Skip to content

Schema: Undefined objects

Identifier: undefined_object

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner

Description

When you use generic built-in objects in your GraphQL schema without defining custom rules or structure, you're essentially leaving a back door open where unexpected data can slip in unchecked. This lack of structure means there's no set pattern for what data should look like, making it easier for attackers to introduce harmful or malformed inputs. The risk is that these undefined objects can lead to security breaches or errors that compromise the entire application if not properly validated. It's a common pitfall when developers assume built-in types are secure by default, instead of taking extra steps to enforce strict data definitions.

Configuration

Example

Example configuration:

---
security_tests:
  undefined_object:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.