GraphQL

ID

graphql

Severity

info

Kind

Fingerprinting

CWE

16

Description

This detector covers three GraphQL-specific findings:

  • GraphQL Endpoint Supports Introspection (50007-1): The GraphQL endpoint has introspection enabled. Introspection allows clients to query the schema and retrieve detailed information about the fields, types, inputs, and mutations supported by the endpoint. This may be valuable to an attacker, as it enables them to discover the full API surface area and craft more targeted queries.

  • GraphQL Server Implementation Identified (50007-2): The GraphQL server engine has been fingerprinted. Identifying the server implementation (e.g., Apollo, Graphene, Hasura, AWS AppSync, Hot Chocolate) reveals the underlying technology stack, which can help attackers find engine-specific vulnerabilities or misconfigurations.

  • GraphQL Circular Type Reference (50007-3): A circular reference was detected in the GraphQL schema, where object types reference each other in a cycle (for example, a User type whose posts field returns Post, and a Post type whose author field returns User). Such cycles are common and legitimate in GraphQL schemas; the finding matters because, unless the server limits query depth or cost, a client can nest the same fields to arbitrary depth and craft deeply recursive queries, potentially leading to Denial of Service (DoS) conditions through excessive resource consumption.
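To show what the introspection and circular-reference findings are actually looking at, here is an added example (not the detector's own code). It sends nothing over the network: it takes a constructed introspection response of the shape the standard introspection query returns, reports whether introspection is enabled, builds the graph of which object types reference which, and enumerates the cycles in it. The function names, the INTROSPECTION_QUERY wording and the sample User/Post/Comment schema are this example's own assumptions.

```python
"""Added example (not the detector's own code): inspect a GraphQL introspection
response for the 50007-1 and 50007-3 conditions. The response below is
constructed to match the shape INTROSPECTION_QUERY returns; it was not captured."""
import json

# The query an introspection check sends. A server with introspection disabled
# normally answers with an "errors" array and no data.__schema.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema { types { kind name fields { name type { ...TypeRef } } } }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

def _ref(kind, name, of_type=None):
    # A __Type reference as introspection returns it (NON_NULL/LIST wrap ofType).
    return {"kind": kind, "name": name, "ofType": of_type}

def _obj(name, **fields):
    return {"kind": "OBJECT", "name": name,
            "fields": [{"name": f, "type": t} for f, t in fields.items()]}

# Constructed sample schema: User <-> Post, Post <-> Comment, Comment -> Comment.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {"types": [
    _obj("Query", me=_ref("OBJECT", "User")),
    _obj("User", id=_ref("NON_NULL", None, _ref("SCALAR", "ID")),
         posts=_ref("NON_NULL", None, _ref("LIST", None, _ref("OBJECT", "Post")))),
    _obj("Post", id=_ref("SCALAR", "ID"), author=_ref("NON_NULL", None, _ref("OBJECT", "User")),
         comments=_ref("LIST", None, _ref("OBJECT", "Comment"))),
    _obj("Comment", text=_ref("SCALAR", "String"), post=_ref("OBJECT", "Post"),
         replies=_ref("LIST", None, _ref("OBJECT", "Comment"))),
    {"kind": "SCALAR", "name": "ID", "fields": None},
    {"kind": "SCALAR", "name": "String", "fields": None},
    {"kind": "OBJECT", "name": "__Schema", "fields": []},
]}}})
DISABLED_RESPONSE = json.dumps({"errors": [{"message": "introspection is disabled"}]})

def introspection_enabled(raw):
    """50007-1: True when the response carries a populated __schema."""
    body = json.loads(raw)
    schema = (body.get("data") or {}).get("__schema") or {}
    return bool(schema.get("types"))

def named_type(ref):
    # Strip NON_NULL / LIST wrappers to reach the underlying named type.
    while ref.get("ofType"):
        ref = ref["ofType"]
    return ref["name"]

def build_type_graph(schema):
    """Map each user-defined OBJECT type to the object types its fields return."""
    objects = {t["name"]: t for t in schema["types"]
               if t["kind"] == "OBJECT" and not t["name"].startswith("__")}
    graph = {}
    for name, t in objects.items():
        targets = {named_type(f["type"]) for f in (t.get("fields") or [])}
        graph[name] = {x for x in targets if x in objects}   # scalars/enums dropped
    return graph

def find_cycles(graph):
    """Enumerate elementary cycles by walking simple paths; each cycle is reported
    once, rotated to start at its smallest type name. Exponential in the worst
    case, which is fine at schema size."""
    cycles = set()
    def walk(node, path):
        for nxt in sorted(graph[node]):
            if nxt in path:
                cyc = path[path.index(nxt):]
                k = cyc.index(min(cyc))
                cycles.add(tuple(cyc[k:] + cyc[:k]))
            else:
                walk(nxt, path + [nxt])
    for start in sorted(graph):
        walk(start, [start])
    return sorted(cycles)

def cycles_from_response(raw):
    """50007-3: circular object-type references in an introspection response."""
    return find_cycles(build_type_graph(json.loads(raw)["data"]["__schema"]))

if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(SAMPLE_RESPONSE))
    for cyc in cycles_from_response(SAMPLE_RESPONSE):
        print("cycle:", " -> ".join(cyc + (cyc[0],)))
```

Running it against the constructed response reports introspection as enabled and three cycles: Comment -> Comment (a self-reference through replies), Comment -> Post -> Comment, and Post -> User -> Post. Against a real endpoint you would POST INTROSPECTION_QUERY as `{"query": ...}` and feed the raw body to the same two functions.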

Rationale

GraphQL introspection exposes the complete API schema, including internal fields, types, and mutations that may not be documented publicly. Attackers use this information to discover undocumented fields and mutations, spot privileged operations, and identify input types worth fuzzing for validation weaknesses. Server implementation fingerprinting reveals the technology stack, enabling targeted exploitation of known engine-specific vulnerabilities and default misconfigurations. Circular type references let attackers craft deeply nested recursive queries that consume excessive server resources, causing denial of service. Combined with introspection data, adversaries can systematically probe the API surface area for injection vulnerabilities and authorization flaws.

Remediation

  • Introspection: Disable introspection in production environments. Most GraphQL engines provide a way to do this (e.g., introspection: false in Apollo Server; Graphene 3 ships a DisableIntrospection validation rule in graphene.validation that can be added to the view's validation rules). If introspection is required for development tools, restrict it to authenticated internal users only. Verify the change by sending an introspection query (one selecting __schema or __type) to the production endpoint and confirming the response contains an error rather than schema data.

  • Server fingerprinting: Remove or customize server identification headers and error messages that reveal the GraphQL engine in use, and configure the server to return generic error responses without stack traces or version strings. Note that this only reduces the leak: engines can also be told apart by how they respond to malformed or unusual queries, so treat this finding as informational and focus on not exposing engine versions and internals in errors rather than on hiding the engine entirely.

  • Circular references: Restructuring the schema to break cycles (returning IDs or foreign keys instead of object references) is possible but rarely worth the loss of usability, since cycles are a normal part of GraphQL schemas. The effective controls are server-side: enforce a query depth limit, run query complexity (cost) analysis, require pagination with a maximum page size on list fields, and set execution timeouts. A depth limit must be computed after fragment spreads are expanded, or a client can hide the deep part of a query in a fragment; and depth alone does not bound breadth, since aliases let a client repeat an expensive field many times at the same level, which is what complexity analysis is for.
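One way to implement the depth limit described above, as an added example that is not the scanner's or any GraphQL engine's code: it lexes the document, drops argument and variable groups (whose braces belong to input-object literals, not selection sets), parses selection sets, expands named fragment spreads so that moving the deep part of a query into a fragment does not defeat the limit, and rejects cyclic fragment spreads and malformed documents. The function names and the sample documents are this example's own. In practice you would register such logic as a validation rule in your engine rather than hand-roll a lexer; the point is what the rule has to handle.

```python
"""Added example (not the scanner's or any engine's code): a query depth limiter
that expands fragment spreads, ignores braces inside arguments and strings, and
rejects cyclic fragment spreads. Sample documents at the bottom are constructed."""
import re

TOKEN_RE = re.compile(r'''(?P<skip>\s+|,|\#[^\n]*)
  | (?P<str>"""(?:\\"""|(?!""")[\s\S])*"""|"(?:\\.|[^"\\\n])*")
  | (?P<punct>\.\.\.|[{}()\[\]:=@$!|])
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
  | (?P<num>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?)''', re.VERBOSE)

def tokenize(src):
    # Strings and comments become one token (or are dropped), so their braces never count.
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise ValueError(f"unexpected character {src[pos]!r} at {pos}")
        pos = m.end()
        if m.lastgroup != "skip":
            tokens.append(m.group())
    return tokens

def strip_args(tokens):
    # Drop parenthesised groups (arguments, variable definitions) and directives:
    # braces inside them are input-object literals, not selection sets.
    out, depth, skip = [], 0, False
    for tok in tokens:
        depth += (tok == "(") - (tok == ")")
        if depth or tok in ("(", ")"):
            continue
        if tok == "@":
            skip = True                      # also drop the directive name that follows
        elif skip:
            skip = False
        else:
            out.append(tok)
    if depth:
        raise ValueError("unbalanced parentheses")
    return out

def _parse_set(tokens, i):
    # tokens[i] == "{"; returns (children, index after the matching "}") where
    # children are ("field", subset_or_None), ("spread", name) or ("inline", subset).
    children, i = [], i + 1
    while i < len(tokens) and tokens[i] != "}":
        if tokens[i] == "...":
            if tokens[i + 1] in ("on", "{"):                  # inline fragment
                sub, i = _parse_set(tokens, tokens.index("{", i))
                children.append(("inline", sub))
            else:                                             # named fragment spread
                children.append(("spread", tokens[i + 1]))
                i += 2
        else:
            i += 3 if tokens[i + 1:i + 2] == [":"] else 1     # name, or alias ':' name
            if i < len(tokens) and tokens[i] == "{":
                sub, i = _parse_set(tokens, i)
                children.append(("field", sub))
            else:
                children.append(("field", None))
    if i >= len(tokens):
        raise ValueError("unterminated selection set")
    return children, i + 1

def selection_depth(children, fragments, stack=()):
    # Leaf field = 1, nesting adds 1, an inline fragment adds nothing, and a named
    # spread contributes the depth of the fragment it expands to.
    depth = 0
    for kind, payload in children:
        if kind != "spread":
            d = (kind == "field") + (selection_depth(payload, fragments, stack) if payload else 0)
        elif payload in stack or payload not in fragments:
            raise ValueError(f"cyclic or unknown fragment spread {payload!r}")
        else:
            d = selection_depth(fragments[payload], fragments, stack + (payload,))
        depth = max(depth, d)
    return depth

def query_depth(src):
    # Depth of the deepest operation in the document; raises on malformed input.
    tokens, operations, fragments, i = strip_args(tokenize(src)), [], {}, 0
    while i < len(tokens):
        if tokens[i] == "fragment":
            name = tokens[i + 1]
            fragments[name], i = _parse_set(tokens, tokens.index("{", i))
        elif tokens[i] in ("query", "mutation", "subscription", "{"):
            sel, i = _parse_set(tokens, tokens.index("{", i))
            operations.append(sel)
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return max(selection_depth(op, fragments) for op in operations)

def enforce_depth_limit(src, limit):
    # True when every operation is within `limit`; malformed or cyclic documents
    # are rejected rather than handed to the executor.
    try:
        return query_depth(src) <= limit
    except (ValueError, IndexError):
        return False

# Constructed samples: a plainly deep query, the same depth hidden behind a fragment
# spread, braces inside an input object and a string literal, and a fragment cycle.
DEEP_QUERY = "{ me { posts { author { posts { author { id } } } } } }"
FRAGMENT_QUERY = "query { me { ...Deep } } fragment Deep on User { posts { author { posts { id } } } }"
INPUT_OBJECT_QUERY = '{ search(filter: {a: {b: {c: 1}}}, q: "{ { {") { id } }'
CYCLIC_FRAGMENTS = "query { ...A } fragment A on Query { ...B } fragment B on Query { ...A }"
```

With a limit of 5, DEEP_QUERY (depth 6) is rejected, FRAGMENT_QUERY is measured at 5 once the fragment is expanded, INPUT_OBJECT_QUERY is correctly measured at 2 despite its braces, and CYCLIC_FRAGMENTS is rejected outright. A naive brace counter would get the second and third cases wrong in opposite directions.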