StackHawk Documentation
GraphQL Introspection Exploit

Reference
Plugin ID: 90054 · CWE: 200 · WASC: 13 · Medium · Active · Information Leakage

Remediation

To prevent GraphQL introspection exploitation, implement comprehensive schema security measures:

  1. Disable introspection in production: Completely disable introspection queries in production environments.

    Example (Apollo Server with environment-specific configuration; set the option explicitly, since Apollo Server otherwise enables introspection whenever NODE_ENV is not 'production'):

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      // Explicit true/false rather than relying on the NODE_ENV default
      introspection: process.env.NODE_ENV === 'development',
      playground: process.env.NODE_ENV === 'development'
    });
  2. Implement authentication for introspection: If introspection is required, restrict it to authenticated and authorized users only.

    Example (Conditional introspection based on user role; Apollo Server's introspection option is a plain boolean and does not accept a function, so the per-request check is done in a plugin):

    const { visit, GraphQLError } = require('graphql');

    // Rejects any operation that selects __schema or __type (fragments
    // included) unless the user resolved in the context is a developer.
    // requestContext.contextValue is the Apollo Server 4 name; versions 2
    // and 3 expose the same value as requestContext.context.
    const introspectionGuard = {
      async requestDidStart() {
        return {
          async didResolveOperation({ contextValue, document }) {
            let askedForSchema = false;
            visit(document, { Field(node) {
              if (node.name.value === '__schema' || node.name.value === '__type') askedForSchema = true;
            } });
            if (askedForSchema && contextValue.user?.role !== 'developer') {
              throw new GraphQLError('Introspection requires a developer account');
            }
          },
        };
      },
    };

    const server = new ApolloServer({ typeDefs, resolvers, introspection: true, plugins: [introspectionGuard] });
  3. Use field-level authorization: Implement granular field-level authorization to prevent unauthorized access to sensitive data.

    Example (GraphQL Shield for authorization):

    const { shield, rule, deny } = require('graphql-shield');
    const { applyMiddleware } = require('graphql-middleware');

    // 'contextual' caching evaluates the rule once per request, because its
    // result depends only on the context, not on parent or args.
    const isAuthenticated = rule({ cache: 'contextual' })(
      async (parent, args, context) => {
        // context.user is undefined (not null) when nobody is logged in, so a
        // strict `!== null` comparison would let anonymous requests through.
        return context.user != null;
      }
    );

    const permissions = shield(
      {
        Query: {
          sensitiveField: isAuthenticated
        }
      },
      // Deny every field that has no explicit rule, so a field added to the
      // schema later is not exposed by default.
      { fallbackRule: deny }
    );

    // Attach the rules to an executable schema before handing it to the server
    const guardedSchema = applyMiddleware(schema, permissions);
  4. Sanitize error messages: Ensure error messages don't reveal sensitive schema information or internal details.
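One concrete form of the fourth measure, written as an added example rather than code from StackHawk or Apollo: an error formatter that strips schema details before a response leaves the server. It assumes Apollo Server 4's formatError hook (called with the formatted error) and Apollo's built-in error codes; UNAUTHENTICATED and FORBIDDEN are the conventional codes used in Apollo's documentation, and the two sample errors are constructed to match the shapes graphql-js and a failing resolver produce. The "Did you mean" case matters even when introspection is disabled: graphql-js appends field and type suggestions to validation errors, which hands a client real schema names one guess at a time.

```javascript
// Added example: an Apollo Server 4 style formatError that removes schema
// hints and internal details. Not StackHawk's or Apollo's own code.

// graphql-js appends 'Did you mean "..."?' suggestions to validation errors;
// they leak real field and type names, so the suffix is dropped.
const SUGGESTION_RE = /\s*Did you mean\b.*$/s;

// Error codes whose messages are written for the client and safe to return.
// The first three are Apollo Server 4 built-ins; the last two are the
// conventional auth codes from Apollo's docs (assumed to be used by the app).
const CLIENT_SAFE_CODES = new Set([
  'GRAPHQL_PARSE_FAILED',
  'GRAPHQL_VALIDATION_FAILED',
  'BAD_USER_INPUT',
  'UNAUTHENTICATED',
  'FORBIDDEN',
]);

// formattedError has the GraphQLFormattedError shape:
// { message, locations?, path?, extensions? }
function sanitizeError(formattedError) {
  const code = formattedError.extensions?.code ?? 'INTERNAL_SERVER_ERROR';
  // Stack traces and wrapped exceptions never belong in a response.
  const { stacktrace, exception, ...extensions } = formattedError.extensions ?? {};

  if (!CLIENT_SAFE_CODES.has(code)) {
    // Resolver, database or network failures: mask the message entirely and
    // keep only the path so the client knows which field failed.
    return {
      message: 'Internal server error',
      path: formattedError.path,
      extensions: { code: 'INTERNAL_SERVER_ERROR' },
    };
  }
  return {
    ...formattedError,
    message: formattedError.message.replace(SUGGESTION_RE, ''),
    extensions: { ...extensions, code },
  };
}

// Wire-up (ApolloServer, typeDefs and resolvers assumed to exist elsewhere):
// new ApolloServer({ typeDefs, resolvers, introspection: false, formatError: sanitizeError });

// Constructed samples shaped like what graphql-js / Apollo Server emit.
const validationError = {
  message: 'Cannot query field "passwrd" on type "User". Did you mean "password"?',
  locations: [{ line: 1, column: 9 }],
  extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
};
const resolverError = {
  message: 'connect ECONNREFUSED 10.0.0.5:5432',
  path: ['me', 'orders'],
  extensions: {
    code: 'INTERNAL_SERVER_ERROR',
    stacktrace: ['Error: connect ECONNREFUSED 10.0.0.5:5432', '    at TCPConnectWrap.afterConnect'],
  },
};

console.log(sanitizeError(validationError).message); // suggestion suffix removed
console.log(JSON.stringify(sanitizeError(resolverError))); // message and stack masked
```

Parse and validation errors keep their wording so legitimate clients can still fix malformed queries; everything else collapses to a fixed message, and anything without a recognised code is treated as internal rather than trusted.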

About

This scan rule goes beyond simply detecting that introspection is enabled: it actively uses introspection to extract and analyse the full schema. The rule performs multi-step exploitation, including full schema extraction, enumeration of queries, mutations and subscriptions, and discovery of sensitive fields. With that introspection data, an attacker can map the entire API surface, identify sensitive operations, and find potentially vulnerable fields or operations to target in further attacks.

Risks

The risks associated with GraphQL introspection exploitation include:

  • Complete schema enumeration: Attackers can extract the entire GraphQL schema, including all queries, mutations, subscriptions, and their associated types and fields.
  • Sensitive data discovery: Field names containing sensitive information (passwords, tokens, personal data) can be identified and targeted.
  • Attack vector identification: Knowledge of available mutations and subscriptions provides attackers with specific targets for privilege escalation or data manipulation attacks.
  • Business logic exposure: Schema structure and field relationships may reveal business logic, data models, and application functionality that should remain confidential.
