원클릭으로
sc-graphql
GraphQL injection, introspection abuse, query complexity attacks, and authorization bypass detection
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
GraphQL injection, introspection abuse, query complexity attacks, and authorization bypass detection
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-graphql |
| description | GraphQL injection, introspection abuse, query complexity attacks, and authorization bypass detection |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects GraphQL-specific security vulnerabilities including query injection, introspection information disclosure, batching abuse, nested query denial-of-service, field-level authorization bypass, and subscription hijacking. Covers Apollo Server, graphql-yoga, Strawberry, Graphene, gqlgen, and HotChocolate.
Called by sc-orchestrator during Phase 2 when GraphQL schema files, resolvers, or GraphQL dependencies are detected.
**/*.graphql, **/*.gql, **/schema.*, **/typeDefs.*, **/resolvers.*,
**/*resolver*, **/*schema*, **/*graphql*, **/mutations/*, **/queries/*,
**/subscriptions/*, **/directives/*
"typeDefs", "resolvers", "ApolloServer", "graphql-yoga", "makeExecutableSchema",
"buildSchema", "@Query", "@Mutation", "@Resolver", "GraphQLObjectType",
"introspection", "depthLimit", "costAnalysis", "complexityLimit",
"__schema", "__type", "subscription", "directive"
1. Introspection Enabled in Production
introspection: true, missing introspection config, NODE_ENV checks2. Query Depth/Complexity Limits Missing
graphql-depth-limit, depthLimit, @complexitygraphql-query-complexity, costAnalysis3. Batching Without Limits
allowBatchedHttpRequests, batch query handler, array query acceptance4. Field-Level Authorization
@auth, @hasRole, @authenticated5. SQL/NoSQL Injection in Resolvers
6. Information Disclosure via Error Messages
formatError, debug: true, stack trace exposure7. Subscription Authorization
# Attack: Deeply nested query (no depth limit)
query {
user(id: 1) {
posts {
author {
posts {
author {
posts { # ...repeating to depth 50+
title
}
}
}
}
}
}
}
// VULNERABLE: No depth or complexity limits
const server = new ApolloServer({
typeDefs,
resolvers,
});
// SAFE: With depth and complexity limits
import depthLimit from 'graphql-depth-limit';
import { createComplexityLimitRule } from 'graphql-validation-complexity';
const server = new ApolloServer({
typeDefs,
resolvers,
validationRules: [
depthLimit(10),
createComplexityLimitRule(1000),
],
introspection: process.env.NODE_ENV !== 'production',
});
// VULNERABLE: No auth check in resolver
const resolvers = {
Mutation: {
deleteUser: async (_, { id }, context) => {
return await User.findByIdAndDelete(id); // Anyone can delete any user
}
}
};
// SAFE: Auth check in resolver
const resolvers = {
Mutation: {
deleteUser: async (_, { id }, context) => {
if (!context.user || context.user.role !== 'admin') {
throw new ForbiddenError('Not authorized');
}
return await User.findByIdAndDelete(id);
}
}
};