Kuantifikasi Risiko Introspection pada Tiga Kategori Otorisasi OWASP: Studi Komparatif REST API dan GraphQL
Abstract
The advancement of Application Programming Interfaces (APIs) demands measurable architectural-level security evaluation. This study quantifies the security risks of REST API and GraphQL based on three authorization categories from the OWASP API Security Top 10 2023 (API1, API3, and API5). The exclusive limitation to these three categories was established to focus purely on access control logic flaws rather than infrastructure-level vulnerabilities. The experiment utilizes TixVuln, a parallel-architecture testbed instrument explicitly designed to eliminate external database bias a comparative advantage not present in standard single-architecture vulnerable applications. Authorization evaluation was executed contextually to avoid the high false-negative rates typically produced by automated security scanning tools (SAST/DAST) in business logic testing. Quantification results using the OWASP Risk Rating Methodology reveal a novelty that GraphQL experiences a risk category escalation from Medium to Critical levels in API3 and API5 compared to REST API. This significant leap in the Ease of Discovery metric is absolutely triggered by the operational schema exposure through the introspection feature. Mitigation testing validates that implementing field whitelisting and resolver-level Role-Based Access Control is imperative to suppress inherent risks in single-endpoint architectures. The main contribution of this research is the provision of an isolated empirical evaluation framework that quantitatively proves the flexibility of GraphQL architecture is directly proportional to the increased fatality of authorization risks if the schema discovery feature is not strictly configured.
Downloads
References
F. X. Senduk, X. B. N. Najoan, and S. R. U. A. Sompie, “Pengembangan Arsitektur Microservices dengan RESTful API Gateway menggunakan Backend-for-frontend Pattern pada Portal Akademik Perguruan Tinggi,” J. Tek. Inform., vol. 18, no. 1, pp. 315–324, Mar. 2023, doi: 10.35793/jti.v18i1.50402.
Mohammed Mudassir and Mohammed Mushtaq, “The role of APIs in modern software development,” World J. Adv. Eng. Technol. Sci., vol. 13, no. 1, pp. 1045–1047, Oct. 2024, doi: 10.30574/wjaets.2024.13.1.0515.
S. Kanthed, “Rest vs. GraphQL: Comparative Analysis of API Design Approaches,” Int. J. Multidiscip. Res. Growth Eval., vol. 4, no. 1, pp. 984–991, 2023, doi: 10.54660/.IJMRGE.2023.4.1.984-991.
N. Vohra and I. B. Kerthyayana Manuaba, “Implementation of REST API vs GraphQL in Microservice Architecture,” in 2022 International Conference on Information Management and Technology (ICIMTech), IEEE, Aug. 2022, pp. 45–50. doi: 10.1109/ICIMTech55957.2022.9915098.
A. Prasetyo and D. Kriestanto, “Analisis Perbandingan GraphQL dan REST API pada Aplikasi Menu Restoran dengan Node.js,” JIKO (Jurnal Inform. dan Komputer), vol. 9, no. 2, p. 274, Jun. 2025, doi: 10.26798/jiko.v9i2.1521.
Nagaraju Thallapally, “Enhancing Data Query Flexibility with GraphQL: Implementation and Best Practices,” J. Comput. Sci. Technol. Stud., vol. 6, no. 2, pp. 176–182, Jun. 2024, doi: 10.32996/jcsts.2024.6.2.20.
M. S. Baihan, “Role-based Access Control Solution for GraphQL-based Fast Healthcare Interoperability Resources Health Application Programming Interface,” in 2022 IEEE International Conference on E-health Networking, Application & Services (HealthCom), IEEE, Oct. 2022, pp. 1–6. doi: 10.1109/HealthCom54947.2022.9982782.
M. Muntahanah, Y. Darmi, and K. Pinandita, “Implementasi Perbandingan Metode Graphql Dan Rest Api Pada Teknologi Nodejs,” INTECOMS J. Inf. Technol. Comput. Sci., vol. 7, no. 1, pp. 25–34, Jan. 2024, doi: 10.31539/intecoms.v7i1.8656.
C. Zhao, “API Common Security Threats and Security Protection Strategies,” Front. Comput. Intell. Syst., vol. 10, no. 2, pp. 29–33, Nov. 2024, doi: 10.54097/k5djs164.
D. Kamble, “Exploring the Threat Landscape of API Attacks,” Int. J. Sci. Res. Eng. Manag., vol. 09, no. 06, pp. 1–9, Jun. 2025, doi: 10.55041/IJSREM50004.
Ishva Jitendrakumar Kanani, “Securing APIs in the modern threat landscape: Best practices and challenges,” World J. Adv. Res. Rev., vol. 13, no. 3, pp. 654–657, Mar. 2022, doi: 10.30574/wjarr.2022.13.3.0239.
