GraphQL Introspection

GraphQL Introspection attack is an "Information Disclosure" and “Misconfiguration” vulnerability, the function is not limited to internal calls and instead is opened to the world allowing any caller to get the full API schema, which can lead to data disclosure, and data leaks, it can be also used by the attacker to get information about non-public API calls.

Information Disclosure

The issue can be found on the graphQL configuration server side.

• Restrict access to introspection queries.
• Implement input validation.
• Implement security measures to prevent abusive queries.
• Timeouts: restrict the amount of time that a query is permitted to run.
  • Maximum query depth: limit the depth of allowed queries, which may prevent queries that are too deep from abusing resources.
  • Set maximum query complexity: limit the complexity of queries to mitigate the abuse of GraphQL resources.
  • Use server-time-based throttling: limit the amount of server time a user can consume.
  • Use query-complexity-based throttling: limit the total complexity of queries a user can consume.
• Send generic error messages: use generic error messages that do not reveal details of the deployment.
• Mitigate batching attacks:
  • Add object request rate limiting in code.
  • Prevent batching for sensitive objects.
  • Limit the number of queries that can run at one time

• CWE-200
• CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

• https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/
• https://github.com/danielmiessler/SecLists/blob/fe2aa9e7b04b98d94432320d09b5987f39a17de8/Discovery/Web-Content/graphql.txt
• https://appcheck-ng.com/wp-content/uploads/GraphQLSample.pdf
• https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/12-API_Testing/01-Testing_GraphQL
• https://pentesterlab.com/exercises/graphql/course