If your GraphQL testing ends with introspection queries and basic ID swapping, you’re missing out on a lot of impactful bugs. GraphQL APIs can open doors to vulnerabilities ranging from SQL injections and CSRF attacks to subtle caching issues, tricky race conditions, and WebSocket-based bypasses. In this case study, I’ve analyzed disclosed vulnerability reports to see what happens in real life and identify what we all must have in our testing methodologies.
GraphQL Case Study
