id: graphql-field-suggestion

info:
  name: GraphQL Field Suggestion Information Disclosure
  author: Dolev Farhi
  severity: info
  description: |
    If introspection is disabled on your target, Field Suggestion can allow users to still earn information on the GraphQL schema.
    By default, GraphQL backends have a feature for fields and operations suggestions.
    If you try to query a field but you have made a typo, GraphQL will attempt to suggest fields that are similar to the initial attempt.
  reference:
    - https://github.com/webonyx/graphql-php/issues/454
    - https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
    - https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html
    - https://graphql.security
  tags: graphql

requests:
  - raw:
      - |
        POST /graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query":"query {\n  __schema {\n directive\n }\n}","variables":null}

      - |
        POST /api/graphql HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"query":"query {\n  __schema {\n directive\n }\n}","variables":null}

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Did you mean"

      - type: word
        part: header
        words:
          - "application/json"