker can turn the argument into SQL syntax by supplying something like:

    author: "Jb' UNION SELECT * FROM users -- "

which results in the following SQL query being sent to the server:

SELECT * FROM posts WHERE author = 'Jb' UNION SELECT * FROM users -- '
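The flow above as a runnable Python example. This is added here and is not code from Sqreen or from the page; it assumes a constructed SQLite schema for the `posts` and `users` tables, a constructed GraphQL document that carries the `author` argument, and a regex to pull that argument out (a real server would use a GraphQL parser). The vulnerable resolver concatenates the argument into SQL exactly as the page describes; the safe resolver binds it as a parameter, and the same payload then matches no row at all.

```python
import re
import sqlite3

# Constructed sample schema and rows (an assumption for this example; the page only
# names the `posts` and `users` tables). Both tables have three columns so that the
# UNION in the page's payload lines up, which is what an attacker probes for.
SCHEMA = """
CREATE TABLE posts (id INTEGER, author TEXT, title TEXT);
CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT);
INSERT INTO posts VALUES (1, 'Jb', 'Hello GraphQL'), (2, 'Alice', 'Second post');
INSERT INTO users VALUES (1, 'jb@example.com', 'hash-1'), (2, 'alice@example.com', 'hash-2');
"""

# Constructed GraphQL document the front-end would send; the argument is the only
# part the client controls.
QUERY_TEMPLATE = 'query { posts(author: "%s") { id author title } }'
AUTHOR_ARG = re.compile(r'author:\s*"((?:[^"\\]|\\.)*)"')

BENIGN = "Jb"
PAYLOAD = "Jb' UNION SELECT * FROM users -- "


def open_db():
    """Fresh in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def author_from_query(document):
    """Pull the `author` string argument out of a GraphQL document.

    Illustration only: a real server would run the document through a GraphQL
    parser (graphql-core, graphql-js, ...). The point is that the value reaches
    the resolver unchanged, so whatever the client put there ends up in the SQL.
    """
    m = AUTHOR_ARG.search(document)
    return m.group(1) if m else None


def resolve_posts_vulnerable(conn, author):
    """Resolver that builds SQL the way the page describes: by string concatenation."""
    sql = f"SELECT * FROM posts WHERE author = '{author}'"
    return conn.execute(sql).fetchall()


def resolve_posts_safe(conn, author):
    """Same resolver with a bound parameter: the value can never become SQL syntax."""
    sql = "SELECT * FROM posts WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def run(resolver, author):
    """Build the GraphQL document a client would send, extract the argument, resolve it."""
    document = QUERY_TEMPLATE % author
    return resolver(open_db(), author_from_query(document))


if __name__ == "__main__":
    print("vulnerable, benign :", run(resolve_posts_vulnerable, BENIGN))
    print("vulnerable, payload:", run(resolve_posts_vulnerable, PAYLOAD))
    print("safe, payload      :", run(resolve_posts_safe, PAYLOAD))
```

With the vulnerable resolver the payload returns the one matching post plus every row of `users`; with the bound parameter the payload is just a string that no author is called, so the result is empty and the GraphQL layer never changed what the SQL does.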

Advanced details

When the application starts, the Sqreen library hooks the GraphQL library methods in order to catch queries originating from an untrusted source.

Then, in every other plugin (SQL injection, NoSQL injection, …), Sqreen checks whether data that came in through GraphQL is involved in an attack on the underlying system.

No traffic redirection is performed. The analysis of the query happens inside the application, relying on Sqreen's dynamic instrumentation of the GraphQL driver.

Because the check runs in-app, just before the query is sent to the underlying server (the very last step in your application), it sees the exact query that will be executed rather than a guess reconstructed from HTTP traffic. That is what lets Sqreen claim detection and protection against injections originating from GraphQL without false positives: a value is only flagged when it has actually changed the structure of the query about to be executed.
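An added illustration of the kind of check described above, written for this page and not Sqreen's implementation: given the final SQL string and the untrusted values that came in with the request, tokenize the SQL and report any value that does not sit inside a single token. A correctly quoted or bound value lands in one string literal or one number; a value that closes the literal and continues with `UNION`, `OR`, a comment and so on covers several tokens, which is exactly "user input altering the query structure". The tokenizer and the sample queries are constructed for the example.

```python
import re

# Tokenizer for the SQL the page's examples use (constructed for this example, not
# Sqreen's tokenizer). Order matters: comments before operators so "--" is not read
# as two minus signs, and string literals before anything that could match a quote.
TOKEN_RE = re.compile(
    r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op>[(),;=*<>!+\-/%.])
    """,
    re.VERBOSE | re.DOTALL,
)


def tokenize(sql):
    """Return (kind, text, start, end) for every non-whitespace token in `sql`."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:                       # unrecognised character, e.g. a lone quote
            tokens.append(("other", sql[pos], pos, pos + 1))
            pos += 1
            continue
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group(), m.start(), m.end()))
        pos = m.end()
    return tokens


def alters_structure(sql, value):
    """True if some occurrence of `value` in `sql` spans more than one token.

    Every occurrence is checked, so a value that legitimately equals a table or
    column name (one identifier token) is not flagged. Known limit of this
    simplified check: a value that is itself exactly one keyword or identifier
    inserted unquoted (e.g. into ORDER BY) is one token and passes.
    """
    if not value.strip():
        return False
    tokens = tokenize(sql)
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        covered = [t for t in tokens if t[2] < end and t[3] > start]
        if len(covered) != 1:
            return True
        start = sql.find(value, start + 1)
    return False


def check_query(sql, untrusted_values):
    """Mimic the trigger: given the final query and the request's untrusted values,
    return the values that changed the query's structure (empty list: no attack)."""
    return [v for v in untrusted_values if alters_structure(sql, v)]


# Constructed final queries: the page's benign and injected `author` arguments, plus
# a numeric variant to show the check does not depend on quotes.
BENIGN_SQL = "SELECT * FROM posts WHERE author = 'Jb'"
ATTACK_SQL = "SELECT * FROM posts WHERE author = 'Jb' UNION SELECT * FROM users -- '"
NUMERIC_ATTACK_SQL = "SELECT * FROM posts WHERE id = 1 OR 1=1"

if __name__ == "__main__":
    print(check_query(BENIGN_SQL, ["Jb"]))
    print(check_query(ATTACK_SQL, ["Jb' UNION SELECT * FROM users -- "]))
    print(check_query(NUMERIC_ATTACK_SQL, ["1 OR 1=1"]))
```

The check only makes sense at the point the page describes, on the fully built query right before it leaves the process: earlier in the pipeline the value has not been placed into any SQL yet, and inspecting raw HTTP traffic would force you to guess how the application will use it.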

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen

When no attack is detected
  • No data collected

On attack
  • GraphQL queries (stripped of sensitive data)
  • Request payload
  • Attacker IP
  • Attacker account (Sqreen SDK)

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

Ruby

$ echo "gem 'sqreen'" >> Gemfile

$ bundle install

$ echo "token: your token" > config/sqreen.yml

Node.js

$ npm install --save sqreen

$ echo '{ "token": "your token" }' > sqreen.json

PHP

$ curl -s > && bash your token

Python

$ pip install sqreen

$ echo -e "[sqreen]\ntoken: your token" > sqreen.ini

Java

$ curl -o sqreen.jar

Go: request your beta access for the Go agent.
.net: get notified when the .net agent releases.

Build amazing products. Keep them safe.

5 min installation · Try all features for 14 days · No credit card required