Findings

Introspection is enabled

Updated: June 19, 2025

Description

Severity: High

The GraphQL endpoint is configured to allow introspection queries.

This enables clients to explore the API's schema, including its types, fields, and relationships.

While this is useful during development, it poses a security risk in production environments as it exposes sensitive schema details to potential attackers.

Example Attack

An attacker sends an introspection query to the production GraphQL API to retrieve the full schema. By analyzing the schema, the attacker can identify sensitive fields, types, and queries they might not have known about otherwise. This information can be used to craft targeted attacks, such as accessing unauthorized data or exploiting weaknesses in the API.

Remediation

Disable introspection on the GraphQL API in production so that introspection queries are rejected instead of being answered with the schema.
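Most servers expose a setting for this (for example Apollo Server's `introspection` constructor option, or graphql-js's `NoSchemaIntrospectionCustomRule` validation rule), and that setting is the preferred fix. The following is an added example, not code from this page or from any GraphQL server project: a dependency-free request gate that rejects documents selecting the `__schema` or `__type` introspection fields outside development while still allowing `__typename`, which ordinary clients depend on. It assumes requests arrive as `{ query: string }` and that `env` holds a deployment environment name; both are assumptions made for the example.

```javascript
// Added example: dependency-free gate that refuses schema-introspection
// requests outside development. Not the scanner's or any server's own code.
// Assumptions: body is { query: string }; env is an environment name such
// as 'development' or 'production' (names chosen for this example).

const INTROSPECTION_FIELDS = new Set(['__schema', '__type']);

// One pass over the document text. Each alternative consumes one lexical
// unit so that names inside comments, block strings, plain strings and
// variable references ($name) are never mistaken for field selections.
// Group 5 is a bare Name token; only those are inspected.
const TOKEN_RE =
  /(#[^\r\n]*)|("""(?:[^"]|"(?!""))*""")|("(?:[^"\\\r\n]|\\.)*")|(\$[_A-Za-z][_0-9A-Za-z]*)|([_A-Za-z][_0-9A-Za-z]*)/g;

// Returns the sorted list of introspection fields selected in `query`.
// `__typename` is deliberately not in the set: it reveals nothing about
// the schema beyond the type of an object the client already received.
function findIntrospectionFields(query) {
  const found = new Set();
  for (const m of query.matchAll(TOKEN_RE)) {
    const name = m[5];
    if (name && INTROSPECTION_FIELDS.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Decides whether a request may proceed. Introspection is permitted only
// in development; elsewhere the document is refused and the offending
// fields are returned so the refusal can be logged and alerted on.
function gateRequest(body, env) {
  if (typeof body?.query !== 'string') {
    return { allowed: false, reason: 'missing query', fields: [] };
  }
  const fields = findIntrospectionFields(body.query);
  if (fields.length === 0 || env === 'development') {
    return { allowed: true, fields };
  }
  return { allowed: false, reason: 'introspection disabled', fields };
}
```

A refusal from `gateRequest` in production is worth logging: a client asking for `__schema` against a production endpoint is exactly the probe this finding describes.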
