
Introspection enabled

Description

GraphQL introspection enables you to query a GraphQL server for information about the underlying schema, including types, fields, queries, mutations, and even the field-level descriptions. Left enabled in production, it discloses the full API surface, which helps an attacker design malicious operations.

Remediation

Introspection should primarily be used as a discovery and diagnostic tool during the development phase of building out GraphQL APIs. It is still possible for bad actors to learn how to write malicious queries by reverse engineering your GraphQL API through a lot of trial and error, so disabling introspection is a form of security by obscurity: it raises the cost of reconnaissance rather than removing the underlying exposure.

GraphQL Specific

  • Apollo: Ensure that introspection is only enabled in development environments to prevent potential information leakage about the GraphQL schema. In production, disable introspection to enhance the security posture of the Apollo framework engine.
  • Yoga: Ensure that the Yoga framework engine has introspection queries disabled in production environments to prevent potential information leakage about the schema structure. This can be achieved by setting the `introspection` option to `false` within the Yoga server configuration. Additionally, consider implementing proper authentication and authorization mechanisms to control access to the GraphQL API.
  • Awsappsync: Ensure that AWS AppSync resolvers are not exposing sensitive data or overly permissive operations. Review the schema and resolver mappings to enforce least privilege access, and use AWS Identity and Access Management (IAM) roles and policies to control access to AWS resources. Regularly audit your GraphQL queries and mutations for security risks and apply appropriate authorization checks.
  • Graphqlgo: Ensure that the GraphQL Go framework engine has introspection queries disabled in production environments to prevent potential information leakage about the schema. Configure the server to conditionally enable introspection only for authorized development or staging environments.
  • Graphqlruby: Disable introspection queries in production by setting the `introspection` configuration to `false` within the GraphQL schema definition. This helps prevent potential attackers from discovering the API's structure and available queries.
  • Hasura: To mitigate security risks in the Hasura framework, ensure that introspection is disabled for production environments. Introspection allows clients to query the schema of your GraphQL API, which can expose the structure and available operations to potential attackers. Disable introspection by setting the `HASURA_GRAPHQL_ENABLE_INTROSPECTION` environment variable to `false` in your production environment configuration. Additionally, consider implementing proper authentication and authorization mechanisms to control access to your GraphQL API.
  • Agoo: Disable GraphQL introspection in the Agoo framework engine to prevent exposure of sensitive schema information to unauthorized users.
  • Ariadne: Disable introspection in production by setting the `introspection` option to `False` in the Ariadne GraphQL server configuration to prevent exposure of sensitive schema information.
  • Caliban: Disable introspection in production environments to prevent exposure of sensitive schema information.
  • Dgraph: Disable introspection queries in production environments to prevent exposure of sensitive schema information.
  • Dianajl: Disable GraphQL introspection in production environments to prevent exposure of sensitive schema information.
  • Directus: Disable GraphQL introspection in production environments to prevent unauthorized access to schema details and reduce the risk of exposing sensitive information.
  • Flutter: Disable debug mode in Flutter applications before production release to prevent exposure of sensitive information and ensure optimized performance.
  • Graphene: Disable introspection queries in production by setting the `introspection` option to `False` in the Graphene framework configuration to prevent exposure of sensitive schema information.
  • Graphqlapiforwp: Disable GraphQL introspection in production environments to prevent exposure of sensitive schema information.
  • Graphqlgophergo: Disable GraphQL introspection in production environments to prevent exposure of sensitive schema information.
  • Graphqljava: Disable introspection queries in production environments to prevent exposure of sensitive schema information.
  • Graphqlphp: Disable introspection queries in production by setting the `introspection` option to `false` in the GraphQLPHP server configuration to prevent exposure of sensitive schema information.
  • Graphqlyoga: Disable introspection in production environments to prevent exposure of sensitive schema information.
  • Hypergraphql: Disable introspection queries in production environments to prevent exposure of sensitive schema information.
  • Jaal: Disable GraphQL introspection in production environments to prevent exposure of sensitive schema information.
  • Juniper: Disable GraphQL introspection in production environments to prevent unauthorized access to schema details and reduce the risk of exposing sensitive information.
  • Lacinia: Disable introspection in the Lacinia framework to prevent exposure of sensitive schema information to unauthorized users.
  • Lighthouse: Disable GraphQL introspection in production environments to prevent exposure of sensitive schema information.
  • Mercurius: Disable introspection in production by setting the `graphiql` option to `false` in the Mercurius configuration to prevent schema exposure.
  • Morpheusgraphql: Disable introspection queries in the Morpheus GraphQL framework engine to prevent unauthorized access to schema details and reduce the risk of exposing sensitive information.
  • Gqlgen: Disable introspection queries in production by setting the `DisableIntrospection` option to `true` in the gqlgen configuration to prevent exposure of sensitive schema information.
  • Sangria: Disable introspection queries in the Sangria framework by setting the `introspection` option to `false` in the server configuration to prevent exposure of sensitive schema information.
  • Shopify: Disable GraphQL introspection in production environments to prevent unauthorized access to schema details and reduce the risk of exposing sensitive information.
  • Stepzen: Disable introspection in production environments to prevent exposure of sensitive schema information.
  • Strawberry: Disable introspection in production environments to prevent exposure of sensitive schema information.
  • Tartiflette: Disable introspection in the Tartiflette engine by setting the `enable_introspection` option to `False` in your configuration to prevent exposure of sensitive schema information.
  • Wpgraphql: Disable introspection queries in production environments to prevent exposure of sensitive schema information.
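The remediation above is the same for every engine: introspection may run in development and must be rejected elsewhere. The following is an added example, not code from this page or from any of the frameworks listed. It is framework-agnostic: it tokenizes the raw query text without a GraphQL library, reports whether the operation selects the introspection root fields `__schema` or `__type`, and gates execution on an assumed environment label (`"development"`). `__typename` is deliberately not treated as introspection, because ordinary clients send it on every query. The same detector is reused over a few constructed JSON access-log lines so a defender can spot introspection attempts after the fact; the log format, function names, and sample queries are all assumptions made for this example.

```python
"""Framework-agnostic GraphQL introspection guard (added example)."""
import json
import re

# Root fields that expose the schema.  `__typename` is intentionally
# absent: it is used by normal clients and reveals nothing new.
INTROSPECTION_FIELDS = {"__schema", "__type"}

# Tokenizer pieces.  String literals are removed before comments so a
# '#' inside a string is not mistaken for a comment; a Name token is
# never taken from inside a variable reference such as `$__schema`.
_BLOCK_STRING = re.compile(r'"""(?:\\"""|[^"]|"(?!""))*"""', re.S)
_STRING = re.compile(r'"(?:\\.|[^"\\\r\n])*"')
_COMMENT = re.compile(r"#[^\r\n]*")
_NAME = re.compile(r"(?<![\w$])[_A-Za-z][_0-9A-Za-z]*")


def _strip_literals(query: str) -> str:
    """Blank out strings and comments so their contents cannot match."""
    query = _BLOCK_STRING.sub('""', query)
    query = _STRING.sub('""', query)
    return _COMMENT.sub("", query)


def introspection_fields(query: str) -> set:
    """Return the introspection root fields that `query` selects.

    Aliases (`s: __schema`) still contain the field name as a token, so
    they are caught; `__schema` inside a string argument or a comment
    is not, because those literals were blanked out first.
    """
    names = _NAME.findall(_strip_literals(query))
    return {name for name in names if name in INTROSPECTION_FIELDS}


def check_operation(query: str, environment: str) -> tuple:
    """Decide whether to execute `query` before it reaches the engine.

    Introspection is allowed only when `environment` is "development"
    (assumed label).  Elsewhere the operation is refused with a generic
    message that does not leak anything about the schema.
    """
    if not introspection_fields(query):
        return True, "ok"
    if environment == "development":
        return True, "introspection allowed in development"
    return False, "GraphQL introspection is not allowed"


# Constructed sample operations covering the edge cases above.
SAMPLE_QUERIES = {
    "full_introspection": "query IntrospectionQuery { __schema { queryType { name } types { name } } }",
    "aliased": "{ s: __schema { types { name } } }",
    "type_lookup": '{ __type(name: "User") { fields { name } } }',
    "typename_only": "{ viewer { id __typename } }",
    "string_decoy": '{ search(term: "__schema") { id } }  # __type in a comment',
}

# Constructed JSON-lines access log (assumed format: ts, src, query).
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","src":"10.0.0.5","query":"{ viewer { id __typename } }"}
{"ts":"2024-01-01T10:00:01Z","src":"203.0.113.7","query":"query IntrospectionQuery { __schema { types { name } } }"}
{"ts":"2024-01-01T10:00:02Z","src":"203.0.113.7","query":"{ __type(name: \\"User\\") { fields { name } } }"}
"""


def introspection_attempts(log_text: str) -> list:
    """Return (src, field) pairs for log entries whose query is introspection."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        for field in sorted(introspection_fields(entry.get("query", ""))):
            hits.append((entry["src"], field))
    return hits


if __name__ == "__main__":
    for label, q in SAMPLE_QUERIES.items():
        for env in ("development", "production"):
            allowed, reason = check_operation(q, env)
            print(f"{label:18} {env:12} allowed={allowed!s:5} {reason}")
    for src, field in introspection_attempts(SAMPLE_LOG):
        print(f"introspection attempt from {src}: {field}")
```

Running the block lists each sample operation under both environments and then the two log entries from `203.0.113.7` that requested `__schema` and `__type`; the `string_decoy` and `typename_only` operations are allowed in production because the literal and the comment are blanked out before name tokens are collected.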

Configuration

Identifier: information_disclosure/introspection_enabled

Examples

Ignore this check

```yaml
checks:
  information_disclosure/introspection_enabled:
    skip: true
```

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC6
  • psd2: Article-95
  • iso27001: A.12.6
  • nist: SP800-95
  • fedramp: SC-7

Classification

  • CWE: 215

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C
  • CVSS_SCORE: 4.9

References