GraphQL Endpoint Detected

Reference
Plugin ID: 90051 | CWE: 200 | WASC: 13 | Risk: Low | Scan type: Passive | Category: Information Leakage

Remediation

To secure GraphQL endpoints and reduce information disclosure risks, implement the following security measures:

  1. Implement proper authentication and authorization: Ensure every GraphQL operation runs under an authenticated identity, and enforce authorization inside the resolvers (per field or per object), because a single endpoint serves every query and the client, not the server, chooses which fields are selected.

    Example (Apollo Server with JWT authentication; buildContext runs once per request and is passed as the server's context option, and the resolver refuses anonymous callers):

    const { AuthenticationError } = require('apollo-server');
    const jwt = require('jsonwebtoken');

    // Verify the bearer JWT once per request and expose its claims as context.user
    const buildContext = ({ req }) => {
      const auth = req.headers.authorization || '';
      try {
        return { user: auth.startsWith('Bearer ') ? jwt.verify(auth.slice(7), process.env.JWT_SECRET) : null };
      } catch (err) {
        return { user: null }; // an expired or forged token is treated as anonymous
      }
    };

    const resolvers = {
      Query: {
        sensitiveData: (parent, args, context) => {
          if (!context.user) throw new AuthenticationError('Authentication required');
          return getSensitiveData(context.user);
        }
      }
    };
  2. Configure security middleware: Use GraphQL validation rules or middleware to enforce query depth limiting, query complexity (cost) analysis, and rate limiting, so that no single request can consume unbounded server resources.

    Example (Apollo Server with graphql-depth-limit, rejecting any operation whose selection sets nest more than five levels deep):

    const { ApolloServer } = require('apollo-server');
    const depthLimit = require('graphql-depth-limit');

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      // Validation rules run before execution, so over-deep queries are rejected cheaply
      validationRules: [depthLimit(5)]
    });
  3. Disable introspection in production: Ensure introspection queries (the __schema and __type fields) are rejected in production environments (introspection: false in Apollo Server) to prevent schema disclosure. This hides the schema from casual discovery but is not an access control: fields remain callable by anyone who learns or guesses their names, so it complements rather than replaces steps 1 and 2.

  4. Implement query whitelisting: Use persisted queries or an operation allowlist to control which operations are allowed in production. Note that persisted queries alone (as in automatic persisted queries, where the client can register any new query by hash) are a performance feature; they only limit exposure when the server accepts nothing but operations registered ahead of time, for example at client build time.

About

This detection identifies GraphQL endpoints by analyzing HTTP requests and responses for GraphQL-specific patterns, server signatures, and endpoint paths. GraphQL endpoints can expose significant functionality through a single URL, making proper security configuration critical. The fingerprinting process examines request/response patterns, content types, server headers, and GraphQL-specific syntax to identify the presence and characteristics of GraphQL implementations.

Risks

The risks associated with improperly secured GraphQL endpoints include:

  • Information disclosure: Because the client chooses which fields to select, a resolver without field-level authorization returns everything the schema can reach, including fields the caller was never meant to see; enabled introspection additionally reveals the full schema.
  • Denial of service: Deeply nested queries, aliased or batched operations, and expensive fields can exhaust CPU, memory, or database connections in a single request if depth, complexity, and rate limits are not enforced.
  • Authentication bypass: An endpoint that authenticates only some operations, or only at the HTTP layer rather than in the resolvers, may let unauthenticated callers reach sensitive queries or mutations.
  • Injection attacks: The GraphQL document itself is parsed by the server, but resolvers that build SQL, NoSQL, or OS commands from query arguments without validation or parameterization are as injectable as any other handler.
