Security Test: GraphQL Extension Disclosure
Description
Default Severity:
GraphQL Extension Disclosure occurs when a GraphQL server unintentionally reveals too many internal details through its custom extensions. If sensitive information such as the server's schema or the inner workings of its resolvers is exposed, attackers can use it to tailor attacks more precisely against the system. This typically happens when extra debugging or monitoring features are left enabled in a production environment, which makes it easier for someone with malicious intent to learn how the server is built and where its vulnerabilities lie. Be cautious about what extra data the server sends out, and keep sensitive configuration details out of responses to reduce the risk of an attack.
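An added example (not part of this scanner or of any GraphQL server's own code): a check that walks the `extensions` objects of a GraphQL response, reports entries that expose debugging or monitoring detail, and cuts them down to an allowlist before the response leaves the server. The sample response, the `requestId` allowlist and the list of debug key names are assumptions made for illustration.

```python
import copy

# Assumption: the only extension key clients are meant to receive.
ALLOWED_EXTENSIONS = {"requestId"}
# Assumed key names that typically carry debugging or monitoring output.
DEBUG_KEYS = {"tracing", "exception", "stacktrace", "debug"}

# Constructed sample response, shaped like a server with tracing and debug errors on.
SAMPLE = {
    "data": {"user": None},
    "errors": [{"message": "Internal error", "path": ["user"], "extensions": {
        "code": "INTERNAL_SERVER_ERROR",
        "exception": {"stacktrace": ["at userResolver (/app/resolvers/user.js:42)"]}}}],
    "extensions": {"requestId": "req-0001", "tracing": {"execution": {"resolvers": [
        {"path": ["user"], "parentType": "Query", "fieldName": "user"}]}}},
}

def _walk(node, path):
    """Yield (path, key) for every dict key nested under an extensions object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield f"{path}.{key}", key
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def audit_extensions(response):
    """Return sorted paths of extension entries that expose internal detail."""
    top = response.get("extensions") or {}
    findings = {f"extensions.{k}" for k in top if k not in ALLOWED_EXTENSIONS}
    roots = [("extensions", top)]
    for i, err in enumerate(response.get("errors") or []):
        roots.append((f"errors[{i}].extensions", err.get("extensions") or {}))
    for root, ext in roots:
        findings.update(p for p, key in _walk(ext, root) if key in DEBUG_KEYS)
    return sorted(findings)

def sanitize(response):
    """Return a copy with extensions cut down to the allowlist and error codes."""
    clean = copy.deepcopy(response)
    kept = {k: v for k, v in (clean.pop("extensions", None) or {}).items()
            if k in ALLOWED_EXTENSIONS}
    if kept:
        clean["extensions"] = kept
    for err in clean.get("errors") or []:
        ext = err.pop("extensions", None) or {}
        if "code" in ext:
            err["extensions"] = {"code": ext["code"]}
    return clean
```

Running `audit_extensions` against captured production responses in CI or a post-deploy smoke test catches a debug or tracing feature that was left enabled; `sanitize` shows the allowlist approach a response filter would take.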
Configuration
Identifier:
configuration/graphql_extension_disclosure
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API8:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.10 |
GDPR | Article-32 |
SOC2 | CC6 |
PSD2 | Article-95 |
ISO 27001 | A.13.1 |
NIST | SP800-95 |
FedRAMP | AC-6 |
CWE | 16 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS Score | 4.3 |