GraphQL Introspection Enabled

medium Web Application Scanning Plugin ID 112894

Synopsis

GraphQL Introspection Enabled

Description

GraphQL is an open-source query and manipulation language for APIs and a server-side runtime built to handle these queries on the application dataset. GraphQL introspection allows to query all information related to the supported schema and queries on a GraphQL server instance. By leveraging this misconfiguration, an attacker could retrieve sensitive information or conduct further attacks on the discovered endpoints.

The scanner detected that GraphQL introspection is enabled on one of several endpoints of the target application.

Solution

Restrict GraphQL introspection feature to authorized users only, or disable it.

See Also

https://graphql.org/learn/introspection/

https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html

https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

Plugin Details

Severity: Medium

ID: 112894

Type: remote

Published: 7/12/2021

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information