Information Disclosure: Introspection enabled

Identifier: introspection_enabled

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Enabling introspection in a GraphQL API lets any client ask the server for a detailed description of its own schema, which gives an attacker a clear map of potential weak spots. This can expose hidden fields, types and operations that are undocumented or not intended for public use. If developers forget to disable introspection in production, the system becomes easier to exploit, because the exposed schema helps an attacker craft queries that reveal or manipulate sensitive data.
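The check described above boils down to two sides of one exchange: the scanner sends a minimal introspection query and classifies the answer, and a hardened server refuses that query before it reaches a resolver. The following Node.js snippet is an added example written for this page; it is not code from the scanner or its documentation. It simulates both sides in-process with constructed responses (no network), and the request-side guard is a deliberately simple stand-in for what graphql-js provides as the `NoSchemaIntrospectionCustomRule` validation rule and Apollo Server exposes as the `introspection: false` option.

```javascript
// Added example (not the scanner's code). Node.js, no external dependencies.

// The probe the check sends: a minimal introspection query that asks only for
// type names, which is enough to tell whether introspection is answered at all.
const INTROSPECTION_PROBE = JSON.stringify({
  query: "query IntrospectionProbe { __schema { types { name } } }",
});

// Scanner side: classify a GraphQL HTTP response body as "enabled",
// "disabled" or "unknown" (unparseable body or an ambiguous answer).
function classifyIntrospectionResponse(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return "unknown";
  }
  if (parsed && parsed.data && parsed.data.__schema &&
      Array.isArray(parsed.data.__schema.types)) {
    return "enabled"; // the server described its own schema
  }
  const noData = !parsed || parsed.data === undefined || parsed.data === null;
  if (noData && parsed && Array.isArray(parsed.errors) && parsed.errors.length > 0) {
    return "disabled"; // rejected with a GraphQL error and no data
  }
  return "unknown";
}

// Strip GraphQL string literals (including block strings) and # comments so
// the field scan below does not trip on argument values or comment text.
function stripStringsAndComments(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""')
    .replace(/#[^\n]*/g, "");
}

// Server-side guard: true when the document selects __schema or __type.
// __typename is allowed because it does not reveal schema structure.
function selectsSchemaIntrospection(query) {
  return /\b__(schema|type)\b/.test(stripStringsAndComments(query));
}

// Simulated server: the weak setting (introspectionAllowed = true) answers the
// probe with a constructed schema; the hardened setting rejects it with a
// GraphQL error and no "data" member.
function handleProbe(requestBody, introspectionAllowed) {
  const { query } = JSON.parse(requestBody);
  if (!introspectionAllowed && selectsSchemaIntrospection(query)) {
    return JSON.stringify({
      errors: [{ message: "GraphQL introspection is not allowed in this environment." }],
    });
  }
  // Constructed stand-in for what a real resolver would return.
  return JSON.stringify({
    data: { __schema: { types: [{ name: "Query" }, { name: "User" }] } },
  });
}

// Stand-alone demo of both configurations against the same probe.
console.log("weak server    :", classifyIntrospectionResponse(handleProbe(INTROSPECTION_PROBE, true)));
console.log("hardened server:", classifyIntrospectionResponse(handleProbe(INTROSPECTION_PROBE, false)));
```

The guard is applied to the parsed request before execution, so a disabled server never reaches a resolver for `__schema` or `__type`; the classifier treats only a response carrying `data.__schema` as a positive finding, and a body with errors and no data as disabled, leaving anything else as unknown rather than guessing.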

References:

Configuration

Example

Example configuration:

---
security_tests:
  introspection_enabled:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type: List[AssetType]*

List of assets that this check will cover.

skip

Type: boolean

Skip the test if true.