GraphQL Field Suggestions Detected

Severity: Medium | Web Application Scanning | Plugin ID 112895

Synopsis

GraphQL Field Suggestions Detected

Description

GraphQL is an open-source query and manipulation language for APIs, together with a server-side runtime that executes those queries against the application's data. By default, GraphQL implementations include a feature that, when a request contains an unknown field or argument name, responds with a suggestion of the closest valid name (for example, "Did you mean ...?"). By leveraging this capability, an attacker could brute-force guess names to reconstruct the GraphQL schema, including hidden or private fields and operations, and could then attempt to read sensitive information or perform arbitrary actions on the target server.

The scanner detected that the remote GraphQL server has field suggestions enabled.

Solution

Disable the suggestion feature in the GraphQL implementation in use if it offers such an option; otherwise, consider switching to an implementation that allows suggestions to be disabled, or strip suggestion text from error responses before they leave the server.
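The following is an added example and not Tenable's plugin code or any GraphQL project's own code. It shows both sides of the finding above: a check that looks for suggestion text in a GraphQL error response (the kind of response the scanner evaluates), and a pure error-formatting helper that removes the "Did you mean ...?" suffix that graphql-js appends to validation errors, which is the usual way to mitigate this when the server library has no switch for it. The response body is constructed for the example; the `formatError` wiring in the comment assumes an Apollo Server style hook and is an assumption about the deployment, not part of the page.

```javascript
// Added example (not from the original page). Runs with plain Node.js, no
// GraphQL packages required.

// graphql-js appends suggestions at the end of the message, e.g.
//   Cannot query field "nmae" on type "User". Did you mean "name"?
//   Unknown argument "iid" on field "Query.user". Did you mean "id" or "ids"?
// The regex matches only that trailing suffix so the rest of the message,
// which the client legitimately needs, is preserved.
const SUGGESTION_RE = /\s+Did you mean\b[^?]*\?\s*$/;

// Constructed sample: what an unhardened server returns for a mistyped field.
const SAMPLE_RESPONSE = JSON.stringify({
  errors: [
    {
      message: 'Cannot query field "nmae" on type "User". Did you mean "name"?',
      locations: [{ line: 1, column: 9 }],
    },
  ],
  data: null,
});

// Detection side: does a GraphQL response body leak field suggestions?
// This is the same signal a scanner looks for after sending a query with a
// deliberately unknown field name.
function responseLeaksSuggestions(body) {
  const parsed = typeof body === 'string' ? JSON.parse(body) : body;
  const errors = Array.isArray(parsed.errors) ? parsed.errors : [];
  return errors.some((e) => typeof e.message === 'string' && /Did you mean\b/.test(e.message));
}

// Mitigation side: strip the suggestion suffix from one formatted error.
// Only the message text changes; the error itself (and its locations/path)
// is still returned, so clients still learn that the query was invalid.
function stripFieldSuggestions(formattedError) {
  if (!formattedError || typeof formattedError.message !== 'string') return formattedError;
  return { ...formattedError, message: formattedError.message.replace(SUGGESTION_RE, '') };
}

// Apply the formatter to a whole response body (used here to demonstrate the
// before/after; in a real server you hook it into the error pipeline instead).
function hardenResponse(body) {
  const parsed = JSON.parse(body);
  if (Array.isArray(parsed.errors)) {
    parsed.errors = parsed.errors.map(stripFieldSuggestions);
  }
  return JSON.stringify(parsed);
}

// Assumed deployment wiring (Apollo Server style, not verified against any
// specific version here):
//   new ApolloServer({ schema, formatError: (formatted) => stripFieldSuggestions(formatted) })

// Stand-alone demonstration.
console.log('leaks before:', responseLeaksSuggestions(SAMPLE_RESPONSE));
const hardened = hardenResponse(SAMPLE_RESPONSE);
console.log('leaks after: ', responseLeaksSuggestions(hardened));
console.log(hardened);
```

Stripping the suffix in the error formatter mitigates the leak without changing validation behaviour: an attacker probing with wrong names still gets "Cannot query field" errors, but no longer receives the closest valid name. Re-run the detection check against the hardened output, and against argument and enum-value errors as well as field errors, since graphql-js emits suggestions for all three.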

See Also

https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html

https://blog.logrocket.com/security-and-performance-tips-and-tricks-for-your-graphql-servers/

Plugin Details

Severity: Medium

ID: 112895

Type: remote

Published: 7/19/2021

Updated: 9/7/2021

Scan Template: api, scan, pci

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information