Typing misconfiguration
Description
Look for typing misconfigurations by checking whether a mutation call that passes an argument of the wrong type still succeeds instead of being rejected at validation.
Remediation
Do not resolve queries or mutations whose arguments have the wrong type: validate argument types against the schema and return a validation error before any resolver runs.
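The check and the remediation, as an added example that is not part of this page and not Escape's, Apollo's or AppSync's code. It is a self-contained Python stand-in for a GraphQL server's argument validation: MUTATION_ARGS, createUser and its argument names are constructed for the example, the error messages are only modelled on the Apollo shape shown below, and typing_misconfiguration_detected is an assumed helper that runs the page's own check (send one wrongly typed argument, see whether it resolves) against any executor function.

```python
import json
from typing import Any, Callable

# Constructed example: the argument types one mutation declares, in GraphQL
# SDL type-reference syntax. A real server would read these from its schema.
MUTATION_ARGS = {
    "createUser": {
        "name": "String!",   # required
        "age": "Int",
        "active": "Boolean",
        "tags": "[String]",
    },
}


def _scalar_ok(value: Any, scalar: str) -> bool:
    """Input-coercion rules for the built-in scalars. bool is excluded from
    Int/Float because Python's bool is an int subclass; JSON keeps them apart."""
    is_bool = isinstance(value, bool)
    if scalar == "Int":
        return isinstance(value, int) and not is_bool and -2**31 <= value < 2**31
    if scalar == "Float":
        return isinstance(value, (int, float)) and not is_bool
    if scalar == "String":
        return isinstance(value, str)
    if scalar == "Boolean":
        return is_bool
    if scalar == "ID":
        return isinstance(value, str) or (isinstance(value, int) and not is_bool)
    return False  # unknown scalar: fail closed rather than resolve


def _type_ok(value: Any, type_ref: str) -> bool:
    """Check a value against a type reference such as Int, String! or [String]."""
    non_null = type_ref.endswith("!")
    base = type_ref[:-1] if non_null else type_ref
    if value is None:
        return not non_null
    if base.startswith("[") and base.endswith("]"):
        # GraphQL coerces a lone value into a one-element list
        items = value if isinstance(value, list) else [value]
        return all(_type_ok(item, base[1:-1]) for item in items)
    return _scalar_ok(value, base)


def _error(message: str) -> dict:
    # Error shape modelled on the Apollo response quoted on this page
    return {"message": message, "extensions": {"code": "GRAPHQL_VALIDATION_FAILED"}}


def validate_arguments(mutation: str, variables: dict) -> list:
    """Return validation errors; an empty list means the call is well typed."""
    declared = MUTATION_ARGS.get(mutation)
    if declared is None:
        return [_error(f'Unknown mutation "{mutation}"')]
    errors = []
    for name, type_ref in declared.items():
        value = variables.get(name)
        if not _type_ok(value, type_ref):
            errors.append(_error(
                f'Argument "{name}" of type {type_ref} cannot represent value: {json.dumps(value)}'))
    for name in variables:
        if name not in declared:
            errors.append(_error(f'Unknown argument "{name}" on mutation "{mutation}"'))
    return errors


def execute_mutation(mutation: str, variables: dict) -> dict:
    """Validate first and resolve only a well-typed call, so a wrong argument
    type never reaches the resolver (the remediation described above)."""
    errors = validate_arguments(mutation, variables)
    if errors:
        return {"data": None, "errors": errors}
    # Stand-in for a real resolver: echo the arguments back with a constructed id
    return {"data": {mutation: {"id": "user-1", **variables}}}


def typing_misconfiguration_detected(execute: Callable[[str, dict], dict]) -> bool:
    """The check this page describes, run against an executor: send one mutation
    whose argument has the wrong type and report whether it resolved anyway."""
    response = execute("createUser", {"name": 123})  # name is declared String!
    return response.get("data") is not None and not response.get("errors")


if __name__ == "__main__":
    print(json.dumps(execute_mutation("createUser", {"name": 123}), indent=2))
    print("misconfigured:", typing_misconfiguration_detected(execute_mutation))
```

Running the check against execute_mutation reports no misconfiguration because validation rejects the wrongly typed name before the resolver runs; running it against an executor that resolves whatever it is given reports one. The same probe is what a scanner sends, so keeping it as a unit test on your own API catches a regression in argument validation before a scan does.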
GraphQL Specific
Apollo
Apollo doesn't allow arguments of the wrong type by default.
Example:
{
  "errors": [
    {
      "message": "String cannot represent a non string value: 123",
      "extensions": {
        "code": "GRAPHQL_VALIDATION_FAILED"
      }
    }
  ]
}
This error should appear if you are using Apollo.
AWS AppSync
AWS AppSync doesn't allow arguments of the wrong type by default.
Example:
{
  "data": null,
  "errors": [
    {
      "path": null,
      "locations": [
        {
          "line": 1,
          "column": 18,
          "sourceName": null
        }
      ],
      "message": "Validation error of type WrongType: argument 'a' with value 'StringValue{value='4'}' is not a valid 'Int' @ 'testType'"
    }
  ]
}
Configuration
Identifier:
schema/typing_misconfiguration
Options
- skip_objects : List of objects that are to be skipped by the security test.
Examples
Ignore this check
{
  "checks": {
    "schema/typing_misconfiguration": {
      "skip": true
    }
  }
}
Score
- Escape Severity: MEDIUM
- OWASP: API10:2023
- PCI DSS: 6.5.8
- CWE
- 20
- 351
- 1068
- 1287
- WASC: WASC-40
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/RL:O/RC:C
- CVSS_SCORE: 0.0