This vulnerability exposes information about all the APIs available on a GraphQL API server. This information can be used to discover weaknesses in the API that can be exploited.
GraphQL introspection is a feature that allows client applications to query the schema of a GraphQL API at runtime. It provides a way for developers to explore and understand the available data and operations supported by the API.
This feature is a diagnostic tool that should only be used in the development phase as its presence also creates risks.
Clear documentation and API references should be considered better discoverability tools for a public GraphQL API.
An attacker can use introspection to identify all of the operations and data types supported by the server. This information can then be used to identify potential targets for attacks.
Even when a GraphQL API server is open to access by third-party applications, it may contain APIs that are intended only for private use. Introspection allows these private APIs to be discovered.
Private APIs often do not receive the same level of security rigor as public APIs. For example, they may skip input validation because the API is only expected to be called from trusted applications. This can create avenues for attack that are not present on public APIs.
GraphQL allows for multiple related objects to be retrieved using a single API call. This provides an efficient method of obtaining data for use in a client application.
An attacker may be able to use these relationships between objects to traverse the data structure. They may be able to find a link to sensitive data that the developer did not intentionally make available.
from graphql_server.flask import GraphQLView
app.add_url_rule("/api",
view_func=GraphQLView.as_view( # Noncompliant
name="api",
schema=schema,
)
)
Make sure that introspection is disabled in production environments. You can use the following code sample as a reference, in conjunction with your own methods for distinguishing between production and non-production environments.
from graphql_server.flask import GraphQLView
# Only one of the following needs to be used
from graphql.validation import NoSchemaIntrospectionCustomRule # graphql-core v3
from graphene.validation import DisableIntrospection # graphene v3
app.add_url_rule("/api",
view_func=GraphQLView.as_view(
name="api",
schema=schema,
validation_rules=[
NoSchemaIntrospectionCustomRule,
DisableIntrospection,
]
)
)
The GraphQL server framework should be instructed to disable introspection in production environments. This prevents any attacker attempt to retrieve schema information from the server at runtime.
Each GraphQL framework will have a different method of doing this, possibly including:
If introspection is required, it should only be made available to the smallest possible audience. This could include development environments, users with a specific right, or requests from a specific set of IP addresses.