Skip to main content

Introspection enabled

Description

GraphQL introspection enables you to query a GraphQL server for information about the underlying schema, including data like types, fields, queries, mutations, and even the field-level descriptions. It discloses sensitive information that potentially allows an attacker to design malicious operations.

Remediation

Introspection should primarily be used as a discovery and diagnostic tool when we're in the development phase of building out GraphQL APIs. While it's still possible for bad actors to learn how to write malicious queries by reverse engineering your GraphQL API through a lot of trial and error, disabling introspection is a form of security by obscurity.

GraphQL Specific

Apollo

Ensure that introspection is only enabled in development environments to prevent potential information leakage about the GraphQL schema. In production, disable introspection to enhance the security posture of the Apollo framework engine.

Yoga

Ensure that the Yoga framework engine has introspection queries disabled in production environments to prevent potential information leakage about the schema structure. This can be achieved by setting the 'introspection' option to false within the Yoga server configuration. Additionally, consider implementing proper authentication and authorization mechanisms to control access to the GraphQL API.

Awsappsync

Ensure that AWS AppSync resolvers are not exposing sensitive data or overly permissive operations. Review the schema and resolver mappings to enforce least privilege access, and utilize AWS Identity and Access Management (IAM) roles and policies to control access to AWS resources. Regularly audit your GraphQL queries and mutations for security risks and apply appropriate authorization checks.

Graphqlgo

Ensure that the GraphQL Go framework engine has introspection queries disabled in production environments to prevent potential information leakage about the schema. Configure the server to conditionally enable introspection only for authorized development or staging environments.

Graphqlruby

Disable introspection queries in production by setting the introspection configuration to false within the GraphQL schema definition. This helps prevent potential attackers from discovering the API's structure and available queries.

Hasura

To mitigate security risks in the Hasura framework, ensure that introspection is disabled for production environments. Introspection allows clients to query the schema of your GraphQL API, which can expose the structure and available operations to potential attackers. Disable introspection by setting the 'HASURA_GRAPHQL_ENABLE_INTROSPECTION' environment variable to 'false' in your production environment configuration. Additionally, consider implementing proper authentication and authorization mechanisms to control access to your GraphQL API.

Configuration

Identifier: information_disclosure/introspection_enabled

Examples

Ignore this check

checks:
information_disclosure/introspection_enabled:
skip: true

Score

  • Escape Severity: INFO

Compliance

  • OWASP: API7:2023

  • pci: 6.5.10

  • gdpr: Article-32

  • soc2: CC6

  • psd2: Article-95

  • iso27001: A.12.6

  • nist: SP800-95

  • fedramp: SC-7

Classification

  • CWE: 215

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • CVSS_SCORE: 4.9

References