Information Disclosure :: GraphQL Introspection


Problem Statement

GraphQL Introspection is a special query that uses the __schema field to interrogate GraphQL for its schema.

Introspection in itself is not a weakness, but a feature. However, if it is made available, it can be used and abused by attackers seeking information about your GraphQL implementation, such as what queries or mutations exist.

It is recommended to disable introspection in production to avoid data leakage.

Note: If the introspection query is disabled, attackers may fall back to using the Field Suggestion feature to understand what queries and fields are supported by your GraphQL. Refer to the Information Disclosure :: GraphQL Field Suggestions attack for more information.
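
One way to enforce the recommendation above at the request layer, as an added example that is not code from the original page: a pre-execution gate that rejects documents naming __schema or __type, ignores those words inside string values and comments, and still allows __typename. It assumes the usual JSON request body with a "query" key (single or batched); the function names and sample queries are constructed for illustration.

```python
import json
import re

# Skip strings and comments so "__schema" inside an argument value or a
# comment is not mistaken for an introspection field.
_TOKEN = re.compile(r'''
    (?P<block>"""(?:\\"""|[\s\S])*?""")     # block string
  | (?P<string>"(?:\\.|[^"\\\n])*")         # quoted string
  | (?P<comment>\#[^\n]*)                   # comment to end of line
  | (?P<variable>\$[_A-Za-z][_0-9A-Za-z]*)  # $variable, not a field
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)        # field, alias, type or argument name
''', re.VERBOSE)

# __typename is deliberately absent: clients request it routinely and it
# does not expose the schema.
INTROSPECTION_FIELDS = {"__schema", "__type"}


def introspection_fields(query):
    """Return the introspection meta-fields named in a GraphQL document."""
    return {m.group() for m in _TOKEN.finditer(query)
            if m.lastgroup == "name" and m.group() in INTROSPECTION_FIELDS}


def check_request(body, allow_introspection=False):
    """Gate a GraphQL-over-HTTP JSON body; returns (status, reason)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    # A batched request is a JSON array of operations; check every one.
    for op in payload if isinstance(payload, list) else [payload]:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return 400, "missing query"
        hits = introspection_fields(op["query"])
        if hits and not allow_introspection:
            return 400, "introspection is disabled: " + ", ".join(sorted(hits))
    return 200, "ok"


if __name__ == "__main__":
    # Constructed request bodies, not captured traffic.
    for body in (b'{"query": "{ __schema { types { name } } }"}',
                 b'{"query": "{ pastes { __typename title } }"}'):
        print(check_request(body))
```

Where the GraphQL server library has its own setting to turn introspection off, that setting is the primary control and a gate like this is a second layer in front of it.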

Resources
Exploitation Solution