Field suggestion

Description

If introspection is disabled on your target, field suggestion still lets a user infer the entire schema with a tool like Clairvoyance. When a query contains a field name with a typo, the GraphQL server suggests fields close to the one requested, and every suggestion is a real name from the schema. Example:

Error: Cannot query field "createSesion" on type "RootMutation". Did you mean "createSession", "createUser", "createFile", or "createImage"?

Remediation

Disable Field Suggestion in production.
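The two sides of this check, as an added example that is not part of the Escape documentation: a defender-side test that parses a GraphQL error response and reports which schema names a "Did you mean" suggestion leaked, and a formatError-style hook that strips the suggestion suffix before the error reaches the client, for servers that offer no dedicated switch. The code is plain Node.js with no GraphQL library; the error message format is the one graphql-js produces (shown in the description above), and the sample response is constructed for this example.

```javascript
// Added example: detect and strip GraphQL field suggestions in error responses.
// Pure Node.js; the only assumption is the graphql-js message format:
//   ... Did you mean "a", "b", or "c"?   /   ... Did you mean "a" or "b"?   /   ... Did you mean "a"?
const SUGGESTION_RE = / Did you mean (?:"[^"]*"(?:, | or |, or )?)+\?$/;

// Constructed sample: what a server with suggestions enabled returns for a
// typo'd mutation name. The field names are taken from the description above.
const LEAKY_RESPONSE = {
  errors: [
    {
      message:
        'Cannot query field "createSesion" on type "RootMutation". ' +
        'Did you mean "createSession", "createUser", "createFile", or "createImage"?',
      locations: [{ line: 1, column: 12 }],
    },
  ],
};

// Return the schema names carried by a suggestion, or [] if the message has none.
function extractSuggestions(message) {
  const m = message.match(SUGGESTION_RE);
  if (!m) return [];
  return [...m[0].matchAll(/"([^"]*)"/g)].map((x) => x[1]);
}

// Defender-side check: which schema names does this GraphQL JSON response leak
// through field suggestions? An empty array means the server is clean.
function leakedFieldNames(response) {
  const names = new Set();
  for (const err of response.errors ?? []) {
    for (const name of extractSuggestions(err.message ?? '')) names.add(name);
  }
  return [...names];
}

// Remediation: a formatError-style hook. Drop the suggestion suffix and keep
// everything else (locations, path, extensions) so clients still get a usable
// error. Wire it into whatever error-formatting hook your server exposes.
function stripFieldSuggestion(formattedError) {
  return {
    ...formattedError,
    message: formattedError.message.replace(SUGGESTION_RE, ''),
  };
}

// Apply the hook to a whole response body, e.g. in a test harness or a proxy.
function sanitizeResponse(response) {
  return {
    ...response,
    errors: (response.errors ?? []).map(stripFieldSuggestion),
  };
}

// Demo: run with `node field_suggestion.js`
console.log('leaked names:', leakedFieldNames(LEAKY_RESPONSE));
console.log('sanitized   :', sanitizeResponse(LEAKY_RESPONSE).errors[0].message);
```

Run the check against a real target by POSTing a query with a deliberately misspelled field to your own endpoint and feeding the JSON body to leakedFieldNames; a non-empty result means the finding above applies. The stripping hook is a fallback for engines with no configuration flag: where a framework in the list below documents a switch, prefer the switch, since it removes the suggestion at the source rather than at the edge.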

GraphQL Specific

  • Apollo: To address issues with the Apollo framework engine, ensure that you are using the latest stable version. Update your dependencies and check for any deprecated features that may need refactoring. Additionally, review the Apollo documentation for best practices on schema design, query optimization, and error handling to improve the performance and reliability of your GraphQL API.
  • Yoga: To address issues within the Yoga framework engine, ensure that you are using the latest stable version of the framework. Regularly update your dependencies to incorporate security patches and bug fixes. Additionally, follow best practices for error handling and input validation to prevent common vulnerabilities. If you encounter specific problems, consult the Yoga framework documentation or seek support from the community forums.
  • Awsappsync: To ensure the security and performance of your AWS AppSync GraphQL APIs, use parameterized queries to prevent injection attacks and to optimize query execution. Additionally, enable caching for frequently accessed data, monitor and set alarms for unusual patterns or error rates using Amazon CloudWatch, and manage data access by implementing fine-grained access control with AWS Identity and Access Management (IAM) roles and Amazon Cognito for authentication and authorization.
  • Graphqlgo: To mitigate potential security risks in your GraphQL Go framework engine, ensure that all queries are properly validated and sanitized to prevent injection attacks. Use middleware for authentication and authorization to control access to sensitive data. Regularly update dependencies to incorporate security patches. Additionally, consider implementing rate limiting to protect against denial-of-service attacks.
  • Graphqlruby: Ensure that proper input validation is implemented to prevent GraphQL injection attacks. Use the built-in mechanisms for argument validation provided by the GraphQL Ruby framework. Additionally, consider implementing rate limiting and complexity analysis on queries to mitigate potential abuse.
  • Hasura: To ensure secure and efficient data handling with the Hasura framework engine, use parameterized queries to prevent SQL injection attacks. Additionally, regularly update the Hasura engine to the latest version to benefit from security patches and performance improvements. Implement role-based access control to restrict data access and operations according to user roles. Monitor the engine's performance and logs to detect and address any issues promptly. Lastly, consider using environment variables for sensitive information instead of hardcoding it into your application.
  • Agoo: Disable field suggestions in the Agoo framework to prevent schema inference through typo suggestions.
  • Ariadne: Disable field suggestions in the Ariadne framework to prevent schema inference through typo suggestions.
  • Caliban: Disable field suggestions in the Caliban framework to prevent schema inference through typo suggestions.
  • Dgraph: Disable field suggestions in Dgraph to prevent schema inference through typo suggestions.
  • Dianajl: Disable field suggestions in the DianaJL framework engine to prevent schema inference through typo suggestions.
  • Directus: Disable field suggestions in Directus to prevent schema inference through typo suggestions, enhancing security against tools like Clairvoyance.
  • Flutter: Disable debug mode in production to prevent exposure of sensitive information and improve app performance.
  • Graphene: Disable field suggestions in the Graphene framework to prevent schema inference through typo suggestions.
  • Graphqlapiforwp: Disable field suggestions in the GraphQL API for WP framework to prevent schema inference through typo suggestions.
  • Graphqlgophergo: Disable field suggestions in the GraphQLGopherGo framework to prevent schema inference through typo suggestions.
  • Graphqljava: Disable field suggestions in GraphQL Java to prevent schema inference through typo suggestions.
  • Graphqlphp: Disable field suggestions in the GraphQL PHP framework to prevent schema inference through typo suggestions. This can be done by configuring the server not to return suggestions for incorrect field names, thereby reducing the risk of exposing schema details inadvertently.
  • Graphqlyoga: Disable field suggestions in GraphQL Yoga to prevent schema inference through typo suggestions.
  • Hypergraphql: Disable field suggestions in the HyperGraphQL framework to prevent schema inference through typo-based suggestions.
  • Jaal: Disable field suggestions in the Jaal framework to prevent schema inference through typo suggestions.
  • Juniper: To mitigate schema inference risks in the Juniper framework, consider disabling field suggestions by customizing error messages or implementing a middleware that handles typos without revealing similar field names.
  • Lacinia: To enhance security in the Lacinia framework, consider disabling field suggestions to prevent schema inference through typo-based queries.
  • Lighthouse: Disable field suggestions in GraphQL to prevent schema inference through typo suggestions.
  • Mercurius: Disable field suggestions in Mercurius by setting the 'allowBatchedQueries' option to false to prevent schema inference through typo suggestions.
  • Morpheusgraphql: Disable field suggestions in MorpheusGraphQL to prevent schema inference through typo suggestions.
  • Gqlgen: Disable field suggestions in gqlgen to prevent schema inference by setting 'NoFieldSuggestions: true' in your server configuration.
  • Sangria: Disable field suggestions in the Sangria framework to prevent schema inference through typo suggestions.
  • Shopify: Disable field suggestions in the Shopify framework to prevent schema inference through typo suggestions.
  • Stepzen: Disable field suggestions in the StepZen framework to prevent schema inference through typo-based suggestions.
  • Strawberry: Disable field suggestions in the Strawberry framework to prevent schema inference through typo-based suggestions.
  • Tartiflette: Disable field suggestions in the Tartiflette framework to prevent schema inference through typo suggestions.
  • Wpgraphql: Disable field suggestions in WPGraphQL to prevent schema inference through typo suggestions.

Configuration

Identifier: information_disclosure/graphql_field_suggestion

Examples

Ignore this check

checks:
  information_disclosure/graphql_field_suggestion:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.12.6
  • nist: SP800-53
  • fedramp: AC-6

Classification

  • CWE: 200

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References