Security Test: GraphQL Response Format¶

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	Frontend Scanner

Description¶

Default Severity:

GraphQL itself isn’t a vulnerability but rather a way to structure how data is returned from your API. The risk comes when the format or its error handling accidentally exposes more internal information than you intend. Imagine if a user makes an unexpected query or causes an error—if the response gives away too much detail, like internal logic or stack traces, an attacker can use that to learn how to manipulate your system. Developers sometimes rely on default error messages without filtering sensitive data, which can lead to greater attack surfaces. It's important to carefully control what you send back so that even when something goes wrong, you're not giving out clues about your inner workings.

Reference:

https://spec.graphql.org/October2021/#sec-Errors

Configuration¶

Identifier: schema/graphql_response_format

Examples¶

All configuration available:

checks:
  schema/graphql_response_format:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API9:2023
OWASP LLM Top 10	LLM02:2023
PCI DSS	`6.5.1`
GDPR	`Article-5`
SOC2	`CC6`
PSD2	`Article-98`
ISO 27001	`A.12.1`
NIST	`SP800-95`
FedRAMP	`SI-10`
CWE	`20`
CVSS Vector	`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`