GraphQL introspection is a feature that allows client applications to query the schema of a GraphQL API at runtime. It provides a way for
developers to explore and understand the available data and operations supported by the API.
This feature is a diagnostic tool that should be enabled only during development, because its presence in a deployed API also creates risks.
Clear documentation and API references should be considered better discoverability tools for a public GraphQL API.
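The guidance above (introspection on in development, off everywhere else) is usually applied by a server setting, but it helps to see what the check actually looks at. The following is an added example, not code from the original page or from any GraphQL server project: a dependency-free pre-execution hook that refuses documents selecting the introspection entry points `__schema` or `__type` outside development, plus a detector that flags such queries in access-log lines. The hook name `guardIntrospection`, the `env` argument and the log-line format are assumptions; the log lines are constructed samples.

```javascript
// Added example (not from the original page): reject GraphQL introspection
// outside development and spot introspection attempts in logs.
// Assumes the server passes the raw query string and an environment name
// to guardIntrospection() before execution (hypothetical hook).

// Remove string literals and comments first, so a field argument such as
// search(term: "__schema") is not mistaken for an introspection selection.
function stripLiteralsAndComments(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')    // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""') // ordinary strings
    .replace(/#[^\n]*/g, '');            // line comments
}

// True when the document selects __schema or __type, the two root fields that
// introspection relies on. The trailing \b keeps the ordinary meta-field
// __typename from matching.
function isIntrospectionQuery(query) {
  const cleaned = stripLiteralsAndComments(query);
  return /(^|[\s{,(])__(schema|type)\b/.test(cleaned);
}

// Decision hook: introspection is allowed only when env === 'development'.
function guardIntrospection(query, env) {
  if (env !== 'development' && isIntrospectionQuery(query)) {
    return { allowed: false, reason: 'introspection is disabled outside development' };
  }
  return { allowed: true };
}

// Detection side: given access-log lines of the assumed form
// "<client> POST /graphql query=<document>", return the clients that sent
// introspection queries, sorted for stable output.
function findIntrospectionClients(logLines) {
  const clients = new Set();
  for (const line of logLines) {
    const m = /^(\S+) POST \/graphql query=(.*)$/.exec(line);
    if (m && isIntrospectionQuery(m[2])) clients.add(m[1]);
  }
  return [...clients].sort();
}

// Constructed sample log lines (documentation-range addresses, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 POST /graphql query={ __schema { types { name } } }',
  '198.51.100.2 POST /graphql query={ user(id: 1) { name email } }',
  '203.0.113.7 POST /graphql query={ __type(name: "User") { fields { name } } }',
  '192.0.2.9 POST /graphql query={ search(term: "__schema") { id } }',
];

// Stand-alone demonstration.
console.log(guardIntrospection('{ __schema { types { name } } }', 'production'));
console.log(guardIntrospection('{ __schema { types { name } } }', 'development'));
console.log('clients running introspection:', findIntrospectionClients(SAMPLE_LOG));
```

Run with `node`: the production call is refused, the development call is allowed, and only `203.0.113.7` is reported from the sample log (the `"__schema"` inside a string argument and the `__typename` meta-field are deliberately not counted). In a real deployment the hook would sit in front of the GraphQL executor, and the detector would read the server's actual request log format rather than the constructed one here.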
What is the potential impact?
An attacker can use introspection to identify all of the operations and data types supported by the server. This information can then be used to
identify potential targets for attacks.
Exploitation of private APIs
Even when a GraphQL API server is open to access by third-party applications, it may contain APIs that are intended only for private use.
Introspection allows these private APIs to be discovered.
Private APIs often do not receive the same level of security rigor as public APIs. For example, they may skip input validation because the API is
only expected to be called from trusted applications. This can create avenues for attack that are not present on public APIs.
Exposure of sensitive data
GraphQL allows for multiple related objects to be retrieved using a single API call. This provides an efficient method of obtaining data for use in
a client application.
An attacker may be able to use these relationships between objects to traverse the data structure. They may be able to find a link to sensitive
data that the developer did not intentionally make available.