HawkScan Test Info for GraphQL Endpoint Detected

GraphQL Endpoint Detected

Reference

Plugin Id: 90051 | CWE: 200

Remediation

To secure GraphQL endpoints and reduce information disclosure risks, implement the following security measures:

  1. Implement proper authentication and authorization: Ensure all GraphQL endpoints have appropriate authentication mechanisms and field-level authorization controls.

    Example (GraphQL with JWT authentication):

    // Assumes Apollo Server; AuthenticationError is exported by the apollo-server package.
    const { AuthenticationError } = require('apollo-server');

    const resolvers = {
      Query: {
        sensitiveData: (parent, args, context) => {
          // context.user is set by the server's context function once the JWT has been verified
          if (!context.user) {
            throw new AuthenticationError('Authentication required');
          }
          // getSensitiveData is the application's own data-access function, scoped to the caller
          return getSensitiveData(context.user);
        }
      }
    };

  2. Configure security middleware: Use GraphQL security middleware to implement query depth limiting, complexity analysis, and rate limiting.

    Example (GraphQL Depth Limit):

    const { ApolloServer } = require('apollo-server');
    const depthLimit = require('graphql-depth-limit');

    // typeDefs and resolvers are the schema and resolver map defined elsewhere in the application
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      // Reject any operation whose selection sets are nested more than 5 levels deep
      validationRules: [depthLimit(5)]
    });

  3. Disable introspection in production: Ensure introspection queries are disabled in production environments to prevent schema disclosure.

  4. Implement query whitelisting: Use persisted queries or query whitelisting to control which operations are allowed in production.

About

This detection identifies GraphQL endpoints by analyzing HTTP requests and responses for GraphQL-specific patterns, server signatures, and endpoint paths. GraphQL endpoints can expose significant functionality through a single URL, making proper security configuration critical. The fingerprinting process examines request/response patterns, content types, server headers, and GraphQL-specific syntax to identify the presence and characteristics of GraphQL implementations.

Risks

The risks associated with improperly secured GraphQL endpoints include:

  • Information disclosure: GraphQL endpoints may expose more data than intended through overfetching or lack of field-level authorization.
  • Denial of service: Complex queries, deep nesting, or batch operations can cause resource exhaustion if not properly limited.
  • Authentication bypass: Poorly configured GraphQL endpoints may allow unauthorized access to sensitive operations or data.
  • Injection attacks: GraphQL queries that incorporate user input without proper validation may be vulnerable to injection attacks.