Field suggestion

Description

If introspection is disabled on your target, Field Suggestion still allows users to infer the entire schema, with a tool like Clairvoyance. If you query a field with a typo, GraphQL will attempt to suggest fields close to what was requested. Example: Error: Cannot query field "createSesion" on type "RootMutation". Did you mean "createSession", "createUser", "createFile", or "createImage"?

Remediation

Disable Field Suggestion in production.

GraphQL Specific

Apollo

To address issues with the Apollo framework engine, ensure that you are using the latest stable version. Update your dependencies and check for any deprecated features that may need refactoring. Additionally, review the Apollo documentation for best practices on schema design, query optimization, and error handling to improve the performance and reliability of your GraphQL API.

Yoga

To address issues within the Yoga framework engine, ensure that you are using the latest stable version of the framework. Regularly update your dependencies to incorporate security patches and bug fixes. Additionally, follow best practices for error handling and input validation to prevent common vulnerabilities. If you encounter specific problems, consult the Yoga framework documentation or seek support from the community forums.

Awsappsync

To ensure the security and performance of your AWS AppSync GraphQL APIs, it is recommended to use parameterized queries to prevent injection attacks and to optimize query execution. Additionally, enable caching for frequently accessed data, monitor and set alarms for unusual patterns or error rates using Amazon CloudWatch, and manage data access by implementing fine-grained access control with AWS Identity and Access Management (IAM) roles and Amazon Cognito for authentication and authorization purposes.

Graphqlgo

To mitigate potential security risks in your GraphQL Go framework engine, ensure that all queries are properly validated and sanitized to prevent injection attacks. Use middleware for authentication and authorization to control access to sensitive data. Regularly update dependencies to incorporate security patches. Additionally, consider implementing rate limiting to protect against denial-of-service attacks.

Graphqlruby

Ensure that proper input validation is implemented to prevent GraphQL injection attacks. Use the built-in mechanisms for argument validation provided by the GraphQL Ruby framework. Additionally, consider implementing rate limiting and complexity analysis on queries to mitigate potential abuse.

Hasura

To ensure secure and efficient data handling with the Hasura framework engine, it is recommended to use parameterized queries to prevent SQL injection attacks. Additionally, regularly update the Hasura engine to the latest version to benefit from security patches and performance improvements. Implement role-based access control to restrict data access and operations according to user roles. Monitor the engine's performance and logs to detect and address any issues promptly. Lastly, consider using environment variables for sensitive information instead of hardcoding them into your application.

Configuration

Identifier: information_disclosure/graphql_field_suggestion

Examples

Ignore this check

checks:
  information_disclosure/graphql_field_suggestion:
    skip: true

Score

• Escape Severity: MEDIUM

Compliance

• OWASP: API7:2023

• pci: 6.5.10

• gdpr: Article-32

• soc2: CC6

• psd2: Article-95

• iso27001: A.12.6

• nist: SP800-53

• fedramp: AC-6

Classification

• CWE: 200

Score

• CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
• CVSS_SCORE: 5.1

References

• https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/