Graphql Development Console Exposed
Exposed GraphQL development console allows type introspection, increasing the risk of security vulnerabilities and unauthorized access
Security Misconfiguration (SM)
How this template works
APIs Selection
- The template uses a regular expression filter to match URLs that contain the word "graphql". - This filter ensures that only APIs with GraphQL endpoints are selected for further processing.
Execute request
- The template specifies a single request to be executed. - The request modifies the URL by replacing any occurrence of "graphql" with "graphiql". - This modification is done to check if the GraphQL development console is exposed at the modified URL.
Validation
- The validation step checks the response payload for the presence of specific strings related to GraphQL development consoles. - If the response contains any of the specified strings ("GraphiQL", "GraphQL Playground", "GraphQL Console", "graphql-playground"), the validation is considered successful. That's it! The template filters APIs based on the URL, executes a modified request, and validates the response to determine if a GraphQL development console is exposed.
Frequently asked questions
What is the purpose of the "GraphQL Development Console Exposed" vulnerability test
How does type introspection in GraphQL contribute to the vulnerability
What are the potential impacts of the "GraphQL Development Console Exposed" vulnerability
How can the "GraphQL Development Console Exposed" vulnerability be mitigated
What are some recommended resources for understanding and addressing GraphQL vulnerabilities
How does the "GraphQL Development Console Exposed" vulnerability relate to industry standards and best practices
"The text editor in Akto is absolutely remarkable. Its user-friendly YAML format strikes the perfect balance between simplicity and power. With intuitive features like 'API selection filter', 'Execute', Validate' creating test rules becomes incredibly easy. Akto's test editor is a game-changer, enabling seamless creation of highly personalized and effective tests that could meet the needs of any modern day organization. "
Security team,
Rippling
Explore other tests
eSMTP - Config Discovery
Nginx - Git Configuration Exposure
Laravel - Sensitive Information Disclosure
Docker Container - Misconfiguration Exposure
Msmtp - Config Exposure
Parameters.yml - File Discovery
Mongo Express - Unauthenticated Access
Apache Airflow Configuration Exposure
Dockerrun AWS Configuration Exposure
Apache Config file disclosure
Appspec Yml Disclosure
CGI script environment variable
