These docs are for v1.1. Click to read the latest docs for v1.2.

GraphQL Introspection

Severity: Medium
Test name: GraphQL introspection
Summary

GraphQL Introspection attack is an "Information Disclosure" and “Misconfiguration” vulnerability, the function is not limited to internal calls and instead is opened to the world allowing any caller to get the full API schema, which can lead to data disclosure, and data leaks, it can be also used by the attacker to get information about non-public API calls.

Impact

Information Disclosure

Location

The issue can be found on the graphQL configuration server side.

Remedy suggestions
  • Restrict access to introspection queries.
  • Implement input validation.
  • Implement security measures to prevent abusive queries.
  • Timeouts: restrict the amount of time that a query is permitted to run.
    • Maximum query depth: limit the depth of allowed queries, which may prevent queries that are too deep from abusing resources.
    • Set maximum query complexity: limit the complexity of queries to mitigate the abuse of GraphQL resources.
    • Use server-time-based throttling: limit the amount of server time a user can consume.
    • Use query-complexity-based throttling: limit the total complexity of queries a user can consume.
  • Send generic error messages: use generic error messages that do not reveal details of the deployment.
  • Mitigate batching attacks:
    • Add object request rate limiting in code.
    • Prevent batching for sensitive objects.
    • Limit the number of queries that can run at one time
Classifications
  • CWE-200
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References