API Testing

Automated Testing of GraphQL APIs (ATG)

This project focuses on advancing automated security testing of GraphQL APIs through innovative research and tooling. We have developed and released two major research contributions that enhance GraphQL testing capabilities through different approaches.

Research Contributions

Wendigo: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL

Wendigo is a black-box Deep Reinforcement Learning approach that discovers Denial-of-Service exploitable queries against GraphQL applications. Using only the GraphQL schema, Wendigo can discover queries capable of performing DoS attacks with just two requests per hour, as opposed to the high volume required by traditional attacks.

BenGQL: An Extensible Benchmarking Framework for Automated GraphQL Testing (ASE 2025)

BenGQL is an extensible benchmarking framework containing 23 representative open-source GraphQL server applications. This framework enables rigorous evaluation of automated testing tools across different GraphQL engines and schema complexities.

Ongoing Research

We are currently exploring advanced AI techniques, including Large Language Models, to further enhance GraphQL security testing capabilities. This research aims to develop more sophisticated and context-aware testing approaches.

Collaboration

Interested in collaborating on GraphQL security research? We welcome partnerships with researchers and industry professionals working on API security, automated testing, and AI-driven security tools.
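The Wendigo description above makes the defender's point clear: a single schema-valid query can be expensive enough that two requests per hour suffice, so rate limiting alone does not help and the server must estimate a query's cost before executing it. The following is an added illustration of that mitigation; it is not code from the Wendigo or BenGQL projects. It hand-parses a GraphQL selection set (fragments and directives are not supported), measures nesting depth, and weights each nested selection by the largest pagination argument it finds; the argument names `first`, `last` and `limit`, the cost formula (1 per field plus multiplier times the child cost), the thresholds and the sample queries are all assumptions chosen for the demo.

```python
import re

# Constructed sample queries for the demo (not from the page).
SHALLOW_QUERY = "query { user(id: 1) { name posts(first: 10) { title } } }"
DEEP_QUERY = """
query {
  user(id: 1) {
    friends(first: 100) {
      friends(first: 100) {
        friends(first: 100) { name }
      }
    }
  }
}
"""

_TOKEN_RE = re.compile(r'\{|\}|\(|\)|:|"[^"]*"|[A-Za-z_][A-Za-z0-9_]*|\d+|\S')
_LIST_ARGS = ("first", "last", "limit")  # assumed names of pagination arguments


class _QueryAnalyzer:
    """Recursive-descent walk over a GraphQL selection set (no fragments or directives)."""

    def __init__(self, query):
        self.tokens = _TOKEN_RE.findall(query)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _parse_args(self):
        """Consume '( ... )' and return the largest list-size argument seen (default 1)."""
        self._next()  # opening '('
        nesting, multiplier, prev = 1, 1, None
        while nesting:
            tok = self._next()
            if tok is None:
                raise ValueError("unterminated argument list")
            if tok in ("(", "{"):
                nesting += 1
            elif tok in (")", "}"):
                nesting -= 1
            elif tok == ":" and prev in _LIST_ARGS:
                value = self._peek()
                if value and value.isdigit():
                    multiplier = max(multiplier, int(value))
            prev = tok
        return multiplier

    def parse_selection_set(self, depth):
        """Return (max_depth, cost) for the selection set whose '{' is next."""
        if self._next() != "{":
            raise ValueError("expected '{'")
        max_depth, total_cost = depth, 0
        while self._peek() != "}":
            if self._next() is None:  # field name (or alias)
                raise ValueError("unterminated selection set")
            if self._peek() == ":":  # 'alias: field' form
                self._next()
                self._next()
            multiplier = self._parse_args() if self._peek() == "(" else 1
            field_cost, child_depth = 1, depth
            if self._peek() == "{":
                child_depth, child_cost = self.parse_selection_set(depth + 1)
                field_cost += multiplier * child_cost  # each page item repeats the subtree
            total_cost += field_cost
            max_depth = max(max_depth, child_depth)
        self._next()  # closing '}'
        return max_depth, total_cost


def analyze(query):
    """Estimate nesting depth and pagination-weighted cost for a query string."""
    parser = _QueryAnalyzer(query)
    while parser._peek() not in ("{", None):  # skip the 'query Name(...)' header
        parser._next()
    depth, cost = parser.parse_selection_set(1)
    return {"depth": depth, "cost": cost}


def enforce(query, max_depth=7, max_cost=10_000):
    """Decide before any resolver runs; thresholds are assumed demo values."""
    stats = analyze(query)
    stats["allowed"] = stats["depth"] <= max_depth and stats["cost"] <= max_cost
    return stats


if __name__ == "__main__":
    for q in (SHALLOW_QUERY, DEEP_QUERY):
        print(enforce(q))
```

The deep query above never exceeds a modest nesting depth, yet its estimated cost runs into the millions because every `first: 100` multiplies the subtree beneath it; that is why a cost estimate, not only a depth cap, is the check worth placing in front of the executor. Production servers typically get the same effect from an engine-level complexity plugin, with per-field weights supplied by the schema owner rather than a single flat cost.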

15 Sep 2025