
Configuration: GraphQL Extension Disclosure

Identifier: graphql_extension_disclosure

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

GraphQL Extension Disclosure happens when a GraphQL server unintentionally gives away too many internal details through the custom entries it places in the `extensions` map of its responses. If sensitive information such as your server's schema or the inner workings of its resolvers is exposed, attackers can use it to tailor attacks more precisely against your system. This typically happens when extra debugging or monitoring features (tracing, query cost reporting, stack traces in error extensions) are left enabled in a production environment, making it easier for someone with malicious intent to learn how your server is built and where its vulnerabilities lie. Always be cautious about what extra data your server sends out; keep any sensitive configuration details under wraps to reduce the risk of an attack.
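The check below is an added example written for this page; it is not the scanner's own detection logic. It parses a GraphQL JSON response (a constructed sample is embedded), flags `extensions` entries whose keys or values look like debugging or tracing output, and shows how a production layer can strip everything except an allow-list of harmless extension keys before the body leaves the server. The suspicious key list and leak patterns are assumptions chosen for illustration, not a vendor-defined set.

```python
"""Defensive check for GraphQL extension disclosure (added example, not the
page's or the scanner's own code). The GraphQL spec allows an `extensions`
map in responses but leaves its content to the implementation, so the
heuristics below are illustrative assumptions rather than a standard."""
import json
import re

# Extension keys commonly emitted by debugging / monitoring features
# (assumed list for this example).
SUSPICIOUS_EXTENSION_KEYS = {
    "tracing", "debug", "stacktrace", "stack", "exception",
    "schema", "resolvers", "cost", "queryplan",
}

# Substrings that suggest an internal detail is leaking inside a value
# (assumed patterns for this example).
LEAK_PATTERNS = re.compile(
    r"(traceback|stack ?trace|/usr/|/home/|\.py:|\.js:|node_modules|resolver)",
    re.IGNORECASE,
)


def _walk(obj, path=""):
    """Yield (json_path, leaf_value) for every leaf in a nested JSON object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def detect_extension_disclosure(response):
    """Return a list of human-readable findings about internals disclosed
    via `response["extensions"]`; an empty list means nothing was flagged."""
    findings = []
    ext = response.get("extensions")
    if not isinstance(ext, dict):
        return findings
    # 1. Top-level extension keys that are debugging/monitoring features.
    for key in ext:
        if key.lower() in SUSPICIOUS_EXTENSION_KEYS:
            findings.append(f"extensions.{key}: debugging/monitoring extension present")
    # 2. String values anywhere inside extensions that look like internals.
    for json_path, value in _walk(ext, "extensions"):
        if isinstance(value, str) and LEAK_PATTERNS.search(value):
            findings.append(f"{json_path}: value looks like an internal detail ({value[:40]!r})")
    return findings


def strip_extensions(response, allowed=()):
    """Return a copy of the response keeping only allow-listed extension keys.
    If nothing survives, the `extensions` map is removed entirely."""
    cleaned = dict(response)
    ext = cleaned.get("extensions")
    if isinstance(ext, dict):
        kept = {k: v for k, v in ext.items() if k in allowed}
        if kept:
            cleaned["extensions"] = kept
        else:
            cleaned.pop("extensions")
    return cleaned


# Constructed sample: what a server with tracing and debug output left on
# in production might return. Paths and messages are made up.
SAMPLE_RESPONSE = json.loads("""
{
  "data": {"user": {"id": "1"}},
  "extensions": {
    "tracing": {"version": 1,
                "execution": {"resolvers": [{"path": ["user"], "parentType": "Query"}]}},
    "debug": {"error": "Traceback (most recent call last): File \\"/home/app/resolvers.py\\", line 12"},
    "requestId": "abc-123"
  }
}
""")

if __name__ == "__main__":
    for finding in detect_extension_disclosure(SAMPLE_RESPONSE):
        print("FINDING:", finding)
    # Only the correlation id survives the production filter.
    print(json.dumps(strip_extensions(SAMPLE_RESPONSE, allowed=("requestId",)), indent=2))
```

Running the block against the constructed sample reports the `tracing` and `debug` keys and the traceback string inside `debug.error`; the allow-list filter then returns a response whose `extensions` contains only `requestId`. In practice the allow-list, not the block list, is the setting to carry into production: anything not explicitly needed by clients should be dropped.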

Configuration

Example

Example configuration:

---
security_tests:
  graphql_extension_disclosure:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.