Introspection enabled
Description
GraphQL introspection enables you to query a GraphQL server for information about the underlying schema, including data like types, fields, queries, mutations, and even the field-level descriptions. It discloses sensitive information that potentially allows an attacker to design malicious operations.
Remediation
Introspection should primarily be used as a discovery and diagnostic tool during the development phase of a GraphQL API. While it is still possible for an attacker to learn how to write malicious queries by reverse engineering your GraphQL API through a lot of trial and error, disabling introspection is a form of security by obscurity.
GraphQL Specific
Apollo
Ensure that introspection is enabled only in development environments, and disable it in production, so that Apollo Server does not leak information about the GraphQL schema.
Yoga
Ensure that the Yoga framework engine has introspection queries disabled in production environments to prevent potential information leakage about the schema structure. This can be achieved by setting the 'introspection' option to false within the Yoga server configuration. Additionally, consider implementing proper authentication and authorization mechanisms to control access to the GraphQL API.
Awsappsync
Ensure that AWS AppSync resolvers are not exposing sensitive data or overly permissive operations. Review the schema and resolver mappings to enforce least privilege access, and utilize AWS Identity and Access Management (IAM) roles and policies to control access to AWS resources. Regularly audit your GraphQL queries and mutations for security risks and apply appropriate authorization checks.
Graphqlgo
Ensure that the GraphQL Go framework engine has introspection queries disabled in production environments to prevent potential information leakage about the schema. Configure the server to conditionally enable introspection only for authorized development or staging environments.
Graphqlruby
Disable introspection queries in production by setting the introspection configuration to false within the GraphQL schema definition. This helps prevent potential attackers from discovering the API's structure and available queries.
Hasura
To mitigate security risks in the Hasura framework, ensure that introspection is disabled for production environments. Introspection allows clients to query the schema of your GraphQL API, which can expose the structure and available operations to potential attackers. Disable introspection by setting the 'HASURA_GRAPHQL_ENABLE_INTROSPECTION' environment variable to 'false' in your production environment configuration. Additionally, consider implementing proper authentication and authorization mechanisms to control access to your GraphQL API.
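As an added example that is not part of this page or Escape's scanner, a small Node.js (18+) script sends the kind of introspection probe this check performs and classifies the response, so you can confirm that a deployment actually refuses introspection; the endpoint URL, headers and the sample bodies are assumptions constructed here.

```javascript
// Added example, not Escape's own scanner: send the kind of introspection
// probe this check performs and classify the answer. Node.js 18+ (built-in
// fetch), no third-party packages; the URL and headers are caller-supplied.
// Requesting __schema is enough to trigger a refusal when introspection is off.
const INTROSPECTION_PROBE = `query IntrospectionProbe {
  __schema { queryType { name } types { name } }
}`;
// Present in every schema; these disclose nothing about the application.
const BUILTIN_SCALARS = new Set(['String', 'Int', 'Float', 'Boolean', 'ID']);

// Classify a parsed GraphQL response body:
//   'enabled'  - __schema.types came back, so introspection is on
//   'disabled' - no data, and the errors mention introspection/__schema/__type
//   'unknown'  - anything else (auth challenge, non-GraphQL body, ...)
function classifyIntrospection(body) {
  if (!body || typeof body !== 'object') return 'unknown';
  const types = body.data && body.data.__schema && body.data.__schema.types;
  if (Array.isArray(types) && types.length > 0) return 'enabled';
  if (!body.data && Array.isArray(body.errors) && body.errors.length > 0) {
    const text = body.errors.map((e) => String(e.message || '')).join(' ');
    if (/introspection|__schema|__type/i.test(text)) return 'disabled';
  }
  return 'unknown';
}
// Application-defined type names an enabled response discloses; built-in
// scalars and __* meta types are dropped since they reveal nothing.
function exposedTypeNames(body) {
  if (classifyIntrospection(body) !== 'enabled') return [];
  return body.data.__schema.types
    .map((t) => t.name)
    .filter((n) => typeof n === 'string' && !n.startsWith('__') && !BUILTIN_SCALARS.has(n))
    .sort();
}

// Probe a live endpoint, e.g. your production URL after deploying with introspection off.
async function probeIntrospection(url, headers = {}) {
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/json', ...headers },
    body: JSON.stringify({ query: INTROSPECTION_PROBE }),
  });
  let body = null;
  try { body = await res.json(); } catch { /* non-JSON body stays 'unknown' */ }
  return { status: res.status, verdict: classifyIntrospection(body), exposed: exposedTypeNames(body) };
}

// Constructed sample bodies (not captured from a real server).
const SAMPLE_ENABLED = { data: { __schema: { queryType: { name: 'Query' }, types: [
  { name: 'Query' }, { name: 'User' }, { name: 'String' }, { name: '__Schema' }] } } };
const SAMPLE_DISABLED = { errors: [{ message: 'GraphQL introspection is not allowed, but the query contained __schema' }] };
```

A 'disabled' verdict only means the __schema field was refused; pair it with the authentication and authorization controls the framework sections above recommend.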
Configuration
Identifier:
information_disclosure/introspection_enabled
Examples
Ignore this check
checks:
  information_disclosure/introspection_enabled:
    skip: true
Score
- Escape Severity: INFO
Compliance
OWASP: API7:2023
pci: 6.5.10
gdpr: Article-32
soc2: CC6
psd2: Article-95
iso27001: A.12.6
nist: SP800-95
fedramp: SC-7
Classification
- CWE: 215
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
- CVSS_SCORE: 4.9