概要
GraphQL introspection is the spec's most developer-friendly feature and one of its most defender-unfriendly defaults. Send a query asking the server to describe itself, and a fully-introspected GraphQL endpoint dutifully returns every type, every field name and type, every argument, and (in many configs) every directive comment. It's how GraphiQL, Apollo Sandbox, and every modern GraphQL client tool work. It's also how attackers map your API in seconds. Apollo Server 4 disables introspection by default in production, but plenty of older deployments and self-rolled GraphQL servers still ship with it on, and the line between 'we want devs to use the explorer' and 'we exposed the entire data model to the internet' is one configuration flag.
運作方式
A `__schema` query — `{ __schema { types { name fields { name type { name } } } } }` — returns the complete type system. From that single response, the attacker reconstructs every query, mutation, subscription, the arguments each takes, and the relationships between types. Tools like graphql-voyager render the result as an interactive map. Combined with permissive resolvers (no per-query authorization), introspection is the input that makes targeted enumeration trivial. Even with strict authorization, knowing internal types like `_AdminInternal` or fields like `mfaSecret` is information the attacker shouldn't have.
影响范围
Recon impact dominates — knowing the schema converts blind probing into surgical queries. Combined with authorization bugs (resolver-level IDOR, missing field-level auth), introspection is the recipe for efficient mass data extraction. Schema disclosure also reveals product roadmap details (unreleased fields and types) and internal naming conventions that may inform social engineering.
// what fixvibe checks
What FixVibe checks
FixVibe maps externally visible application surfaces with passive signals and safe metadata checks. Reports summarize the exposed surface and remediation priorities. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
铁壁防御
Disable introspection in production. Apollo Server 4: `introspection: false` in config (already the default for production builds). Yoga: `useDisableIntrospection` plugin. Hot Chocolate (.NET): `.AddIntrospection(false)`. Hasura: set `HASURA_GRAPHQL_ENABLE_TELEMETRY=false` plus the per-role schema introspection toggle. Don't rely on rate-limiting introspection — one query is enough. For developer access, host a documentation site that's authenticated separately, or use schema diffing in CI to detect changes without exposing the full schema at runtime. As a defense-in-depth layer, also disable field-suggestion responses (most servers offer a flag for 'Did you mean X?' messages) since those leak schema details even when introspection is off.