GraphQL Introspection Endpoint Enabled
Reference
Plugin Id: 90050 | CWE: 200
Remediation
To remediate GraphQL introspection exposure vulnerabilities, implement the following security measures:
- Disable introspection in production: Configure your GraphQL server to disable introspection queries in production environments. Most GraphQL implementations provide environment-specific configuration options. Treat this as defense in depth rather than secrecy: field names can still be inferred from validation-error suggestions ("Did you mean ...?") and recovered from client bundles, so sensitive operations must be protected by authorization, not by hiding the schema.
Example (Apollo Server):
const server = new ApolloServer({
  typeDefs,
  resolvers,
  // Apollo Server already defaults introspection to false when NODE_ENV is 'production';
  // setting it explicitly documents the intent
  introspection: process.env.NODE_ENV !== 'production',
  // Apollo Server 2 option; Apollo Server 3 removed it in favour of landing-page plugins
  playground: process.env.NODE_ENV !== 'production',
});
Example (GraphQL Java):
import graphql.schema.visibility.NoIntrospectionGraphqlFieldVisibility;

GraphQL graphQL = GraphQL.newGraphQL(schema)
    // Hides __schema and __type from every caller, so introspection queries fail validation.
    // Newer graphql-java releases deprecate this builder method in favour of
    // GraphQLCodeRegistry.newCodeRegistry().fieldVisibility(...)
    .fieldVisibility(NoIntrospectionGraphqlFieldVisibility.NO_INTROSPECTION_FIELD_VISIBILITY)
    .build();
- Implement access controls: If introspection is required for development tools, restrict it to authenticated and authorized users only. express-graphql has no introspection option and the request object is not in scope when the options object is built statically; instead, pass graphqlHTTP a function that computes the options per request and adds graphql-js's NoSchemaIntrospectionCustomRule validation rule for callers who are not allowed to introspect.
Example (Express GraphQL with authentication):
const { NoSchemaIntrospectionCustomRule } = require('graphql');

app.use('/graphql', graphqlHTTP((req) => {
  // req.user is populated by the authentication middleware mounted before this route
  const isDeveloper = Boolean(req.user && req.user.role === 'developer');
  return {
    schema: schema,
    graphiql: isDeveloper,
    // Rejects __schema and __type selections at validation time for non-developers
    validationRules: isDeveloper ? [] : [NoSchemaIntrospectionCustomRule],
  };
}));
- Use query whitelisting: Consider implementing query whitelisting (also called safelisting or persisted queries) so that production only executes pre-approved, pre-registered operations. With a safelist, an introspection query is rejected simply because it is not on the list. Note that Apollo's Automatic Persisted Queries (APQ) is a bandwidth optimization, not a safelist: when a hash is unknown the client re-sends the full query text, which the server registers and runs, so APQ alone does not block introspection.
About
GraphQL introspection is a powerful feature that allows clients to discover the structure of a GraphQL schema. While useful for development and tooling, introspection can expose sensitive information about the API structure, available operations, and internal field names when enabled in production environments. This vulnerability occurs when GraphQL servers respond to introspection queries with complete schema information, potentially revealing sensitive data models, internal operations, or business logic structures that attackers can leverage for further attacks.
Risks
The risks associated with exposed GraphQL introspection include:
- Schema enumeration: Attackers can discover all available queries, mutations, subscriptions, types, and fields in the GraphQL schema, providing a complete map of the API surface area.
- Sensitive field discovery: Internal or sensitive field names may be exposed, revealing business logic, data models, or administrative functionality.
- Attack surface expansion: Knowledge of the complete schema structure enables attackers to craft more targeted and sophisticated attacks against specific operations or data types.
- Information disclosure: Field descriptions, deprecation reasons, and other metadata may contain sensitive information about the application’s functionality or implementation details.