GraphQL Field Suggestions Exploit
Reference
Plugin Id: 90055 | CWE: 400
Remediation
To prevent GraphQL field suggestion exploitation, implement the following security measures:
- Disable field suggestions in production: Configure your GraphQL server to disable field suggestions and auto-completion features in production environments.
  Example (Apollo Server with custom validation):

    const { ApolloServer } = require('@apollo/server');
    const { GraphQLError } = require('graphql');

    // Custom validation rule: report unknown fields with a fixed message
    // instead of the default "Did you mean ...?" suggestion.
    const noFieldSuggestionsRule = (context) => ({
      Field(node) {
        const fieldName = node.name.value;
        const parentType = context.getParentType();
        // Skip when the parent type is unknown (already reported elsewhere)
        // or has no fields (union/scalar), and skip meta fields like __typename.
        if (!parentType || typeof parentType.getFields !== 'function') return;
        if (fieldName.startsWith('__')) return;
        if (!parentType.getFields()[fieldName]) {
          context.reportError(
            new GraphQLError('Invalid field', {
              nodes: [node],
              extensions: { code: 'INVALID_FIELD' },
            })
          );
        }
      },
    });

    // Note: Apollo Server applies custom validationRules in addition to the
    // built-in rules, so the standard rule still produces its suggestion text;
    // pair this rule with the formatError example below to remove it.
    const server = new ApolloServer({
      typeDefs,
      resolvers,
      validationRules: [noFieldSuggestionsRule],
    });
- Implement proper error handling: Ensure error messages don’t reveal field names, schema structure, or provide helpful suggestions to attackers.
  Example (Custom error formatting):

    const { ApolloServer } = require('@apollo/server');

    const server = new ApolloServer({
      typeDefs,
      resolvers,
      // Apollo Server 4 formatError receives the serialised error and must
      // return a GraphQLFormattedError, so return a plain object rather than
      // a new Error instance.
      formatError: (formattedError) => {
        // Remove field suggestions from error messages
        if (formattedError.message.includes('Did you mean')) {
          return { ...formattedError, message: 'Invalid query syntax' };
        }
        return formattedError;
      },
    });
- Use query validation without hints: Implement strict query validation that rejects malformed queries without providing corrective suggestions.
- Implement field-level security: Use field-level authorization to ensure sensitive fields are not accessible even if discovered.
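Added example for the error-handling measure above (not code from the original page or from Apollo): a formatError hook that removes only the trailing "Did you mean ...?" clause that graphql-js appends for unknown fields and arguments, so the client still learns that its query was invalid while the schema hint is withheld and the error's extensions survive. The sample messages are constructed to match graphql-js wording, not captured from a live server.

```javascript
// graphql-js appends suggestions as a final clause ending in a question mark,
// e.g. '... Did you mean "email"?' or '... Did you mean "a", "b", or "c"?'.
const SUGGESTION_RE = /\s*Did you mean\b.*\?\s*$/s;

// Return the message with any trailing suggestion clause removed.
function stripSuggestion(message) {
  return message.replace(SUGGESTION_RE, '');
}

// Apollo Server 4 style hook: (formattedError, error) => GraphQLFormattedError.
// Operates on the serialised error, so it covers every validation rule that
// emits suggestions (fields, arguments, enum values) without touching
// errors that carry no suggestion.
function formatErrorWithoutSuggestions(formattedError) {
  if (!SUGGESTION_RE.test(formattedError.message)) return formattedError;
  return { ...formattedError, message: stripSuggestion(formattedError.message) };
}

// Constructed sample of a validation error for a mistyped field name.
const sampleFieldError = {
  message: 'Cannot query field "emial" on type "User". Did you mean "email"?',
  locations: [{ line: 2, column: 3 }],
  extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
};

// Constructed sample with several suggestions (argument rule wording).
const sampleArgError = {
  message: 'Unknown argument "uesr" on field "Query.user". Did you mean "user", "users", or "userId"?',
  extensions: { code: 'GRAPHQL_VALIDATION_FAILED' },
};

// Constructed sample that must pass through untouched.
const sampleSyntaxError = {
  message: 'Syntax Error: Expected Name, found "}".',
  extensions: { code: 'GRAPHQL_PARSE_FAILED' },
};
```

Plug `formatErrorWithoutSuggestions` into `formatError` in the ApolloServer options to apply it to every response.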
About
GraphQL field suggestion vulnerabilities occur when GraphQL servers provide helpful error messages or auto-completion features that reveal information about the schema structure. When clients send queries with misspelled or non-existent field names, many GraphQL implementations respond with “Did you mean…” suggestions or similar helpful error messages. While designed to improve developer experience, these features can be exploited by attackers to systematically discover hidden fields, internal functionality, or sensitive schema elements that should not be publicly known.
Risks
The risks associated with GraphQL field suggestions include:
- Hidden field discovery: Attackers can use misspelled field names to discover similar or related fields that may not be documented or intended for external access.
- Schema structure revelation: Error messages providing field suggestions can reveal the internal organization and naming conventions of the GraphQL schema.
- Sensitive field enumeration: Through systematic probing with common field name patterns, attackers can identify fields containing sensitive information (passwords, tokens, personal data).
- Internal functionality exposure: Field suggestions may reveal administrative functions, debugging endpoints, or internal operations that should remain hidden from external users.