Findings

Field Suggestions

Updated: June 19, 2025

Description

Severity: Low

The GraphQL endpoint has field suggestions enabled.

When a query names a field that does not exist, the server's error message includes hints about similar valid field names. This is convenient for developers during debugging, but it also discloses parts of the API's schema to anyone who can send queries, which aids reconnaissance and makes targeted attacks easier.

Example Attack

An attacker sends a GET request with a mutation query embedded in the URL, such as deleting a user or updating account details. If the server allows mutations via GET, the attacker can execute this mutation without the need for additional authentication or protection, potentially leading to unauthorized data modification.

Remediation

Ensure that the GraphQL API does not have field suggestions enabled.
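The following is an added example, not code from the original page or from any particular GraphQL server. It shows the two defender-side pieces a practitioner usually wants for this finding: an error-formatting hook that strips the "Did you mean ...?" suffix that graphql-js appends to unknown-field errors (the shape a `formatError`-style hook takes in frameworks such as Apollo Server; using such a hook is an assumption about your server), and a check that inspects a captured response to confirm that suggestions are no longer leaking after remediation. The sample response is constructed to mirror graphql-js's error wording and was not captured from any real system.

```javascript
// Added example: scrub GraphQL field suggestions from error responses and
// verify that a response no longer leaks them. Pure JavaScript, no dependencies.

// graphql-js appends suggestions to unknown-field errors in the form
//   Did you mean "email"?
//   Did you mean "email", "emails", or "emailVerified"?
// This pattern matches that suffix (and anything up to the closing "?").
const SUGGESTION_SUFFIX = /\s*Did you mean\b[^?]*\?$/;

// Remediation: formatError-style hook. Keeps the useful part of the message
// ("Cannot query field ... on type ...") and drops the schema hint.
function stripFieldSuggestions(formattedError) {
  if (typeof formattedError.message !== 'string') return formattedError;
  return { ...formattedError, message: formattedError.message.replace(SUGGESTION_SUFFIX, '') };
}

// Apply the hook to every error in a GraphQL response body.
function hardenResponse(responseBody) {
  const errors = (responseBody.errors ?? []).map(stripFieldSuggestions);
  return { ...responseBody, errors };
}

// Verification: collect every field name a response suggests. An empty list
// means the finding is remediated for that response.
function leakedSuggestions(responseBody) {
  const names = [];
  for (const err of responseBody.errors ?? []) {
    const match = /Did you mean ([^?]+)\?/.exec(err.message ?? '');
    if (!match) continue;
    for (const quoted of match[1].matchAll(/"([^"]+)"/g)) names.push(quoted[1]);
  }
  return names;
}

function leaksFieldSuggestions(responseBody) {
  return leakedSuggestions(responseBody).length > 0;
}

// Constructed sample: what a server with suggestions enabled returns for a
// query that typo'd "email" as "emial" and asked for a field that does not exist.
const SAMPLE_RESPONSE = {
  errors: [
    {
      message: 'Cannot query field "emial" on type "User". Did you mean "email", "emails", or "emailVerified"?',
      locations: [{ line: 1, column: 9 }],
    },
    {
      message: 'Cannot query field "ssn" on type "User".',
      locations: [{ line: 1, column: 16 }],
    },
  ],
};

// Stand-alone run: show the leak before hardening and its absence after.
console.log('leaked before:', leakedSuggestions(SAMPLE_RESPONSE));
const hardened = hardenResponse(SAMPLE_RESPONSE);
console.log('leaks after hardening:', leaksFieldSuggestions(hardened));
console.log('hardened messages:', hardened.errors.map((e) => e.message));
```

Run the leak check against responses captured during testing rather than only against the hook's own output: a reverse proxy, an error-reporting middleware, or a second server library in front of the schema can reintroduce the original message text.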
