Security Test: Introspection enabled¶

Description¶

Default Severity:

Enabling introspection in a GraphQL API means that anyone can ask the server for detailed information about its structure, which can give attackers a clear picture of potential weak spots. This can lead to risks like exposing hidden fields, types, and operations that may not be documented or intended for public use. If developers forget to disable introspection in production, it can make the system easier to exploit, potentially allowing attackers to craft queries that reveal or manipulate sensitive data.

Reference:

https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/

Configuration¶

Identifier: information_disclosure/introspection_enabled

Examples¶

All configuration available:

checks:
  information_disclosure/introspection_enabled:
    skip: false # default

Compliance and Standards¶

Standard	Value
OWASP API Top 10	API7:2023
OWASP LLM Top 10	LLM06:2023
PCI DSS	`6.5.10`
GDPR	`Article-32`
SOC2	`CC6`
PSD2	`Article-95`
ISO 27001	`A.12.6`
NIST	`SP800-95`
FedRAMP	`SC-7`
CWE	`215`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C`
CVSS Score	`4.9`