Documentation
Security Misconfiguration
GraphQL Introspection Enabled

GraphQL Introspection Enabled

Severity Low
CVEs
Classifications
OWASP Category OWASP API8:2023 Security Misconfiguration (opens in a new tab)

GraphQL introspection is a feature that allows clients to query the schema of the server. It can be used to discover the schema and types, but it can also be used by attackers to learn about the server's implementation details and find potential vulnerabilities.

What is the impact?

The potential security impacts of GraphQL introspection are significant and can include:

  • Information Disclosure: Attackers can use introspection to learn about the server's implementation details, such as the types, fields, and arguments, which can lead to information disclosure and potential security vulnerabilities.
  • Schema Enumeration: Introspection can be used to enumerate the schema and discover hidden or deprecated fields, which can be leveraged to craft targeted attacks or exploit vulnerabilities.
  • Security Misconfiguration: Improperly configured introspection can expose sensitive information or internal implementation details, leading to security misconfigurations and potential security risks.
  • Data Exposure: Introspection can reveal sensitive data structures, such as database tables, fields, or relationships, which can be exploited to access or manipulate data in unauthorized ways.

How to test?

If you want to test only the "GraphQL Introspection Enabled" vulnerability, you can use the following command:

vulnapi scan graphql --scans graphql.introspection_enabled [url]

How to remediate?

To remediate GraphQL introspection vulnerabilities, you can take the following steps:

  • Disable Introspection: Disable introspection in production environments to prevent attackers from querying the schema and discovering sensitive information or potential security vulnerabilities.
  • Limit Access: Restrict access to introspection queries to authorized users or applications, and ensure that only trusted entities can query the schema and access internal implementation details.

References