GraphQL Introspection Exploit
Reference
Plugin Id: 90054 | CWE: 200
Remediation
To prevent GraphQL introspection exploitation, implement comprehensive schema security measures:
- Disable introspection in production: Completely disable introspection queries in production environments.
  Example (Apollo Server with environment-specific configuration):
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      // Both flags stay false unless NODE_ENV is explicitly 'development'.
      introspection: process.env.NODE_ENV === 'development',
      playground: process.env.NODE_ENV === 'development',
    });
- Implement authentication for introspection: If introspection is required, restrict it to authenticated and authorized users only.
  Example (Conditional introspection based on user role; Apollo Server's `introspection` option is a plain boolean, so the per-request decision is made in a plugin that validates the parsed document with graphql-js's NoSchemaIntrospectionCustomRule; `getUser` is the application's own lookup and populates `contextValue.user` via the server's context function, e.g. `context: async ({ req }) => ({ user: await getUser(req) })`):
    const { GraphQLError, NoSchemaIntrospectionCustomRule, validate } = require('graphql');

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      introspection: true, // left on; the plugin below decides per request
      plugins: [{
        async requestDidStart() {
          return {
            // Apollo Server 4 hook names; the request context carries the schema,
            // the parsed document and the per-request contextValue.
            async didResolveOperation({ schema, document, contextValue }) {
              const user = contextValue.user;
              if (user && user.role === 'developer') return;
              // Any selection of __schema or __type fails this rule.
              const errors = validate(schema, document, [NoSchemaIntrospectionCustomRule]);
              if (errors.length > 0) throw new GraphQLError('Introspection is not allowed');
            },
          };
        },
      }],
    });
- Use field-level authorization: Implement granular field-level authorization to prevent unauthorized access to sensitive data.
  Example (GraphQL Shield for authorization):
    const { shield, rule } = require('graphql-shield');

    // Evaluated once per request ('contextual' cache) from the user placed in context;
    // the double negation rejects both null and undefined.
    const isAuthenticated = rule({ cache: 'contextual' })(
      async (parent, args, context) => !!context.user
    );

    // Attach to the schema with graphql-middleware's applyMiddleware.
    const permissions = shield({
      Query: { sensitiveField: isAuthenticated },
    });
- Sanitize error messages: Ensure error messages don’t reveal sensitive schema information or internal details.
About
This vulnerability extends beyond simple introspection detection to actively exploit enabled introspection for comprehensive schema extraction and analysis. The scan rule performs multi-step exploitation including full schema extraction, query/mutation/subscription enumeration, and sensitive field discovery. By leveraging introspection data, attackers can map the entire API surface area, identify sensitive operations, and discover potentially vulnerable fields or operations that can be targeted for further attacks.
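As an added example (not part of the scan rule or its source), the following self-audit reads an introspection result in the shape the scan rule would receive and reports the same things it enumerates: root operations and field names that look sensitive. The sample response and the name pattern are constructed here; run it against a real introspection dump before release to see what an exposed schema hands to any caller.

```javascript
// Field names that should prompt review when they are reachable through introspection.
const SENSITIVE_FIELD = /(password|passwd|secret|token|apikey|api_key|ssn|credit_?card|salary)/i;

function auditIntrospection(result) {
  const schema = result.data.__schema;
  const byName = new Map(schema.types.map((t) => [t.name, t]));

  // Names of the fields on a root operation type (empty if the root is absent).
  const opsOf = (root) => {
    const type = root ? byName.get(root.name) : undefined;
    return (type && type.fields ? type.fields : []).map((f) => f.name);
  };

  const sensitiveFields = [];
  for (const type of schema.types) {
    if (type.name.startsWith('__')) continue; // skip GraphQL's own meta types
    for (const field of type.fields || []) {
      if (SENSITIVE_FIELD.test(field.name)) sensitiveFields.push(`${type.name}.${field.name}`);
    }
  }

  return {
    queries: opsOf(schema.queryType),
    mutations: opsOf(schema.mutationType),
    subscriptions: opsOf(schema.subscriptionType),
    sensitiveFields,
  };
}

// Constructed sample introspection response, trimmed to the keys the audit uses.
const SAMPLE_INTROSPECTION = {
  data: { __schema: {
    queryType: { name: 'Query' }, mutationType: { name: 'Mutation' }, subscriptionType: null,
    types: [
      { name: 'Query', fields: [{ name: 'me' }, { name: 'users' }] },
      { name: 'Mutation', fields: [{ name: 'login' }, { name: 'resetPassword' }] },
      { name: 'User', fields: [{ name: 'id' }, { name: 'email' }, { name: 'passwordHash' }, { name: 'apiToken' }] },
      { name: '__Schema', fields: [{ name: 'types' }] },
    ],
  } },
};

const report = auditIntrospection(SAMPLE_INTROSPECTION);
console.log(JSON.stringify(report, null, 2));
```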
Risks
The risks associated with GraphQL introspection exploitation include:
- Complete schema enumeration: Attackers can extract the entire GraphQL schema, including all queries, mutations, subscriptions, and their associated types and fields.
- Sensitive data discovery: Field names containing sensitive information (passwords, tokens, personal data) can be identified and targeted.
- Attack vector identification: Knowledge of available mutations and subscriptions provides attackers with specific targets for privilege escalation or data manipulation attacks.
- Business logic exposure: Schema structure and field relationships may reveal business logic, data models, and application functionality that should remain confidential.