Decoding GraphQL: How to Map Hidden Attack Surfaces

Antoine Carossio, Tristan Kalos

BSidesSF 2025 — Here Be Dragons · Day 1 · Main

Tristan Kalos and Antoine Carossio, co-founders of the API security company Escape, scanned the top one million domains on the internet, discovered nearly 200,000 exposed GraphQL APIs, and found an average of 90 security issues per service — three times their 2023 findings. The root of the problem: GraphQL's graph-based architecture, federation model, and feature-rich query language create attack surfaces that standard REST-focused security programs consistently miss.

AI review

Real data at scale — 200,000 GraphQL APIs fingerprinted from the Tranco top million, 90 security issues per service on average, a CVE filed against Juniper, and a practical open-source tool dropped at the end. The recursive fragment DoS and schema reconstruction via field suggestion are the kinds of specifics that make a talk worth attending. Founders of the API security company that built the scanner need to be watched for vendor pitch drift, but they mostly kept the technical content front and center.
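The recursive fragment DoS named in the review is the case where named fragments spread each other in a cycle, so an executor that expands fragments before enforcing limits never terminates. The following is an added example, not code from the talk or from Escape: a small pre-execution check that builds the fragment-spread graph of a query document, reports any cycle, and measures static selection-set nesting. The query texts are constructed samples, the regex-based scanner assumes a well-formed document (no braces inside string literals), and a production service would rely on its GraphQL library's own validation rules (graphql-js ships NoFragmentCyclesRule for exactly this) rather than a hand-rolled scanner.

```javascript
// Added example: pre-execution checks against recursive fragment queries.
// Assumption: the document is syntactically valid GraphQL and contains no
// braces inside string literals; this is a lightweight scanner, not a parser.

const IDENT = '[A-Za-z_][A-Za-z0-9_]*';

// Map each "fragment Name on Type { ... }" to the fragment names it spreads.
function fragmentGraph(document) {
  const graph = new Map();
  const defRe = new RegExp(`fragment\\s+(${IDENT})\\s+on\\s+${IDENT}\\s*\\{`, 'g');
  const spreadRe = new RegExp(`\\.\\.\\.\\s*(${IDENT})`, 'g');
  let m;
  while ((m = defRe.exec(document)) !== null) {
    // Find the brace that closes this fragment's selection set.
    const start = m.index + m[0].length - 1;
    let depth = 0;
    let i = start;
    for (; i < document.length; i++) {
      if (document[i] === '{') depth++;
      else if (document[i] === '}' && --depth === 0) break;
    }
    const body = document.slice(start, i + 1);
    const spreads = [];
    let s;
    while ((s = spreadRe.exec(body)) !== null) {
      // "... on Type { }" is an inline fragment, not a named spread.
      if (s[1] !== 'on') spreads.push(s[1]);
    }
    graph.set(m[1], spreads);
  }
  return graph;
}

// Depth-first search over the spread graph; each cycle is returned as the
// path of fragment names that leads back to its starting fragment.
function findFragmentCycles(document) {
  const graph = fragmentGraph(document);
  const cycles = [];
  const state = new Map(); // name -> 'visiting' | 'done'
  const stack = [];
  function visit(name) {
    if (state.get(name) === 'done') return;
    if (state.get(name) === 'visiting') {
      cycles.push(stack.slice(stack.indexOf(name)).concat(name));
      return;
    }
    state.set(name, 'visiting');
    stack.push(name);
    for (const next of graph.get(name) || []) visit(next);
    stack.pop();
    state.set(name, 'done');
  }
  for (const name of graph.keys()) visit(name);
  return cycles;
}

// Static nesting depth of selection sets. It does not follow fragment
// spreads, which is why the cycle check above is needed as well.
function maxSelectionDepth(document) {
  let depth = 0;
  let max = 0;
  for (const ch of document) {
    if (ch === '{' && ++depth > max) max = depth;
    else if (ch === '}') depth--;
  }
  return max;
}

// Combined gate a server could run before handing the query to the executor.
function checkQuery(document, maxDepth = 10) {
  const cycles = findFragmentCycles(document);
  const depth = maxSelectionDepth(document);
  return { ok: cycles.length === 0 && depth <= maxDepth, cycles, depth };
}

// Constructed sample: UserFields spreads FriendFields, which spreads UserFields.
const CYCLIC_QUERY = `
query { user(id: "1") { ...UserFields } }
fragment UserFields on User { id name friends { ...FriendFields } }
fragment FriendFields on User { id ...UserFields }
`;

// Constructed sample: only an inline fragment, no cycle.
const SAFE_QUERY = `
query { user(id: "1") { ...UserFields } }
fragment UserFields on User { id name ... on Admin { role } }
`;

console.log(checkQuery(CYCLIC_QUERY)); // ok: false, one cycle reported
console.log(checkQuery(SAFE_QUERY));   // ok: true, depth 2
```

The cycle check runs on the document text alone, so it can sit in front of the executor (or in a gateway in front of a federated graph) and reject the query before any resolver is called.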
