Description

Your web application is running with GraphQL Introspection Query enabled in a production environment.

GraphQL introspection is part of the GraphQL specification: any client can query the reserved __schema and __type meta-fields to retrieve the server's complete schema, including every type, field, argument, enum value, directive and deprecation notice. Tools such as GraphiQL use it to generate documentation, code generators use it to build typed clients, and developers use it to explore an API's structure interactively.

Introspection lets developers discover the available queries, mutations and data types without reading the server code, which is convenient during development. In production, however, the same response hands an attacker a complete map of the attack surface: every mutation, including ones intended only for internal or administrative tooling; every argument name and type to aim injection payloads at; deprecated fields that may still be served with older authorization checks; and the shape of nested relations that can be abused for expensive or recursive queries. Exposing the schema does not by itself break access control, but it removes the guesswork from targeting any other weakness the API has. Disabling or restricting introspection in production is therefore a low-cost hardening step. It is not a substitute for authorization on every resolver, since a determined attacker can still reconstruct much of the schema from field-name suggestions in error messages, client-side bundles, or public documentation.
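As an added example (not part of this page, and not any vendor's tool), the Python script below sends the standard introspection query and reduces the response to the map an attacker would build from it: root operation types, every query and mutation with its argument types, deprecated fields, and user-defined types. The endpoint URL and headers passed to introspect() are placeholders supplied by the caller; the embedded responses are constructed samples, not captured from a real server.

```python
"""Probe a GraphQL endpoint for introspection and summarize what it reveals."""
import json
import urllib.request

# A compact form of the introspection query that tools such as GraphiQL send.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name } mutationType { name }
    types { kind name fields(includeDeprecated: true) {
      name isDeprecated args { name type { ...Ref } } type { ...Ref } } }
  }
}
fragment Ref on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


def introspect(url: str, headers: dict = None, timeout: int = 10) -> dict:
    """POST the query to a caller-supplied URL (placeholder; real network I/O,
    so it is not exercised offline) and return the decoded JSON body."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json", **(headers or {})},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def type_name(t: dict) -> str:
    """Render a wrapped type reference the way SDL does, e.g. [User!]!"""
    if not t:
        return "?"
    if t.get("kind") == "NON_NULL":
        return type_name(t.get("ofType")) + "!"
    if t.get("kind") == "LIST":
        return "[" + type_name(t.get("ofType")) + "]"
    return t.get("name") or "?"


def summarize(response: dict) -> dict:
    """Reduce an introspection response to what an attacker cares about."""
    schema = (response.get("data") or {}).get("__schema")
    if not schema:  # hardened servers answer with an error and no data
        return {"introspection_enabled": False,
                "errors": [e.get("message") for e in response.get("errors", [])]}
    by_name = {t["name"]: t for t in schema["types"]}

    def operations(root: dict) -> list:
        fields = by_name.get((root or {}).get("name"), {}).get("fields") or []
        return [
            "%s(%s): %s" % (
                f["name"],
                ", ".join(a["name"] + ": " + type_name(a["type"]) for a in f["args"]),
                type_name(f["type"]),
            )
            for f in fields
        ]

    deprecated = [  # legacy paths often keep weaker checks than current ones
        "%s.%s" % (t["name"], f["name"])
        for t in schema["types"] for f in (t.get("fields") or [])
        if f.get("isDeprecated")
    ]
    return {
        "introspection_enabled": True,
        "queries": operations(schema.get("queryType")),
        "mutations": operations(schema.get("mutationType")),
        "deprecated_fields": deprecated,
        "user_types": sorted(n for n in by_name if not n.startswith("__")),
    }


# Constructed sample responses (not captured from any real server).
ID_NN = {"kind": "NON_NULL", "name": None,
         "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}
USER = {"kind": "OBJECT", "name": "User", "ofType": None}
BOOL = {"kind": "SCALAR", "name": "Boolean", "ofType": None}
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "isDeprecated": False, "args": [], "type": USER},
            {"name": "user", "isDeprecated": False,
             "args": [{"name": "id", "type": ID_NN}], "type": USER}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "resetPassword", "isDeprecated": False,
             "args": [{"name": "userId", "type": ID_NN}], "type": BOOL},
            {"name": "adminSetRole", "isDeprecated": True, "args": [],
             "type": BOOL}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "isDeprecated": False, "args": [], "type": ID_NN}]},
        {"kind": "SCALAR", "name": "ID", "fields": None},
        {"kind": "SCALAR", "name": "Boolean", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}
```

Running summarize(introspect("https://example.invalid/graphql")) against a live endpoint is the check to repeat after remediation: a hardened server yields introspection_enabled False, while an exposed one lists every operation, including the deprecated adminSetRole mutation that a client bundle would never mention.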

Remediation

Disable Introspection Query: Turn introspection off in production and keep it enabled only in development or staging environments where access is limited to authorized personnel. Most servers expose this as a configuration setting (for example, Apollo Server's introspection option, or the NoSchemaIntrospectionCustomRule validation rule shipped with graphql-js and graphql-core); prefer the server's own setting over a pattern filter placed in front of it. If internal tooling genuinely needs the schema in production, restrict introspection to authenticated, allowlisted callers instead of exposing it to everyone. Disable field-name suggestions ("Did you mean ...?") in error responses as well, since they leak schema details even with introspection off. Verify the fix by sending an introspection query to the production endpoint: a hardened server returns an error and no data for the __schema field.
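As an added example (not the page's own code and not part of any GraphQL framework), the Python pre-execution gate below refuses documents that select the __schema or __type meta-fields unless the deployment environment permits them. It is framework-agnostic and intended as a defense-in-depth stopgap while the server's native setting is applied; it strips strings and comments first so a literal containing "__schema" does not cause a false positive, and it catches aliased and fragment-wrapped selections. The APP_ENV variable name and the set of environments treated as non-production are assumptions.

```python
"""Environment-aware gate that refuses schema introspection before execution."""
import os
import re
from typing import Optional

# Meta-fields that only appear in introspection selections. __typename is
# deliberately left alone: clients use it routinely and it reveals no schema.
INTROSPECTION_FIELDS = re.compile(r"\b__(schema|type)\b")
# Block strings, quoted strings and comments are blanked first so a literal
# such as search(q: "__schema") cannot trigger a false positive.
STRINGS_AND_COMMENTS = re.compile(
    r'"""(?:[^"]|"(?!""))*"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
# Assumed: environments that may use introspection; anything else is treated
# as production and gets the hardened default.
NON_PRODUCTION = {"development", "dev", "staging", "test"}


def uses_introspection(query: str) -> bool:
    """True if the document selects __schema or __type anywhere, including
    behind an alias (s: __schema) or inside a fragment."""
    tokens_only = STRINGS_AND_COMMENTS.sub(" ", query)
    return INTROSPECTION_FIELDS.search(tokens_only) is not None


def gate(query: str, env: Optional[str] = None) -> Optional[dict]:
    """Return a GraphQL-style error body when the request must be refused,
    or None when it may proceed to normal validation and execution.
    APP_ENV is an assumed variable name; adapt it to the deployment."""
    if env is None:
        env = os.environ.get("APP_ENV", "production")
    if uses_introspection(query) and env.lower() not in NON_PRODUCTION:
        return {"errors": [{"message":
                "GraphQL introspection is not allowed in this environment"}]}
    return None
```

Call gate(request_body["query"]) before handing the document to the executor and return the error body with HTTP 200, matching what a native introspection-disabled server does; returning a distinctive status code would itself tell a scanner which requests touched the filter.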

References

Related Vulnerabilities