id: graphql-field-suggestion info: name: GraphQL Field Suggestion Information Disclosure author: Dolev Farhi severity: info description: | If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema. By default, GraphQL backends have a feature for fields and operations suggestions. If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt. reference: - https://github.com/webonyx/graphql-php/issues/454 - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html - https://graphql.security tags: graphql requests: - raw: - | POST /graphql HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"query":"query {\n __schema {\n directive\n }\n}","variables":null} - | POST /api/graphql HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"query":"query {\n __schema {\n directive\n }\n}","variables":null} stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "Did you mean" - type: word part: header words: - "application/json"