GraphQL Introspection

GraphQL Introspection is a built-in feature that allows clients to query the schema itself, revealing all types, fields, queries, mutations, and their arguments. While useful for development, exposed introspection in production can aid attackers in reconnaissance.

Introspection Query

query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      fields {
        name
        args {
          name
          type { name }
        }
        type { name }
      }
    }
  }
}

What Attackers Learn

Example introspection response (abbreviated; valid JSON, annotations follow):

{
  "data": {
    "__schema": {
      "types": [
        {
          "name": "User",
          "fields": [
            {"name": "id"},
            {"name": "email"},
            {"name": "password"},
            {"name": "isAdmin"},
            {"name": "internalNotes"}
          ]
        },
        {
          "name": "Mutation",
          "fields": [
            {"name": "deleteUser"},
            {"name": "updatePermissions"}
          ]
        }
      ]
    }
  }
}

Fields of note in this response:

  • User.password: sensitive credential field
  • User.isAdmin: authorization field
  • User.internalNotes: private data
  • Mutation.deleteUser: admin function
  • Mutation.updatePermissions: privilege escalation

Security Implications

  • Complete API schema exposure
  • Discovery of sensitive fields and mutations
  • Understanding of data relationships
  • Identification of potential attack vectors

Recommendations

  • Disable introspection in production
  • Use allowlisting for permitted queries
  • Implement persisted queries
  • Monitor for introspection query attempts

See Also