GraphQL, gRPC, WebSocket

API security checks for non-REST protocols. All three run as part of the default vulkro scan pipeline; no flag needed.

GraphQL

22 checks across schema, resolvers, and queries.

Schema and introspection:

  • Introspection enabled in production
  • __schema / __type queries reachable without auth
  • Schema-level deprecations without replacement contracts

Query shape attacks:

  • Missing depth limits (default ceiling: 7)
  • Missing complexity / cost analysis
  • Alias amplification (alias1: user(id:1) alias2: user(id:1) ...)
  • Fragment cycle bombs
  • Batched query DoS (large [Query, Query, Query, ...] bodies)
  • Field-level pagination caps absent

Authorization:

  • Field-level auth missing on sensitive fields (default to "deny unless documented")
  • Resolver-level auth uses request context inconsistently
  • IDOR shape on id-keyed root fields (cross-checked against the REST IDOR detector)

Operational:

  • csrfPrevention disabled on Apollo Server
  • playground enabled in production
  • Subscription auth missing on the WebSocket upgrade request

Rule prefix: GRAPHQL-*. Run vulkro explain GRAPHQL-001 for any specific rule.
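Added example, not vulkro's own code: a text-level query-shape analyzer in Go that reports the three properties the query-shape checks above look for in a GraphQL document: the deepest selection nesting (to compare against the depth ceiling, 7 by default), alias fan-out onto one field, and fragment spreads that cycle. It strips argument lists with a regular expression instead of parsing them, so the function names, the two constructed documents, and the stated limitation on string literals containing braces are all assumptions of this example rather than behaviour of the scanner.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Report holds the query-shape facts a depth/complexity limiter rejects on.
type Report struct {
	MaxDepth       int            // deepest selection-set nesting in any definition
	AliasDupes     map[string]int // field -> number of aliases selecting it (2 or more)
	FragmentCycles []string       // fragments whose spreads lead into a cycle
}

var (
	argsRe     = regexp.MustCompile(`\([^)]*\)`)                           // arguments, variables, directive args
	aliasRe    = regexp.MustCompile(`([A-Za-z_]\w*)\s*:\s*([A-Za-z_]\w*)`) // "alias: field" once args are gone
	fragmentRe = regexp.MustCompile(`^fragment\s+([A-Za-z_]\w*)\s+on\s+[A-Za-z_]\w*\s*\{`)
	spreadRe   = regexp.MustCompile(`^\.\.\.\s*([A-Za-z_]\w*)`)
)

// inCycle reports whether following spreads from name revisits a fragment on the current path.
func inCycle(name string, spreads map[string][]string, path map[string]bool) bool {
	if path[name] {
		return true
	}
	path[name] = true
	defer delete(path, name)
	for _, next := range spreads[name] {
		if inCycle(next, spreads, path) {
			return true
		}
	}
	return false
}

// Analyze scans an executable document (operations plus fragment definitions) as text.
// Argument lists are stripped first; string literals containing braces are not handled.
func Analyze(doc string) Report {
	s := argsRe.ReplaceAllString(doc, "")
	rep := Report{AliasDupes: map[string]int{}}
	spreads := map[string][]string{} // definition -> fragments it spreads ("" = an operation)
	cur, level := "", 0
	for i := 0; i < len(s); i++ {
		switch {
		case s[i] == '{':
			if level++; level > rep.MaxDepth {
				rep.MaxDepth = level
			}
		case s[i] == '}':
			if level--; level == 0 {
				cur = "" // top level again; what follows is an operation unless a fragment header says otherwise
			}
		case level == 0 && strings.HasPrefix(s[i:], "fragment"):
			if m := fragmentRe.FindStringSubmatch(s[i:]); m != nil {
				cur = m[1]
				i += len(m[0]) - 2 // resume on the opening brace so the '{' case counts it
			}
		case strings.HasPrefix(s[i:], "..."):
			if m := spreadRe.FindStringSubmatch(s[i:]); m != nil && m[1] != "on" { // "... on T" is inline
				spreads[cur] = append(spreads[cur], m[1])
			}
		}
	}
	for _, m := range aliasRe.FindAllStringSubmatch(s, -1) {
		rep.AliasDupes[m[2]]++
	}
	for field, n := range rep.AliasDupes {
		if n < 2 {
			delete(rep.AliasDupes, field)
		}
	}
	for name := range spreads {
		if name != "" && inCycle(name, spreads, map[string]bool{}) {
			rep.FragmentCycles = append(rep.FragmentCycles, name)
		}
	}
	sort.Strings(rep.FragmentCycles)
	return rep
}

// Constructed inputs: an alias-amplified deep query and a two-fragment cycle bomb.
const amplified = `{
  a1: user(id: 1) { friends { friends { friends { name } } } }
  a2: user(id: 1) { name }  a3: user(id: 1) { name }
}`

const cycleBomb = `{ user { ...A } }
fragment A on User { name ...B }
fragment B on User { email ...A }`

func main() {
	for _, doc := range []string{amplified, cycleBomb} {
		fmt.Printf("%+v\n", Analyze(doc))
	}
}
```

A limiter would run this (or, in production, a walk over the parsed AST) before execution and refuse the request when MaxDepth exceeds the ceiling, any AliasDupes count exceeds the batch cap, or FragmentCycles is non-empty. The GraphQL specification requires validation to reject fragment cycles, so a server that executes one has skipped validation, which is exactly the condition the fragment cycle bomb check reports.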

gRPC

15 checks across .proto definitions and the runtime server config.

  • Reflection service enabled in production (grpc.reflection.v1alpha)
  • TLS not enforced on the listener
  • Missing per-method auth interceptor
  • MaxRecvMsgSize unbounded (DoS via giant frames)
  • MaxConcurrentStreams unbounded
  • Deprecated insecure ciphers in the TLS config
  • Server-side streaming without per-call timeout
  • serverTimeNanos leaked in trailers (timing oracle)
  • Plaintext credentials in metadata headers
  • Proto fields marked bytes with no length cap
  • Missing health-check service (DoS-by-LB-flap)
  • KeepaliveEnforcementPolicy permits abusive pings
  • Service registered without recovery interceptor (panic-DoS)
  • Missing rate-limit interceptor
  • Plaintext channel constructors used in production code paths

Rule prefix: GRPC-*.
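Added example, not vulkro's own code: a small .proto linter in Go for the "bytes field with no length cap" check above. It treats a protoc-gen-validate (validate.rules).bytes.max_len or .len rule as the cap (buf.validate spells the rule the same way after its own prefix). The sample .proto is constructed for this example and UncappedBytesFields is the example's own name.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample .proto: two bytes fields carry a protoc-gen-validate length rule, three do not.
const sampleProto = `syntax = "proto3";
import "validate/validate.proto";

message UploadRequest {
  string name = 1;
  bytes payload = 2 [(validate.rules).bytes.max_len = 1048576];
  bytes thumbnail = 3;
  repeated bytes chunks = 4;
  oneof kind {
    bytes inline = 5 [(validate.rules).bytes.len = 32];
  }
}

message Pong {
  bytes opaque = 1;
}`

var (
	blockRe = regexp.MustCompile(`^\s*(message|enum|oneof)\s+(\w+)\s*\{`)
	bytesRe = regexp.MustCompile(`^\s*(?:repeated\s+|optional\s+)?bytes\s+(\w+)\s*=\s*\d+\s*(?:\[([^\]]*)\])?\s*;`)
	capRe   = regexp.MustCompile(`\bbytes\.(max_len|len)\s*=`) // protoc-gen-validate and buf.validate both use these names
)

// UncappedBytesFields returns "Message.field" for every bytes field whose options
// carry no max_len/len rule. Nesting is tracked by brace lines, so one declaration
// per line is assumed (the usual style); comments are not modelled.
func UncappedBytesFields(proto string) []string {
	var findings, scope []string // scope holds enclosing message names ("" for enum/oneof blocks)
	for _, line := range strings.Split(proto, "\n") {
		if m := blockRe.FindStringSubmatch(line); m != nil {
			if m[1] == "message" {
				scope = append(scope, m[2])
			} else {
				scope = append(scope, "")
			}
			continue
		}
		if strings.TrimSpace(line) == "}" && len(scope) > 0 {
			scope = scope[:len(scope)-1]
			continue
		}
		m := bytesRe.FindStringSubmatch(line)
		if m == nil || capRe.MatchString(m[2]) {
			continue
		}
		var path []string
		for _, s := range scope {
			if s != "" {
				path = append(path, s)
			}
		}
		findings = append(findings, strings.Join(append(path, m[1]), "."))
	}
	return findings
}

func main() {
	for _, f := range UncappedBytesFields(sampleProto) {
		fmt.Println("bytes field without length cap:", f)
	}
}
```

A max_len rule bounds one field after the message has already been decoded; MaxRecvMsgSize on the listener bounds the whole wire message before decoding starts. The two checks are listed separately above because both limits are needed: without the first, one field can still consume the entire receive budget, and without the second, the server buffers the giant frame before any validator runs.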

WebSocket

10 checks across the upgrade handshake and message handlers.

  • Origin not validated on the upgrade request
  • Subprotocol negotiation accepts anything the client offers
  • Missing authentication on the upgrade request (the browser's session cookie arrives only with the HTTP upgrade; once the socket is open no frame carries credentials, so this is the only point at which the connection can be authenticated)
  • Per-connection backpressure missing (writes that never throttle)
  • Frame size unbounded
  • Sec-WebSocket-Key not validated server-side
  • Per-message-deflate enabled without limits (CRIME-style compression oracle, plus decompression-bomb amplification)
  • Broadcast handlers that fan a single client's payload to every connection without auth scoping
  • Auth state on the socket trusted after a reconnect without re-auth
  • Plaintext (ws://) listener exposed on a non-localhost interface

Rule prefix: WS-*.
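Added example, not vulkro's own code: the server side of the upgrade handshake in Go, using only net/http, written to satisfy the Origin, Sec-WebSocket-Key and subprotocol checks above. UpgradePolicy, Validate and sampleUpgrade are names chosen for this example; the request it builds is constructed, with the key taken from the worked example in RFC 6455 so the expected Sec-WebSocket-Accept value is known in advance.

```go
package main

import (
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" // fixed handshake constant, RFC 6455 section 1.3

// UpgradePolicy is decided once by the server and never derived from the client's request.
type UpgradePolicy struct {
	AllowedOrigins []string // exact "scheme://host[:port]" values, compared case-sensitively
	Subprotocols   []string // subprotocols the server implements, in preference order
}

// tokens splits comma-separated header values such as "keep-alive, Upgrade" into trimmed tokens.
func tokens(values []string) []string {
	var out []string
	for _, v := range values {
		for _, t := range strings.Split(v, ",") {
			if t = strings.TrimSpace(t); t != "" {
				out = append(out, t)
			}
		}
	}
	return out
}

// Validate rejects anything that is not a well-formed, allow-listed upgrade and, for one
// that is, returns the Sec-WebSocket-Accept value and the negotiated subprotocol ("" if none).
func (p UpgradePolicy) Validate(r *http.Request) (accept, subprotocol string, err error) {
	connOK := false
	for _, t := range tokens(r.Header.Values("Connection")) {
		connOK = connOK || strings.EqualFold(t, "Upgrade")
	}
	if r.Method != http.MethodGet || !connOK || !strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
		return "", "", errors.New("not a websocket upgrade request")
	}
	if r.Header.Get("Sec-WebSocket-Version") != "13" {
		return "", "", errors.New("unsupported Sec-WebSocket-Version")
	}
	// Origin is set by the browser and cannot be altered by page script; a missing or
	// foreign value means another site's page is driving this socket.
	origin := r.Header.Get("Origin")
	allowed := false
	for _, o := range p.AllowedOrigins {
		allowed = allowed || origin == o
	}
	if !allowed {
		return "", "", fmt.Errorf("origin %q not allowed", origin)
	}
	// The key must be exactly 16 bytes of base64; reject anything else before hashing it.
	key := r.Header.Get("Sec-WebSocket-Key")
	if raw, decErr := base64.StdEncoding.DecodeString(key); decErr != nil || len(raw) != 16 {
		return "", "", errors.New("malformed Sec-WebSocket-Key")
	}
	sum := sha1.Sum([]byte(key + wsGUID))
	accept = base64.StdEncoding.EncodeToString(sum[:])
	// Subprotocol: intersect what the client offered with what the server implements;
	// the server's preference order wins and nothing the client sent is echoed back blindly.
	for _, mine := range p.Subprotocols {
		for _, offered := range tokens(r.Header.Values("Sec-WebSocket-Protocol")) {
			if offered == mine { // subprotocol names are case-sensitive
				return accept, mine, nil
			}
		}
	}
	return accept, "", nil
}

// sampleUpgrade builds a constructed browser-style upgrade request; the key is the
// worked example from RFC 6455, so the expected Accept value is known in advance.
func sampleUpgrade(origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "https://app.example.com/ws", nil)
	r.Header.Set("Connection", "keep-alive, Upgrade")
	r.Header.Set("Upgrade", "websocket")
	r.Header.Set("Sec-WebSocket-Version", "13")
	r.Header.Set("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")
	r.Header.Set("Sec-WebSocket-Protocol", "graphql-ws, graphql-transport-ws")
	r.Header.Set("Origin", origin)
	return r
}

func main() {
	pol := UpgradePolicy{AllowedOrigins: []string{"https://app.example.com"}, Subprotocols: []string{"graphql-transport-ws"}}
	for _, origin := range []string{"https://app.example.com", "https://evil.example"} {
		accept, sub, err := pol.Validate(sampleUpgrade(origin))
		fmt.Printf("origin=%s accept=%s subprotocol=%s err=%v\n", origin, accept, sub, err)
	}
}
```

Frame-size caps, backpressure and permessage-deflate limits belong to whatever library takes over the connection after the 101 response and are outside this block. The exact-match Origin comparison is deliberate: suffix, prefix or regex matching on Origin is how allow lists get bypassed, and a request with no Origin at all is rejected rather than waved through as "not a browser".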

Why these are in the default scan

The OWASP API Top 10 model holds across protocols: BOLA and BFLA show up in GraphQL field resolvers and gRPC method implementations exactly the way they do in REST handlers, so the same detectors apply to all three. Vulkro's taint engine follows tainted input across all three protocols without configuration.

Languages

Same coverage as the rest of the engine: Python, JavaScript, TypeScript, Go on Free; Ruby, Java/Kotlin, C#, PHP, Salesforce Apex on Pro.