GraphQL Endpoint Detected

Identified a GraphQL endpoint in the application. GraphQL provides a flexible query interface that lets clients request exactly the data they need. While powerful, improper configuration or missing security controls can expose sensitive data or enable abuse scenarios such as schema disclosure through introspection, excessive data retrieval, or resource exhaustion through overly complex queries.

The endpoint responds to GraphQL queries and/or supports introspection.

Impacts:

  • Exposure of sensitive schema information via introspection queries
  • Over-fetching or under-fetching of sensitive data
  • Denial of Service (DoS) through expensive or deeply nested queries
  • Bypassing of traditional REST-based access controls
  • Enumeration of internal data models and relationships

Recommendations:

  • Disable GraphQL introspection in production environments if not required
  • Implement query depth limiting and complexity analysis
  • Enforce authentication and authorization at resolver level
  • Restrict access to sensitive fields explicitly
  • Enable rate limiting on GraphQL endpoints
  • Monitor and log GraphQL query patterns for abuse detection
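The depth-limiting, complexity-analysis and introspection recommendations above can be enforced as a pre-check before a query reaches the executor. The following is an added example, not code from the original finding or from any GraphQL library: it tokenizes the raw query text (skipping strings and comments so a brace inside an argument value is not miscounted), measures selection-set nesting depth, counts selected fields as a simple cost proxy, and flags the `__schema` / `__type` introspection fields. The sample queries, the limits (`max_depth`, `max_fields`) and the function names are assumptions chosen for illustration; a production deployment would use the server's own validation rules on the parsed AST.

```python
import re
from dataclasses import dataclass

# Constructed sample queries (not from the finding) used to exercise the checks.
SAFE_QUERY = """
query GetUser($id: ID!) {
  user(id: $id) {
    name
    email
  }
}
"""

DEEP_QUERY = """
query Abuse {
  user(id: "{") {   # the brace inside the string argument must not count
    friends { friends { friends { friends { friends { friends { name } } } } } }
  }
}
"""

INTROSPECTION_QUERY = """
{ __schema { types { name fields { name } } } }
"""

# Minimal GraphQL lexer: enough to find selection sets, arguments and names.
TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""'                     # block string
    r'|"(?:\\.|[^"\\\n])*"'               # string
    r'|#[^\n]*'                           # comment (dropped)
    r'|\.\.\.'                            # fragment spread
    r'|[A-Za-z_][A-Za-z0-9_]*'            # name
    r'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?'  # number
    r'|[{}():$@=!\[\]|]'                  # punctuators
    r'|[ \t\r\n,]+'                       # insignificant whitespace and commas
)
NAME_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
INTROSPECTION_FIELDS = {"__schema", "__type"}


@dataclass
class QueryStats:
    depth: int            # deepest selection-set nesting
    fields: int           # number of selected fields (cost proxy)
    introspection: bool   # True if __schema or __type is selected


def tokenize(query: str) -> list[str]:
    """Split the query into significant tokens; reject unknown characters."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(query):
        if m.start() != pos:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        tok = m.group()
        if tok.startswith("#") or tok.strip(" \t\r\n,") == "":
            continue
        tokens.append(tok)
    if pos != len(query):
        raise ValueError(f"unexpected character at offset {pos}")
    return tokens


def analyze(query: str) -> QueryStats:
    """Walk the token stream tracking braces (selection sets) and parentheses (arguments)."""
    tokens = tokenize(query)
    depth = max_depth = paren = fields = 0
    introspection = False
    for i, tok in enumerate(tokens):
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif depth > 0 and paren == 0 and NAME_RE.fullmatch(tok):
            prev = tokens[i - 1] if i else None
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            # Skip fragment spreads, type conditions, variables, directives and aliases
            # (the alias name precedes ':'; the real field name after it is counted).
            if prev in ("...", "$", "@", "on") or nxt == ":":
                continue
            fields += 1
            if tok in INTROSPECTION_FIELDS:
                introspection = True
    return QueryStats(max_depth, fields, introspection)


def check_query(query: str, max_depth: int = 6, max_fields: int = 100,
                allow_introspection: bool = False) -> list[str]:
    """Return a list of policy violations; an empty list means the query may proceed."""
    stats = analyze(query)
    problems = []
    if stats.depth > max_depth:
        problems.append(f"depth {stats.depth} exceeds limit {max_depth}")
    if stats.fields > max_fields:
        problems.append(f"field count {stats.fields} exceeds limit {max_fields}")
    if stats.introspection and not allow_introspection:
        problems.append("introspection fields (__schema/__type) are not allowed")
    return problems


if __name__ == "__main__":
    for name, q in [("safe", SAFE_QUERY), ("deep", DEEP_QUERY), ("introspection", INTROSPECTION_QUERY)]:
        print(name, analyze(q), check_query(q) or "accepted")
```

Rejected queries should also be logged with the measured depth and field count, which gives the monitoring recommendation above a concrete signal to alert on.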