Security Test: GraphQL IDE
Description
Default Severity:
A GraphQL IDE (GraphiQL, GraphQL Playground, Apollo Sandbox, Altair and similar tools) is an in-browser client served by, or alongside, the GraphQL endpoint that lets users explore the schema and run queries interactively. Left reachable in production, it hands out the API's blueprint: the IDE relies on introspection to list every type, field, argument and mutation, and its documentation panel presents that schema in a form an attacker can read without any tooling. That knowledge makes it easier to craft targeted or abusive queries, such as deeply nested or expensive operations that overload the backend, or queries that reach sensitive fields, which can lead to data leaks or service disruption. Developers often forget to disable the IDE, introspection and other development-only features when moving to production, which leaves the door open to attackers. Restrict who can reach the IDE (or disable it entirely outside development) and control what it exposes so that the API does not inadvertently hand its blueprint to the wrong people.
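As an added illustration of the check this test performs (example code written for this page, not the scanner's own implementation), the following Python script fingerprints the HTML a GraphQL endpoint returns to a browser-like GET request. The IDE names, the fingerprint strings, the `Response` stand-in and the sample responses are assumptions constructed for the example; the optional `probe` helper performs a real network request and is not exercised by the samples.

```python
"""Probe a GraphQL endpoint for an exposed in-browser IDE.

Added example for this page; it is not code from the page or from any
scanner. It fingerprints the HTML a GraphQL server returns when a browser
asks for the endpoint. The fingerprints are assumptions drawn from the
public bundles of common IDEs, and the sample responses are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for the example)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; empty string when absent."""
        return next((v for k, v in self.headers.items()
                     if k.lower() == name.lower()), "")


# Substrings typical of each IDE's served HTML/JS (assumed fingerprints,
# matched case-insensitively against the lowercased body).
IDE_FINGERPRINTS = {
    "GraphiQL": [r"graphiql"],
    "GraphQL Playground": [r"graphql-playground", r"graphqlplayground"],
    "Apollo Sandbox": [r"apollo-server-landing-page", r"embeddable-sandbox"],
    "Altair": [r"altair-graphql", r"altairgraphql"],
}


def probe_headers() -> dict:
    """Headers to send with a GET to the endpoint.

    Many servers content-negotiate: a browser-like Accept header yields the
    IDE page, while API clients asking for JSON get an error instead. Sending
    only application/json would miss an exposed IDE.
    """
    return {"Accept": "text/html,application/xhtml+xml,*/*;q=0.8"}


def probe(url: str, timeout: float = 10.0) -> Response:
    """Fetch the endpoint as a browser would (network call; not used by samples)."""
    req = urllib.request.Request(url, headers=probe_headers(), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, dict(r.headers.items()),
                            r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # A 4xx/5xx still carries headers and a body worth inspecting.
        return Response(e.code, dict(e.headers.items()),
                        e.read().decode("utf-8", "replace"))


def detect_ide(resp: Response) -> list:
    """Return the names of IDEs whose fingerprints appear in an HTML response."""
    if resp.status != 200:
        return []
    if "text/html" not in resp.header("Content-Type").lower():
        return []  # JSON, SDL or error bodies are not an IDE page
    body = resp.body.lower()
    return [name for name, pats in IDE_FINGERPRINTS.items()
            if any(re.search(p, body) for p in pats)]


def is_ide_exposed(resp: Response) -> bool:
    """True when at least one IDE fingerprint is found."""
    return bool(detect_ide(resp))


# Constructed sample responses (not captured from a real server).
GRAPHIQL_PAGE = Response(200, {"Content-Type": "text/html; charset=utf-8"},
    '<html><head><title>GraphiQL</title>'
    '<script src="https://unpkg.com/graphiql/graphiql.min.js"></script>'
    '</head><body><div id="graphiql"></div></body></html>')

PLAYGROUND_PAGE = Response(200, {"Content-Type": "text/html"},
    '<html><body><div id="root"></div><script>'
    'window.addEventListener("load", function () {'
    '  GraphQLPlayground.init(document.getElementById("root"), { endpoint: "/graphql" })'
    '});</script></body></html>')

JSON_ONLY = Response(400, {"Content-Type": "application/json"},
    '{"errors":[{"message":"GET query missing."}]}')

HTML_NO_IDE = Response(200, {"Content-Type": "text/html"},
    "<html><body><h1>Not Found</h1></body></html>")


if __name__ == "__main__":
    for label, r in [("graphiql", GRAPHIQL_PAGE), ("playground", PLAYGROUND_PAGE),
                     ("json", JSON_ONLY), ("plain html", HTML_NO_IDE)]:
        print(f"{label}: exposed={is_ide_exposed(r)} ides={detect_ide(r)}")
```

The Accept header matters: a server that returns the IDE only to browsers will look clean if probed with an API client's `Accept: application/json`, so a scanner should always send a browser-like request in addition to its JSON queries. A negative result from this fingerprint list is not proof that no IDE is served, since self-hosted or renamed bundles may not carry any of these strings.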
Configuration
Identifier:
configuration/ide_enabled
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API7:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.1 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.14.2 |
NIST | SP800-53 |
FedRAMP | AC-6 |
CWE | 200 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C |
CVSS Score | 4.8 |