GraphQL Field Suggestions Detected

Medium | Web App Scanning Plugin ID 112895

Synopsis

GraphQL Field Suggestions Detected

Description

GraphQL is an open-source query and manipulation language for APIs, together with a server-side runtime that executes those queries against the application's data. Many GraphQL implementations, including the reference implementation graphql-js, answer a query or mutation that names an unknown field with a validation error that suggests close matches taken from the real schema (for example: Cannot query field "usr" on type "Query". Did you mean "user" or "users"?). An attacker can drive this behaviour with a wordlist of guessed field names and use the returned suggestions to reconstruct the schema, including fields and operations that were never meant to be public, even when introspection has been disabled. Once the schema is known, the attacker can attempt to read sensitive data or invoke privileged mutations on the target server.

The scanner detected that the remote GraphQL server has field suggestions enabled.

Solution

Disable field suggestions if the GraphQL implementation in use supports it. Where it does not, filter the "Did you mean" clause out of error messages before they are returned to clients, or consider moving to an implementation that allows suggestions to be turned off. Disabling introspection alone does not address this issue, because the suggestions leak schema information through ordinary validation errors. Verify the fix by sending a query with a deliberately misspelled field name and confirming that the response no longer contains suggested names.
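The following Python example, added here and not part of the Tenable plugin or of any GraphQL server, shows both sides of the Description and Solution above: a wordlist-driven discovery loop that recovers field names from "Did you mean" suggestions, the detection check the scanner performs, and an error formatter that strips the suggestion clause. The target is a constructed in-process stand-in for a GraphQL server with a toy schema (the SCHEMA dict and the fake_server function are assumptions); its suggestion logic approximates graphql-js's suggestionList (case-insensitive Damerau-Levenshtein distance, threshold floor(0.4 * len) + 1, at most five results) and its didYouMean message format, but it is a model, not the library itself.

```python
import re

# Constructed toy schema standing in for the target's real one (assumption).
# "adminReport" and "passwordHash" play the role of fields that are not meant to be public.
SCHEMA = {
    "Query": {"user": "User", "users": "[User]", "adminReport": "String", "health": "String"},
    "User": {"id": "ID", "email": "String", "passwordHash": "String"},
}

# Constructed wordlist an attacker might try; note the all-lowercase "adminreport".
WORDLIST = ["usr", "adminreport", "helth", "mail", "password"]

# Matches the suggestion clause graphql-js appends to "Cannot query field" errors.
SUGGEST_RE = re.compile(r'\s*Did you mean (.*?)\?')


def lexical_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance, case-insensitive after an exact-match check.
    Mirrors graphql-js LexicalDistance: exact match costs 0, case-only difference costs 1."""
    if a == b:
        return 0
    a, b = a.lower(), b.lower()
    if a == b:
        return 1
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def suggestion_list(guess: str, options) -> list:
    """Approximation of graphql-js suggestionList: keep options within the distance threshold, closest first, max 5."""
    threshold = len(guess) * 4 // 10 + 1  # floor(0.4 * len) + 1
    scored = [(lexical_distance(guess, o), o) for o in options]
    return [o for dist, o in sorted(scored) if dist <= threshold][:5]


def did_you_mean(names: list) -> str:
    """Format the suggestion clause the way graphql-js didYouMean does."""
    quoted = [f'"{n}"' for n in names]
    if len(quoted) == 1:
        return f"Did you mean {quoted[0]}?"
    if len(quoted) == 2:
        return f"Did you mean {quoted[0]} or {quoted[1]}?"
    return f"Did you mean {', '.join(quoted[:-1])}, or {quoted[-1]}?"


def fake_server(field: str, parent: str) -> dict:
    """Constructed stand-in for POSTing `{ <field> }` (or a sub-selection on <parent>) to a GraphQL endpoint.
    A real server answers a valid object field without a selection set with a different error, but that
    error still confirms the field exists; this model simply returns data for any known field."""
    fields = SCHEMA[parent]
    if field in fields:
        return {"data": {field: None}}
    message = f'Cannot query field "{field}" on type "{parent}".'
    suggestions = suggestion_list(field, fields)
    if suggestions:
        message += " " + did_you_mean(suggestions)
    return {"errors": [{"message": message}]}


def has_field_suggestions(response: dict) -> bool:
    """The check the scanner performs: does any error message leak suggested field names?"""
    return any("Did you mean" in e.get("message", "") for e in response.get("errors", []))


def extract_suggestions(response: dict) -> list:
    """Attacker side: pull the quoted names out of every suggestion clause in the response."""
    names = []
    for err in response.get("errors", []):
        m = SUGGEST_RE.search(err.get("message", ""))
        if m:
            names.extend(re.findall(r'"([^"]+)"', m.group(1)))
    return names


def discover_fields(send, parent: str, wordlist) -> list:
    """Brute-force schema recovery: probe each guess, confirm hits, and follow every suggestion until
    no new names appear. Returns the confirmed field names of <parent>, sorted."""
    found, tried, queue = set(), set(), list(wordlist)
    while queue:
        guess = queue.pop()
        if guess in tried:
            continue
        tried.add(guess)
        resp = send(guess, parent)
        if "errors" not in resp:
            found.add(guess)  # accepted by the server: the field exists
            continue
        queue.extend(s for s in extract_suggestions(resp) if s not in tried)
    return sorted(found)


def strip_suggestions(response: dict) -> dict:
    """Mitigation for implementations without an off switch: remove the suggestion clause
    before the error reaches the client (the equivalent of an error-formatting hook)."""
    for err in response.get("errors", []):
        err["message"] = SUGGEST_RE.sub("", err.get("message", "")).rstrip()
    return response


def send_verbose(field: str, parent: str) -> dict:
    return fake_server(field, parent)


def send_hardened(field: str, parent: str) -> dict:
    return strip_suggestions(fake_server(field, parent))


if __name__ == "__main__":
    print(fake_server("usr", "Query")["errors"][0]["message"])
    print("vulnerable:", has_field_suggestions(send_verbose("usr", "Query")))
    print("Query fields recovered:", discover_fields(send_verbose, "Query", WORDLIST))
    print("User fields recovered:", discover_fields(send_verbose, "User", WORDLIST))
    print("hardened:", has_field_suggestions(send_hardened("usr", "Query")))
    print("Query fields recovered after fix:", discover_fields(send_hardened, "Query", WORDLIST))
```

Two points worth noticing in the run: the lowercase guess "adminreport" is enough to surface the camelCase "adminReport", because the distance comparison is case-insensitive, and the generic guess "password" on the User type surfaces "passwordHash" even though nothing in the wordlist names that field. With the suggestion clause stripped, the same wordlist recovers nothing, which is the behaviour the verification step in the Solution should produce against a fixed server.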

See Also

https://blog.logrocket.com/security-and-performance-tips-and-tricks-for-your-graphql-servers/

https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html

https://escape.tech/blog/graphql-verbose-error-suggestions

Plugin Details

Severity: Medium

ID: 112895

Type: remote

Published: 7/19/2021

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information