
Security Test: GraphQL Response Format

Description

Default Severity:

GraphQL itself is not a vulnerability; it is a convention for how an API structures the data it returns. The risk lies in the response format and, above all, in error handling. The GraphQL specification allows an error object to carry only `message`, `locations`, `path` and `extensions`, but many servers in their default or debug configuration fill those fields (or add others) with the raw exception text, a stack trace, the failing database statement, or file paths from the host. An attacker who deliberately sends malformed or unexpected queries can harvest that detail to map your resolvers, backing stores and runtime environment before attempting anything else. Treat every error as output to an untrusted party: return a generic message plus a correlation identifier for unexpected failures, keep the full detail in server-side logs, and disable debug-mode error extensions outside development.
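The following is an added example, not code from the original page or from the scanner it documents. It does two things a practitioner wants when reviewing this check: it scans a parsed GraphQL response for the kind of internal detail described above, and it shows the masking pattern (generic message, correlation id, full detail kept server-side) applied to a constructed debug-mode response. The extension key names, the regular expressions, the allow-list of client-safe error codes and the sample response are all assumptions chosen to resemble what common GraphQL servers emit; adapt them to the server you actually run.

```python
"""Detect and mask internal detail in GraphQL error responses (added example)."""
import json
import re

# Extension keys that debug-mode servers commonly use for internals (assumed).
LEAKY_EXTENSION_KEYS = {"stacktrace", "exception", "trace", "debug"}

# Message fragments that indicate a stack frame, raw query or path escaped (assumed).
LEAKY_MESSAGE_PATTERNS = [
    re.compile(r"Traceback \(most recent call last\)"),        # Python traceback header
    re.compile(r"\bat \S+ \([^)]*:\d+:\d+\)"),                  # JS/V8 stack frame
    re.compile(r'File "[^"]+", line \d+'),                      # Python stack frame
    re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*\b(FROM|INTO|SET)\b", re.I),  # raw SQL
    re.compile(r"(?:[A-Za-z]:\\|/(?:usr|home|var|opt|app|srv)/)\S*"),  # filesystem paths
]

# Per the GraphQL spec an error object may only carry these keys; anything
# else belongs under "extensions".
SPEC_ERROR_KEYS = {"message", "locations", "path", "extensions"}

# Error codes whose message is safe to return verbatim (assumed allow-list).
CLIENT_SAFE_CODES = {"BAD_USER_INPUT", "GRAPHQL_VALIDATION_FAILED",
                     "UNAUTHENTICATED", "FORBIDDEN"}


def find_leaks(response):
    """Scan a parsed GraphQL response; return a list of findings (empty == clean)."""
    findings = []
    for i, err in enumerate(response.get("errors") or []):
        msg = err.get("message", "")
        for pat in LEAKY_MESSAGE_PATTERNS:
            if pat.search(msg):
                findings.append(f"errors[{i}].message matches /{pat.pattern}/")
        for key in (err.get("extensions") or {}):
            if key.lower() in LEAKY_EXTENSION_KEYS:
                findings.append(f"errors[{i}].extensions.{key} present")
        for key in err:
            if key not in SPEC_ERROR_KEYS:
                findings.append(f"errors[{i}] has non-spec key {key!r}")
    return findings


def sanitize_error(err, error_id):
    """Return (client_error, server_log_record) for one raw error object.

    The raw error goes to the log record under a correlation id; the client
    sees a generic message unless the error code is on the allow-list.
    """
    ext = err.get("extensions") or {}
    code = ext.get("code", "INTERNAL_SERVER_ERROR")
    client = {
        "message": err["message"] if code in CLIENT_SAFE_CODES else "Internal server error",
        "extensions": {"code": code, "errorId": error_id},
    }
    for key in ("locations", "path"):  # spec-allowed and not sensitive
        if key in err:
            client[key] = err[key]
    return client, {"errorId": error_id, "raw": err}


def sanitize_response(response, id_source):
    """Apply sanitize_error to every error; id_source is an iterator of correlation ids."""
    out = dict(response)
    sanitized, logs = [], []
    for err in response.get("errors") or []:
        client, record = sanitize_error(err, next(id_source))
        sanitized.append(client)
        logs.append(record)
    if sanitized:
        out["errors"] = sanitized
    return out, logs


# Constructed sample: what a server running in debug mode might return.
DEBUG_RESPONSE = {
    "data": None,
    "errors": [{
        "message": 'relation "users_v2" does not exist\n'
                   "SELECT id, password_hash FROM users_v2 WHERE id = $1",
        "path": ["user"],
        "locations": [{"line": 2, "column": 3}],
        "extensions": {
            "code": "INTERNAL_SERVER_ERROR",
            "stacktrace": [
                'Error: relation "users_v2" does not exist',
                "    at resolveUser (/app/src/resolvers/user.js:42:11)",
            ],
        },
    }],
}

if __name__ == "__main__":
    print("\n".join(find_leaks(DEBUG_RESPONSE)))
    clean, logs = sanitize_response(DEBUG_RESPONSE, iter(["a1b2c3"]))
    print(json.dumps(clean, indent=2))
    print("leaks after masking:", find_leaks(clean))
```

Run against the constructed response, `find_leaks` reports the raw SQL in the message and the `stacktrace` extension; after `sanitize_response` the client sees only `Internal server error` with a correlation id, while the log record still holds the full original error for the operator. A `BAD_USER_INPUT` error keeps its message, since validation feedback is meant for the client and carries no internals.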

Reference:

Configuration

Identifier: schema/graphql_response_format

Examples

All configuration available:

checks:
  schema/graphql_response_format:
    skip: false # default

Compliance and Standards

Standard            Value
OWASP API Top 10    API9:2023
OWASP LLM Top 10    LLM02:2023
PCI DSS             6.5.1
GDPR                Article-5
SOC2                CC6
PSD2                Article-98
ISO 27001           A.12.1
NIST                SP800-95
FedRAMP             SI-10
CWE                 20
CVSS Vector         AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H