id: apollo-server-detect

info:
  name: Apollo Server GraphQL Introspection - Detect
  author: idealphase
  severity: info
  description: Apollo Server GraphQL introspection was detected.
  reference:
    - https://github.com/apollographql/apollo-server
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0
    cwe-id: CWE-200
  metadata:
    max-request: 1
  tags: apollo,detect,graphql,tech

http:
  - method: POST
    path:
      - "{{BaseURL}}/graphql"

    headers:
      Content-Type: application/json

    body: |
      {"query":"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Content-Type: application/json"

      - type: word
        part: body
        words:
          - "GraphQL introspection is not allowed by Apollo Server"

      - type: status
        status:
          - 400

# digest: 490a00463044022035669286bd6919facd4a99eb2f288be4d31424743ff24e9fc5e3ce56d57f7ff40220100432a0f3f878309671a8d5b355e994a9a0c00e0f297c3c3a730f99b36d874a:922c64590222798bb761d5b6d8e72950