Field suggestion
Description
If introspection is disabled on your target, Field Suggestion still allow users infer the entire schema, with a tool like Clairvoyance. If you query a field with a typo, GraphQL will attempt to suggest fields close to what was requested. Example: Error: Cannot query field "createSesion" on type "RootMutation". Did you mean "createSession", "createUser", "createFile", or "createImage"?
Remediation
Disable Field Suggestion in production.
GraphQL Specific
Apollo
To address issues with the Apollo framework engine, ensure that you are using the latest stable version. Update your dependencies and check for any deprecated features that may need refactoring. Additionally, review the Apollo documentation for best practices on schema design, query optimization, and error handling to improve the performance and reliability of your GraphQL API.
Yoga
To address issues within the Yoga framework engine, ensure that you are using the latest stable version of the framework. Regularly update your dependencies to incorporate security patches and bug fixes. Additionally, follow best practices for error handling and input validation to prevent common vulnerabilities. If you encounter specific problems, consult the Yoga framework documentation or seek support from the community forums.
Awsappsync
To ensure the security and performance of your AWS AppSync GraphQL APIs, it is recommended to use parameterized queries to prevent injection attacks and to optimize query execution. Additionally, enable caching for frequently accessed data, monitor and set alarms for unusual patterns or error rates using Amazon CloudWatch, and manage data access by implementing fine-grained access control with AWS Identity and Access Management (IAM) roles and Amazon Cognito for authentication and authorization purposes.
Graphqlgo
To mitigate potential security risks in your GraphQL Go framework engine, ensure that all queries are properly validated and sanitized to prevent injection attacks. Use middleware for authentication and authorization to control access to sensitive data. Regularly update dependencies to incorporate security patches. Additionally, consider implementing rate limiting to protect against denial-of-service attacks.
Graphqlruby
Ensure that proper input validation is implemented to prevent GraphQL injection attacks. Use the built-in mechanisms for argument validation provided by the GraphQL Ruby framework. Additionally, consider implementing rate limiting and complexity analysis on queries to mitigate potential abuse.
Hasura
To ensure secure and efficient data handling with the Hasura framework engine, it is recommended to use parameterized queries to prevent SQL injection attacks. Additionally, regularly update the Hasura engine to the latest version to benefit from security patches and performance improvements. Implement role-based access control to restrict data access and operations according to user roles. Monitor the engine's performance and logs to detect and address any issues promptly. Lastly, consider using environment variables for sensitive information instead of hardcoding them into your application.
Configuration
Identifier:
information_disclosure/graphql_field_suggestion
Examples
Ignore this check
checks:
information_disclosure/graphql_field_suggestion:
skip: true
Score
- Escape Severity: MEDIUM
Compliance
- OWASP: API7:2023
- pci: 6.5.10
- gdpr: Article-32
- soc2: CC6
- psd2: Article-95
- iso27001: A.12.6
- nist: SP800-53
- fedramp: AC-6
Classification
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1