
Information Disclosure: Introspection enabled

Identifier: introspection_enabled

Scanner(s) Support

GraphQL Scanner
REST Scanner
WebApp Scanner
ASM Scanner

Description

GraphQL introspection allows any client to query the API for its own schema, returning detailed information about the available types, fields, and operations. Left enabled in production, it can expose hidden or undocumented functionality and enlarge the attack surface.

How we test: We attempt to execute GraphQL introspection queries to retrieve the complete API schema. If introspection is enabled, we can discover all available queries, mutations, types, and fields, which may reveal sensitive operations or undocumented functionality.
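To make the test concrete, here is an added self-check written for this page (it is not the scanner's own code). It builds a minimal introspection probe, classifies a server's JSON reply as "enabled", "disabled" or "inconclusive", and includes a server-side filter that flags introspection operations so a team can refuse or log them in production. The function names, the probe query and the sample replies are constructed for the example; the refusal message mimics the wording common GraphQL servers use when introspection is turned off.

```python
"""Self-check for GraphQL introspection exposure (added example, not the scanner's code)."""
import json
import re
import urllib.request

# A minimal introspection query: enough to prove the schema is readable
# without pulling the whole schema.
INTROSPECTION_QUERY = """
query IntrospectionProbe {
  __schema {
    queryType { name }
    mutationType { name }
    types { name }
  }
}
"""


def build_probe() -> dict:
    """Return the JSON body a scanner would POST to a GraphQL endpoint."""
    return {"query": INTROSPECTION_QUERY, "operationName": "IntrospectionProbe"}


def classify_response(body: dict) -> str:
    """Classify a parsed GraphQL JSON reply to the probe.

    'enabled'      -> __schema data came back, so the schema is readable.
    'disabled'     -> the server answered with an error that refuses
                      introspection or rejects the __schema field.
    'inconclusive' -> anything else (transport problems, unrelated errors).
    """
    data = body.get("data") or {}          # "data": null is common on errors
    schema = data.get("__schema")
    if isinstance(schema, dict) and schema.get("types"):
        return "enabled"
    for err in body.get("errors") or []:
        msg = str(err.get("message", "")).lower()
        if "introspection" in msg or "__schema" in msg:
            return "disabled"
    return "inconclusive"


def send_probe(url: str, timeout: float = 10.0) -> dict:
    """POST the probe to a GraphQL endpoint you operate and return the parsed reply.

    Network helper; not exercised offline.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(build_probe()).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


# Server-side counterpart: flag operations that touch the introspection
# fields so they can be refused or logged. __typename is deliberately
# allowed because ordinary clients rely on it.
_INTROSPECTION_FIELD = re.compile(r"\b__(schema|type)\b")


def is_introspection_query(query: str) -> bool:
    """True if the operation text selects __schema or __type."""
    return bool(_INTROSPECTION_FIELD.search(query))


# Constructed sample replies (not captured from a real server).
ENABLED_REPLY = {
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "mutationType": None,
            "types": [{"name": "Query"}, {"name": "String"}],
        }
    }
}
DISABLED_REPLY = {
    "data": None,
    "errors": [{"message": "GraphQL introspection is not allowed, but the query "
                           "contained __schema or __type."}],
}

if __name__ == "__main__":
    for name, reply in (("enabled", ENABLED_REPLY), ("disabled", DISABLED_REPLY)):
        print(name, "->", classify_response(reply))
```

Run the classification against a reply captured from your own endpoint with `classify_response(send_probe("https://<your-host>/graphql"))`; an "enabled" verdict in production is the finding this page describes. The regex filter is a coarse, engine-independent guard for logging or blocking; where the server framework offers a dedicated switch (for example a validation rule that rejects schema introspection), prefer that over pattern matching.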

References:

Configuration

Example

Example configuration:

---
security_tests:
  introspection_enabled:
    skip: false

Reference

skip

Type: boolean

Skip the test if true.