# GraphQL Introspection Vulnerability

{% hint style="danger" %}
**At a Glance**: **GraphQL Introspection** allows clients to query the schema of a GraphQL API, revealing types, fields, queries, and mutations available on the backend. While this feature is beneficial during development, leaving introspection enabled in production can expose sensitive information to attackers. They can use this information to map out your API, discover hidden functionalities, deprecated fields, or potential weaknesses to exploit. To mitigate this risk, disable introspection in production or restrict it to authenticated and authorized users.
{% endhint %}

***

## Introduction

GraphQL Introspection is a powerful feature that enables clients to explore and understand the schema of a GraphQL API dynamically. By making special introspection queries, clients can retrieve detailed information about types, fields, arguments, and relationships within the API. Although this feature is highly beneficial during development, leaving introspection enabled in production environments accessible to untrusted users can introduce significant security risks. Attackers can leverage introspection to gain deep insights into your API's structure, uncovering sensitive data or functionalities intended to be private or internal. This information can be used to craft targeted attacks, exploit vulnerabilities, or perform unauthorized operations.

## What are the common mistakes made by developers?

1. **Leaving Introspection Enabled in Production**: Developers often forget to disable introspection in production environments, allowing anyone to query the schema and discover sensitive details.
2. **Lack of Authentication and Authorization**: Allowing unauthenticated or unauthorized users to perform introspection queries exposes your API schema to potential malicious actors.

## How can I fix GraphQL Introspection issues?

#### Disable Introspection in Production

**Configure Your Server**: Adjust your GraphQL server settings to disable introspection queries in production environments. Most GraphQL server implementations provide options to toggle this feature based on the environment.

#### Restrict Access to Introspection

**Implement Access Controls**: If disabling introspection entirely isn't feasible, restrict it to authenticated and authorized users.
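The two fixes above as one request-time policy check, written as an added example for this page (it is not code from the original page or from any particular GraphQL server). Introspection is served through the `__schema` and `__type` meta-fields, so the check refuses a query that uses them when running in production unless the authenticated caller holds an allowed role; the `policy` and `ctx.user` shapes are assumptions for the demo.

```javascript
// Added example: an introspection policy check a GraphQL HTTP handler can run
// after authentication and before execution. Server-specific equivalents exist
// (for example Apollo Server's `introspection: false` option); this shows the
// decision logic itself.

// Introspection requests use the __schema / __type meta-fields. A string scan
// is enough for this demo (it cannot match __typename because of the word
// boundary); a real server should apply the rule to the parsed document, e.g.
// with graphql-js' NoSchemaIntrospectionCustomRule validation rule.
const INTROSPECTION_FIELD = /\b__(schema|type)\b/;

function isIntrospectionQuery(query) {
  return INTROSPECTION_FIELD.test(query);
}

// policy.production  - true when the server runs in production (assumed shape)
// policy.allowedRole - role that may still introspect in production (optional)
// ctx.user           - authenticated principal { id, roles }, or null
function checkIntrospectionPolicy(query, policy, ctx) {
  if (!isIntrospectionQuery(query)) return { allowed: true };
  if (!policy.production) return { allowed: true }; // dev/staging: allowed
  const user = ctx && ctx.user;
  if (policy.allowedRole && user && user.roles.includes(policy.allowedRole)) {
    return { allowed: true };
  }
  // One generic error for anonymous and under-privileged callers, so the
  // response does not reveal that introspection exists behind a role gate.
  return { allowed: false, error: 'GraphQL introspection is not available' };
}

// Constructed sample requests (not captured traffic).
const INTROSPECTION_QUERY = '{ __schema { types { name fields { name } } } }';
const BUSINESS_QUERY = 'query { viewer { id email } }';

function demo() {
  const prod = { production: true, allowedRole: 'schema-reader' };
  const anonymous = { user: null };
  const auditor = { user: { id: 7, roles: ['schema-reader'] } };
  return {
    businessAnonymous: checkIntrospectionPolicy(BUSINESS_QUERY, prod, anonymous),
    introspectionAnonymous: checkIntrospectionPolicy(INTROSPECTION_QUERY, prod, anonymous),
    introspectionAuditor: checkIntrospectionPolicy(INTROSPECTION_QUERY, prod, auditor),
  };
}

console.log(demo());
```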

## Test cases in this category

This test case detects whether GraphQL introspection is enabled:

<table><thead><tr><th>Test case</th><th width="251.33333333333331">OWASP</th><th>CWE</th><th data-hidden></th></tr></thead><tbody><tr><td>[GQL001] GraphQL introspection</td><td><a href="https://owasp.org/API-Security/editions/2023/en/0xa8-security-misconfiguration/">API8 OWASP API Top 10</a></td><td><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200</a></td><td></td></tr></tbody></table>
