
Be careful when you’re using a library that parses your GraphQL queries.

You might be vulnerable to attacks!

2. The Query vs. the Operation

Why? In REST, we have two concepts: resources and operations on those resources (e.g. GET /users). In GraphQL, we only have one concept: queries, or operations. This means that in order to parse a URL, we need to know whether it is an operation or not before parsing it. If we don't do this check correctly, there is no way for us to know what kind of query/operation was sent by the client, and thus how to handle it properly (e.g
https://t.co/EUX9sCDoKR
