
Schema: Response Format

Identifier: graphql_response_format

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner

Description

GraphQL itself is not a vulnerability; it is a way to structure how data is returned from your API. The risk comes when the response format or its error handling exposes more internal information than you intend. If a user sends an unexpected query or triggers an error and the response gives away too much detail, such as internal logic, stack traces, file paths or raw back-end error messages, an attacker can use those clues to learn how the system is built and how to manipulate it. Developers sometimes rely on a server's default error formatting, which in some GraphQL servers (especially when left in debug mode) serialises the raw exception into the "errors" array without filtering sensitive data, widening the attack surface. Carefully control what you send back: even when something goes wrong, the client should receive only a generic message and a correlation identifier, while the full exception is logged on the server side.
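As an added illustration (not part of this page or the scanner's own code), the Python script below simulates a resolver failure, formats the resulting GraphQL error both the leaky way (raw exception message, class name and stack trace in extensions) and the hardened way (generic message plus a correlation id, with the real exception logged server-side only), and then runs a simple leak check over the "errors" array of the kind a scanner performs. The resolver, the error strings and the leak indicators are constructed for the example and are not the scanner's actual detection rules.

```python
import json
import logging
import re
import traceback
import uuid

log = logging.getLogger("graphql.server")


# --- Two ways of turning a resolver exception into a GraphQL "errors" entry ---

def leaky_format_error(exc: Exception) -> dict:
    """Mimics a server left in debug mode: the raw exception message, its class
    name and the full stack trace are all serialised into the response."""
    return {
        "message": str(exc),
        "path": ["user", "ssn"],
        "extensions": {
            "exception": {
                "type": type(exc).__name__,
                "stacktrace": traceback.format_exception(type(exc), exc, exc.__traceback__),
            }
        },
    }


def hardened_format_error(exc: Exception, error_id: str) -> dict:
    """Logs the real exception server-side under a correlation id and returns
    only a generic message plus that id to the client."""
    log.error("request %s failed", error_id, exc_info=exc)
    return {
        "message": "Internal server error",
        "path": ["user", "ssn"],
        "extensions": {"code": "INTERNAL_SERVER_ERROR", "errorId": error_id},
    }


def failing_resolver():
    # Constructed failure: a back-end database error surfacing through a resolver.
    raise RuntimeError('psycopg2.errors.UndefinedColumn: column "ssn" does not exist')


def execute(debug: bool, error_id: str = "") -> dict:
    """Simulates executing `{ user { ssn } }` against a resolver that throws."""
    try:
        failing_resolver()
    except Exception as exc:  # every failure must be formatted, so catch broadly
        if debug:
            return {"data": None, "errors": [leaky_format_error(exc)]}
        return {"data": None, "errors": [hardened_format_error(exc, error_id or uuid.uuid4().hex)]}
    return {"data": {"user": {"ssn": None}}}


# --- Leak check over the response, as a scanner would run it (constructed rules) ---

LEAK_PATTERNS = {
    "stack trace": re.compile(r'Traceback \(most recent call last\)|File "[^"]+", line \d+|\s+at \S+ \([^)]*:\d+:\d+\)'),
    "file path": re.compile(r'/(?:home|usr|var|app|srv|opt)/[^\s"\']+|[A-Za-z]:\\[^\s"\']+'),
    "database error": re.compile(r'\b(?:SQLSTATE|psycopg2|pymysql|sqlite3\.|ORA-\d{5}|syntax error at or near)', re.I),
    "exception class": re.compile(r'\b[A-Za-z0-9_.]*(?:Error|Exception)\b'),
}


def _strings(node):
    """Yields every string value nested anywhere inside a JSON-like structure."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def find_leaks(response: dict) -> list:
    """Returns (kind, evidence) pairs for each leak indicator found in the
    response's "errors" array. An empty list means the error format is clean."""
    findings = []
    for text in _strings(response.get("errors", [])):
        for kind, pattern in LEAK_PATTERNS.items():
            match = pattern.search(text)
            if match:
                findings.append((kind, match.group(0).strip()))
    return findings


if __name__ == "__main__":
    for debug in (True, False):
        response = execute(debug=debug)
        print(json.dumps(response, indent=2))
        print("leaks:", find_leaks(response))
```

The hardened formatter deliberately keeps "path" (the client needs to know which field failed) but drops everything that describes the server rather than the request; the correlation id lets support staff find the full trace in the server logs without the client ever seeing it.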

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_response_format:
    assets_allowed:
    - GRAPHQL
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.