
Information Disclosure: GraphQL Field Suggestion

Identifier: graphql_field_suggestion

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner, ASM Scanner

Description

When a query contains a typo in a field name, GraphQL error messages may suggest valid field names from the backend schema. Each suggestion reveals part of the schema structure and helps an attacker map the API without introspection.

How we test: We send GraphQL queries with intentional typos in field names and analyze error messages to detect if the server suggests valid field names. We check if error messages leak schema information that could help attackers map the API structure.
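The check described above, as an added example rather than the scanner's own code: it builds a probe query with a misspelled field, then parses a constructed GraphQL error response and extracts any field names the server suggested. The "Cannot query field ... Did you mean ..." wording is the graphql-js format and is an assumption; other engines phrase the hint differently.

```python
import json
import re

# Constructed sample responses (not captured from any real API).
# LEAKY_RESPONSE mimics a graphql-js server that suggests valid fields;
# HARDENED_RESPONSE mimics the same error with suggestions disabled.
LEAKY_RESPONSE = json.dumps({"errors": [{
    "message": 'Cannot query field "usernam" on type "User". '
               'Did you mean "username" or "userName"?',
    "locations": [{"line": 1, "column": 9}],
}]})
HARDENED_RESPONSE = json.dumps({"errors": [{
    "message": 'Cannot query field "usernam" on type "User".',
    "locations": [{"line": 1, "column": 9}],
}]})


def probe_query(parent: str, field: str) -> str:
    """Build a query whose field name is deliberately misspelled (last char dropped)."""
    return "{ %s { %s } }" % (parent, field[:-1])


def extract_suggestions(message: str) -> list:
    """Return the field names suggested in an error message, or [] if none."""
    idx = message.find("Did you mean")
    if idx == -1:
        return []
    # Every quoted token after the marker is a suggested name, e.g.
    # 'Did you mean "a", "b", or "c"?' -> ["a", "b", "c"]
    return re.findall(r'"([^"]+)"', message[idx:])


def find_leaked_fields(response_body: str) -> dict:
    """Map each misspelled field to the valid names the server suggested for it."""
    leaks = {}
    try:
        payload = json.loads(response_body)
    except json.JSONDecodeError:
        return leaks  # not a GraphQL JSON response; nothing to inspect
    for err in payload.get("errors", []):
        message = err.get("message", "")
        typo = re.search(r'Cannot query field "([^"]+)"', message)
        suggested = extract_suggestions(message)
        if suggested:
            key = typo.group(1) if typo else "<unknown>"
            leaks.setdefault(key, []).extend(suggested)
    return leaks


if __name__ == "__main__":
    print(probe_query("viewer", "username"))      # { viewer { usernam } }
    print(find_leaked_fields(LEAKY_RESPONSE))     # {'usernam': ['username', 'userName']}
    print(find_leaked_fields(HARDENED_RESPONSE))  # {}
```

A non-empty result from find_leaked_fields means the endpoint leaks schema names through error hints; an empty one on the same probe indicates suggestions are suppressed.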

References:

Configuration

Example

Example configuration:

---
security_tests:
  graphql_field_suggestion:
    skip: false

Reference

skip

Type : boolean

Skip the test if true.