GraphQL's flexible query model and nested data dependencies expose APIs to complex, context-dependent vulnerabilities that are difficult to uncover using conventional testing tools. Existing fuzzers either rely on random payload generation or rigid mutation heuristics, failing to adapt to the dynamic structures of GraphQL schemas and responses. We present PrediQL, the first retrieval-augmented, LLM-guided fuzzer for GraphQL APIs. PrediQL combines large language model reasoning with adaptive feedback loops to generate semantically valid and diverse queries. It models the choice of fuzzing strategy as a multi-armed bandit problem, balancing exploration of new query structures with exploitation of past successes. To enhance efficiency, PrediQL retrieves and reuses execution traces, schema fragments, and prior errors, enabling self-correction and progressive learning across test iterations. Beyond input generation, PrediQL integrates a context-aware vulnerability detector that uses LLM reasoning to analyze responses, interpreting data values, error messages, and status codes to identify issues such as injection flaws, access-control bypasses, and information disclosure. Our evaluation across open-source and benchmark GraphQL APIs shows that PrediQL achieves significantly higher coverage and vulnerability discovery rates compared to state-of-the-art baselines. These results demonstrate that combining retrieval-augmented reasoning with adaptive fuzzing can transform API security testing from reactive enumeration to intelligent exploration.

翻译：GraphQL灵活的查询模型与嵌套数据依赖关系使得API暴露于复杂且上下文相关的漏洞之中，这些漏洞难以通过传统测试工具发现。现有模糊测试工具要么依赖随机负载生成，要么采用僵化的变异启发式方法，无法适应GraphQL模式与响应的动态结构。本文提出PrediQL——首个基于检索增强与大语言模型引导的GraphQL API模糊测试工具。PrediQL将大语言模型推理能力与自适应反馈循环相结合，生成语义有效且多样化的查询。该工具将模糊测试策略选择建模为多臂赌博机问题，在探索新查询结构与利用历史成功经验之间实现动态平衡。为提升效率，PrediQL通过检索复用执行轨迹、模式片段及历史错误信息，实现跨测试迭代的自我修正与渐进式学习。除输入生成外，PrediQL还集成了上下文感知漏洞检测器，利用大语言模型推理分析响应数据，通过解析数据值、错误消息和状态码来识别注入缺陷、访问控制绕过及信息泄露等问题。我们在开源及基准GraphQL API上的评估表明，相较于最先进的基线方法，PrediQL在代码覆盖率与漏洞发现率方面均取得显著提升。这些结果证明，将检索增强推理与自适应模糊测试相结合，能够将API安全测试从被动枚举转变为智能探索。