Y. Ishida, M. Hanada, A. Waseda, and M. W. Kim, “Automated Vulnerability Assessment Approach for Web API that Considers Requests and Responses,” in 2024 26th International Conference on Advanced Communications Technology (ICACT), IEEE, Feb. 2024, pp. 1521–1533. doi: 10.23919/ICACT60172.2024.10471939.
Suresh Vethachalam, “How hackers exploit poorly built APIs – A developer’s guide to API Hardening,” World J. Adv. Eng. Technol. Sci., vol. 10, no. 2, pp. 426–440, Dec. 2023, doi: 10.30574/wjaets.2023.10.2.0290.
R. Napisa, A. Widjajarto, and U. Y. K. S. Hediyanto, “Desain Attack Tree Berdasar Metrik Time Pada Eksploitasi GraphQL Dengan Information Disclosure Vulnerability,” J. Teknol. Dan Sist. Inf. Bisnis, vol. 7, no. 2, pp. 310–319, Apr. 2025, doi: 10.47233/jteksis.v7i2.1627.
A. Santos Filho, R. J. Rodríguez, and E. L. Feitosa, “Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation,” Int. J. Inf. Secur., vol. 24, no. 2, p. 83, Apr. 2025, doi: 10.1007/s10207-024-00970-5.
A. Mazidi, D. Corradini, and M. Ghafari, “Mining REST APIs for Potential Mass Assignment Vulnerabilities,” in Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, New York, NY, USA: ACM, Jun. 2024, pp. 369–374. doi: 10.1145/3661167.3661204.
I. G. A. E. Pratama, I. P. Satwika, and I. N. Y. Anggara Wijaya, “Analisis Perbandingan Performa API Metode REST dan GraphQL dengan PHP dan Go,” J. Teknol. Inf. dan Komput., vol. 8, no. 4, Oct. 2022, doi: 10.36002/jutik.v8i4.2088.
K. Sadaf, S. Khan, D. Chourasia, N. Rai, and M. Jamal, “Comparison of Rest vs Graphql: Performance, Authentication and Scalability,” in Proceedings of the 1st International Conference on Research and Development in Information, Communication, and Computing Technologies, SCITEPRESS - Science and Technology Publications, 2025, pp. 369–377. doi: 10.5220/0013930100004919.
Diash Firdaus, I. Sumardi, and G. Nugraha, “Peningkatan Keamanan Server GraphQL Terhadap Serangan DDOS Dengan Tipe Batch Attack Menggunakan Metode Rate Limiting,” Cyber Secur. dan Forensik Digit., vol. 7, no. 2, pp. 62–68, Dec. 2024, doi: 10.14421/csecurity.2024.7.2.4718.
M. Idris, I. Syarif, and I. Winarno, “Development of Vulnerable Web Application Based on OWASP API Security Risks,” in 2021 International Electronics Symposium (IES), IEEE, Sep. 2021, pp. 190–194. doi: 10.1109/IES53407.2021.9593934.
P. Bhosale, “Implementing Secure and Scalable APIs in Java Spring Boot: RESTful vs. GraphQL Services,” INTERANTIONAL J. Sci. Res. Eng. Manag., vol. 09, no. 01, pp. 1–7, Jan. 2025, doi: 10.55041/IJSREM11316.
Y. Shcheblanin, B. Sydorenko, and I. Mykhalchuk, “Security of REST API: Threats and Protection Methods,” Inf. Syst. Technol. Secur., no. 2 (8), pp. 60–65, 2024, doi: 10.17721/ISTS.2024.8.60-65.
M. Saifulhakim and A. Nurul Fajar, “Security Assessment for Digital Wallet Payment Partner Applications using the OWASP Method: A Case Study in Indonesia,” J. Syst. Manag. Sci., vol. 14, no. 3, Feb. 2024, doi: 10.33168/JSMS.2024.0319.
M. Idris, I. Syarif, and I. Winarno, “Web Application Security Education Platform Based on OWASP API Security Project,” Emit. Int. J. Eng. Technol., pp. 246–261, Dec. 2022, doi: 10.24003/emitter.v10i2.705.
Bila bermanfaat silahkan share artikel ini
Berikan Komentar Anda terhadap artikel Kuantifikasi Risiko Introspection pada Tiga Kategori Otorisasi OWASP: Studi Komparatif REST API dan GraphQL
Copyright (c) 2026 Naufal Hanif Athallah, Galet Guntoro Setiaji, Ahmad Rifa’i

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under Creative Commons Attribution 4.0 International License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (Refer to The Effect of Open Access).






















