GraphQL schemas can be very large, and testing them can be a time-consuming, manual process. Currently, there is a lack of tools that allow developers to launch and automate attacks on GraphQL. This project hopes to fill this gap by adding the appropriate functionality to ZAP. The ultimate goal is to help developers make their applications more secure.

This project aims to add GraphQL support to ZAP. On completion of this project, ZAP will be able to understand GraphQL schemas and send queries. The user will be able to make use of existing ZAP functionality, such as the Request Editor and Fuzzer, to attack GraphQL endpoints. The existing Active Scan Rules will be updated to test for GraphQL weaknesses.
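The core of "understanding GraphQL schemas and sending queries" is turning a schema into a set of well-formed requests that a scanner can then hand to a fuzzer. The following is an added illustration written for this page, not code from ZAP or from the project; it parses a small, constructed SDL schema (the `Query` and `User` types are hypothetical) with a deliberately minimal regex-based parser and emits one baseline query per root field, with placeholder argument values and a bounded selection depth so that recursive types such as `User.friends` do not produce unbounded queries.

```python
import re

# Constructed sample schema in GraphQL SDL; hypothetical, not taken from any real service.
SAMPLE_SDL = """
type Query {
  user(id: ID!): User
  users(limit: Int): [User]
  me: User
  version: String
}

type User {
  id: ID!
  name: String
  email: String
  friends: [User]
}
"""

SCALARS = {"ID", "String", "Int", "Float", "Boolean"}
# Placeholder argument values; a scanner would later swap these for fuzz payloads.
SAMPLE_VALUES = {"ID": '"1"', "String": '"test"', "Int": "1", "Float": "1.0", "Boolean": "true"}

# Minimal SDL subset: object types with fields that may carry an argument list.
TYPE_RE = re.compile(r"type\s+(\w+)\s*\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)\s*(?:\(([^)]*)\))?\s*:\s*([\[\]\w!]+)")


def base_type(type_ref):
    """Strip list brackets and non-null markers: '[User!]!' -> 'User'."""
    return type_ref.strip("[]!")


def parse_sdl(sdl):
    """Return {type_name: [(field_name, [(arg_name, arg_type), ...], field_type), ...]}."""
    types = {}
    for type_name, body in TYPE_RE.findall(sdl):
        fields = []
        for fname, raw_args, ftype in FIELD_RE.findall(body):
            args = []
            for arg in filter(None, (a.strip() for a in raw_args.split(","))):
                aname, atype = (s.strip() for s in arg.split(":", 1))
                args.append((aname, atype))
            fields.append((fname, args, ftype))
        types[type_name] = fields
    return types


def render_args(args):
    """Render '(name: value, ...)' using placeholder values; unknown types become null."""
    if not args:
        return ""
    rendered = ", ".join(
        f"{name}: {SAMPLE_VALUES.get(base_type(atype), 'null')}" for name, atype in args
    )
    return f"({rendered})"


def selection_set(types, type_ref, depth):
    """Build a selection set for an object type, descending `depth` levels into nested objects."""
    tname = base_type(type_ref)
    if tname in SCALARS or tname not in types:
        return ""
    parts = []
    for fname, args, ftype in types[tname]:
        if base_type(ftype) in SCALARS:
            parts.append(fname + render_args(args))
        elif depth > 0:  # bounded recursion: User.friends -> User stops at `depth`
            sub = selection_set(types, ftype, depth - 1)
            if sub:
                parts.append(f"{fname}{render_args(args)} {sub}")
    return "{ " + " ".join(parts) + " }" if parts else ""


def generate_queries(sdl, depth=1):
    """One query per field on the root Query type, with placeholder arguments."""
    types = parse_sdl(sdl)
    queries = []
    for fname, args, ftype in types.get("Query", []):
        head = fname + render_args(args)
        sub = selection_set(types, ftype, depth)
        body = f"{head} {sub}" if sub else head
        queries.append(f"query {{ {body} }}")
    return queries


if __name__ == "__main__":
    for query in generate_queries(SAMPLE_SDL):
        print(query)
```

Each generated string is a complete request body that could be submitted to an endpoint and then handed to a fuzzer, with the placeholder values in `SAMPLE_VALUES` as the natural injection points; the `depth` bound is the guard a scanner needs against schemas whose types reference each other.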

Akshath Kothari

  • Rick M
  • Ricardo Pereira
  • Simon Bennetts