GraphQL introspection enabled

Description: GraphQL introspection enabled

Introspection uses the built-in `__schema` and `__type` fields to return information about a GraphQL schema itself: the root operation types, every type in the schema, their fields and arguments, and any descriptions attached to them. Like regular GraphQL queries, introspection queries are highly customizable, so a client can select exactly which parts of the schema it wants and in what shape the response is returned.

GraphQL introspection can represent a significant security risk when enabled in production, as it lets attackers enumerate every query, mutation and subscription the API exposes, together with their argument and return types, as well as other potentially sensitive information such as type and field descriptions and fields intended only for internal or privileged use. This is primarily an information-disclosure issue: introspection does not itself grant access to those operations, but it removes the guesswork from finding them and from targeting the ones that are weakly protected.
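The check a scanner performs for this issue, as an added example that is not PortSwigger's code: send the introspection query below, decide from the response whether introspection is enabled, and summarise what the schema exposes. The two responses are constructed samples embedded so the script runs offline; the error message in the disabled sample is illustrative, not a specific server's wording.

```python
"""Detect whether a GraphQL endpoint answers introspection and summarise what it
exposes. Added example, not PortSwigger's code; works on constructed sample
responses so it runs without network access."""
import json

# Minimal introspection query: root operation types plus every type's fields,
# their arguments and any descriptions. This is a standard introspection selection.
INTROSPECTION_QUERY = """
query Introspect {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      description
      fields {
        name
        description
        args { name type { name kind ofType { name kind ofType { name } } } }
      }
    }
  }
}
"""

# Constructed sample of a server that answers introspection.
ENABLED_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "description": None, "fields": [
            {"name": "user", "description": None, "args": [
                {"name": "id", "type": {"name": None, "kind": "NON_NULL",
                                        "ofType": {"name": "ID", "kind": "SCALAR", "ofType": None}}}]},
            {"name": "adminAuditLog", "description": "Internal use only", "args": []},
        ]},
        {"name": "Mutation", "description": None, "fields": [
            {"name": "resetPassword", "description": None, "args": [
                {"name": "userId", "type": {"name": None, "kind": "NON_NULL",
                                            "ofType": {"name": "ID", "kind": "SCALAR", "ofType": None}}}]},
        ]},
        {"name": "ID", "description": None, "fields": None},
        {"name": "String", "description": None, "fields": None},
    ],
}}})

# Constructed sample of a server that refuses introspection (wording is illustrative).
DISABLED_RESPONSE = json.dumps({"errors": [{"message": "GraphQL introspection is not allowed"}]})


def introspection_enabled(response_body: str) -> bool:
    """True when the JSON body carries a populated data.__schema object."""
    try:
        body = json.loads(response_body)
    except ValueError:
        return False
    data = body.get("data") if isinstance(body, dict) else None
    return isinstance(data, dict) and isinstance(data.get("__schema"), dict)


def _type_name(ref: dict) -> str:
    """Render an introspection type reference in SDL style, e.g. [ID!]!."""
    kind = ref.get("kind")
    inner = ref.get("ofType")
    if kind == "NON_NULL" and inner:
        return _type_name(inner) + "!"
    if kind == "LIST" and inner:
        return "[" + _type_name(inner) + "]"
    return ref.get("name") or "?"


def exposed_operations(response_body: str) -> dict:
    """Map each root operation type to its fields, rendered with argument types."""
    schema = json.loads(response_body)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    result = {}
    for root in ("queryType", "mutationType", "subscriptionType"):
        ref = schema.get(root)
        if not ref:
            continue
        fields = types.get(ref["name"], {}).get("fields") or []
        rendered = []
        for field in fields:
            args = ", ".join(f"{a['name']}: {_type_name(a['type'])}" for a in field.get("args") or [])
            rendered.append(f"{field['name']}({args})" if args else field["name"])
        result[ref["name"]] = rendered
    return result


def described_fields(response_body: str) -> list:
    """List (Type.field, description) pairs: descriptions are a common leak of intent."""
    schema = json.loads(response_body)["data"]["__schema"]
    found = []
    for t in schema["types"]:
        for field in t.get("fields") or []:
            if field.get("description"):
                found.append((f"{t['name']}.{field['name']}", field["description"]))
    return found


if __name__ == "__main__":
    for label, body in (("enabled", ENABLED_RESPONSE), ("disabled", DISABLED_RESPONSE)):
        print(label, "->", "introspection enabled" if introspection_enabled(body) else "no schema returned")
    print(exposed_operations(ENABLED_RESPONSE))
    print(described_fields(ENABLED_RESPONSE))
```

To run this against a live target, POST `{"query": INTROSPECTION_QUERY}` as JSON to the endpoint and pass the response body to the functions; the parsing is independent of the HTTP client used.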

Remediation: GraphQL introspection enabled

Disable introspection on production GraphQL servers. Most server frameworks expose a configuration switch for this; consult your server documentation if you are unsure how to do this. Treat this as a hardening measure rather than an access control: every operation the schema exposes must still enforce its own authorization, because an attacker who cannot introspect can still guess field names or harvest them from the server's "Did you mean" suggestions in error messages.
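Where the server's own switch cannot be used, a request-edge guard can reject introspection documents before they reach the executor. The following is an added example, not PortSwigger's code and not any framework's API: it strips string literals and comments so that a `#` or a quoted `"__schema"` cannot fool it, then refuses documents that select `__schema` or `__type` while still allowing `__typename`, which ordinary clients rely on. The `introspection_allowed` flag and the error wording are assumptions for the example; a real deployment should prefer the server's built-in setting and use something like this only as a second layer.

```python
"""Reject introspection queries at the request edge. Added example, not
PortSwigger's code; the guard() shape is a hypothetical middleware hook."""
import re

# Block strings first, then ordinary strings with escapes; DOTALL lets block strings span lines.
_STRING_RE = re.compile(r'"""(?:\\"""|(?!""").)*"""|"(?:\\.|[^"\\\n])*"', re.S)
_COMMENT_RE = re.compile(r"#[^\r\n]*")
# __schema and __type as field names; \b stops __typename from matching, and the
# lookbehind ignores variable names such as $__schema.
_INTROSPECTION_FIELD_RE = re.compile(r"(?<![\w$])__(?:schema|type)\b")


def strip_strings_and_comments(document: str) -> str:
    """Blank out string literals, then comments, so neither can hide or fake a field name."""
    without_strings = _STRING_RE.sub('""', document)
    return _COMMENT_RE.sub("", without_strings)


def is_introspection_query(document: str) -> bool:
    """True if the document selects __schema or __type anywhere, including via an alias."""
    return _INTROSPECTION_FIELD_RE.search(strip_strings_and_comments(document)) is not None


def guard(document: str, introspection_allowed: bool = False) -> dict:
    """Hypothetical middleware hook: return a GraphQL-style error instead of forwarding."""
    if not introspection_allowed and is_introspection_query(document):
        return {"errors": [{"message": "Introspection is disabled"}]}
    return {"forwarded": True}


if __name__ == "__main__":
    samples = [
        "{ __schema { types { name } } }",                        # blocked
        "{ s: __type(name: \"User\") { fields { name } } }",     # blocked despite alias
        "query { user(id: 1) { __typename name } }",             # allowed: __typename is harmless
        "{ user(name: \"__schema\") { id } }",                    # allowed: only inside a string
        "# __schema\n{ user { id } }",                            # allowed: only in a comment
    ]
    for doc in samples:
        print(guard(doc), "<-", doc.replace("\n", "\\n"))
```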

Typical severity

Low

Type index (hex)

0x00200512

Type index (decimal)

2098450