Security Test: GraphQL Response Format
Description
Default Severity:
GraphQL itself is not a vulnerability; it is a way of structuring how data is returned from your API. The risk arises when the response format or its error handling exposes more internal information than you intend. If a user sends an unexpected query or triggers an error and the response gives away too much detail, such as internal logic or stack traces, an attacker can use that to learn how to manipulate your system. Developers sometimes rely on default error messages without filtering sensitive data, which enlarges the attack surface. Carefully control what you send back so that even when something goes wrong, you are not giving out clues about your inner workings.
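An added example, not the scanner's own code, of the mitigation the description calls for together with a check for it: a formatError hook (the option name Apollo Server uses; other servers expose an equivalent) that masks internal errors while passing through client-caused parse and validation errors, and a findLeaks check that flags stack frames, server paths and backend error codes in a response body. Error objects follow graphql-js's shape (message, path, extensions); the sample response is constructed.

```javascript
// Added example, not the scanner's own code. Error objects follow graphql-js's shape.
const CLIENT_ERROR_CODES = new Set(["GRAPHQL_PARSE_FAILED", "GRAPHQL_VALIDATION_FAILED", "BAD_USER_INPUT"]);

// Fragments that betray server internals when they appear in an error payload.
const LEAK_PATTERNS = [
  /\bat \S+ \(.+:\d+:\d+\)/,               // JS stack frame: "at fn (file.js:10:5)"
  /Traceback \(most recent call last\)/,   // Python traceback header
  /\/(home|usr|srv|app|var)\/[\w./-]+/,    // absolute server-side path
  /\b(ECONNREFUSED|SQLSTATE|ORA-\d{5})\b/, // backend / database error codes
  /"stacktrace"/,                          // Apollo-style extensions.exception.stacktrace
];

// Intended as the server's formatError hook. Errors the client caused (bad syntax, validation,
// bad input) are safe to echo; anything else is an internal fault and is replaced by a generic
// message, with originalError, stack and extensions.exception dropped.
function formatGraphQLError(err) {
  const code = err.extensions && err.extensions.code;
  if (CLIENT_ERROR_CODES.has(code)) {
    return { message: err.message, path: err.path, extensions: { code } };
  }
  return { message: "Internal server error", path: err.path, extensions: { code: "INTERNAL_SERVER_ERROR" } };
}

// Scan a complete GraphQL response body; returns the source of every pattern matched by
// any error entry (an empty array means nothing recognisable leaked).
function findLeaks(response) {
  const hits = [];
  for (const err of response.errors || []) {
    const text = JSON.stringify(err);
    for (const re of LEAK_PATTERNS) if (re.test(text)) hits.push(re.source);
  }
  return hits;
}

// Constructed sample: an unfiltered server's response after a database connection failure.
const leakyResponse = {
  data: null,
  errors: [{
    message: "connect ECONNREFUSED 10.0.0.5:5432",
    path: ["user"],
    extensions: { code: "INTERNAL_SERVER_ERROR", exception: { stacktrace: [
      "Error: connect ECONNREFUSED 10.0.0.5:5432",
      "    at TCPConnectWrap.afterConnect (node:net:1494:16)",
    ] } },
  }],
};

// The same response after the hook has run: findLeaks(hardenedResponse) returns [].
const hardenedResponse = { data: null, errors: leakyResponse.errors.map(formatGraphQLError) };
```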
Reference:
Configuration
Identifier:
schema/graphql_response_format
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API9:2023 |
| OWASP LLM Top 10 | LLM02:2023 |
| PCI DSS | 6.5.1 |
| GDPR | Article-5 |
| SOC2 | CC6 |
| PSD2 | Article-98 |
| ISO 27001 | A.12.1 |
| NIST | SP800-95 |
| FedRAMP | SI-10 |
| CWE | 20 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |