HIGH graphql introspectionfiber

Graphql Introspection in Fiber

Scan for graphql introspection in fiber

How Graphql Introspection Manifests in Fiber

GraphQL introspection is a powerful feature that allows clients to query the schema of a GraphQL API, but when left exposed in production, it becomes a significant security risk. In Fiber applications, this vulnerability manifests through the default GraphQL configuration that enables introspection without proper controls.

The most common manifestation occurs when developers use the fiber-graphql middleware without disabling introspection in production environments. By default, the introspection query is enabled, allowing any unauthenticated user to retrieve the complete schema definition. This includes all object types, mutations, queries, and even internal fields that should remain hidden from external consumers.

In Fiber applications, introspection typically appears through the following patterns:

router := fiber.New()

gql := fibergraphql.New(
    fibergraphql.Config{
        Schema: &schema,
        // Introspection is enabled by default
    },
)

router.Use("/graphql", gql)

Attackers exploit this by sending the standard introspection query:

{
  __schema {
    types {
      name
      fields {
        name
        type { name }
      }
    }
  }
}

This returns the entire schema structure, revealing:

  • All available queries and mutations
  • Input object structures and required fields
  • Enum values and possible options
  • Internal types that shouldn't be exposed
  • Field arguments and their validation rules

Once attackers have the schema, they can craft targeted attacks against specific mutations or queries, understand the data model completely, and identify potential injection points or authorization bypasses. In Fiber applications, this is particularly dangerous because the schema often contains business logic details that shouldn't be public knowledge.

Fiber-Specific Detection

Detecting GraphQL introspection vulnerabilities in Fiber applications requires both manual testing and automated scanning. The most straightforward detection method is sending an introspection query to your GraphQL endpoint and observing the response.

Manual detection in Fiber:

curl -X POST http://your-fiber-app/graphql \
  -H "Content-Type: application/json" \
  -d '{"query": "{__schema{types{name}}}"}

If you receive a detailed schema response, introspection is enabled. For more comprehensive detection, you can use middleBrick's automated scanning capabilities, which specifically test for GraphQL introspection vulnerabilities.

middleBrick's GraphQL introspection detection includes:

  • Automated introspection query execution against GraphQL endpoints
  • Schema analysis to identify exposed types and fields
  • Detection of deprecated fields that might indicate legacy or risky functionality
  • Analysis of mutation patterns that could indicate data exposure risks

The scanner tests against common GraphQL introspection patterns and provides a risk score based on the completeness of the exposed schema. For Fiber applications specifically, middleBrick can identify when the fiber-graphql middleware is configured without proper introspection controls.

Additional detection methods for Fiber applications:

// Check your GraphQL middleware configuration
if middleware.Config.Introspection == nil || *middleware.Config.Introspection {
    fmt.Println("Introspection is enabled")
}

You can also inspect the Fiber application's GraphQL middleware setup to verify whether introspection is properly configured for production environments.

Fiber-Specific Remediation

Remediating GraphQL introspection vulnerabilities in Fiber applications requires a multi-layered approach. The primary solution is to disable introspection in production while maintaining it for development and testing environments.

Environment-based configuration in Fiber:

router := fiber.New()

// Enable introspection only in development
gql := fibergraphql.New(
    fibergraphql.Config{
        Schema: &schema,
        Introspection: util.GetEnv("GO_ENV", "development") == "development",
    },
)

router.Use("/graphql", gql)

For more granular control, you can implement custom middleware that checks authentication and environment before allowing introspection queries:

func graphqlHandler(schema *graphql.Schema) fiber.Handler {
    return func(c *fiber.Ctx) error {
        // Check if request is an introspection query
        if isIntrospectionQuery(c) {
            // Only allow if authenticated and in dev
            if c.Locals("user") == nil || os.Getenv("GO_ENV") != "development" {
                return c.Status(fiber.StatusForbidden).JSON(fiber.Map{
                    "error": "Introspection disabled",
                })
            }
        }
        
        return fibergraphql.Do(c, schema)
    }
}

func isIntrospectionQuery(c *fiber.Ctx) bool {
    var req map[string]interface{}
    if err := c.BodyParser(&req); err != nil {
        return false
    }
    
    query, ok := req["query"].(string)
    if !ok {
        return false
    }
    
    return strings.Contains(strings.ToLower(query), "__schema") || 
           strings.Contains(strings.ToLower(query), "__type")
}

Another effective approach is implementing schema whitelisting for production:

func filteredSchema(schema *graphql.Schema) *graphql.Schema {
    return graphql.NewSchema(graphql.SchemaConfig{
        Query:    filteredQueryType(schema.Query),
        Mutation: filteredMutationType(schema.Mutation),
        // Other types filtered similarly
    })
}

func filteredQueryType(original graphql.Type) graphql.Type {
    // Create a new object type that only exposes safe fields
    return graphql.NewObject(graphql.ObjectConfig{
        Name:        "Query",
        Fields:      filterFields(original, safeFields),
    })
}

For Fiber applications using the fiber-graphql package, you can also leverage its built-in configuration options:

gql := fibergraphql.New(
    fibergraphql.Config{
        Schema: &schema,
        Introspection: false, // Disable in all environments
        // Alternative: use environment variable
        // Introspection: os.Getenv("ENABLE_INTROSPECTION") == "true",
    },
)

Testing your remediation is crucial. After implementing changes, use middleBrick to verify that introspection is properly disabled and that your GraphQL endpoint maintains full functionality for legitimate clients.

Related CWEs: dataExposure

CWE IDNameSeverity
CWE-200Exposure of Sensitive Information HIGH
CWE-209Error Information Disclosure MEDIUM
CWE-213Exposure of Sensitive Information Due to Incompatible Policies HIGH
CWE-215Insertion of Sensitive Information Into Debugging Code MEDIUM
CWE-312Cleartext Storage of Sensitive Information HIGH
CWE-359Exposure of Private Personal Information (PII) HIGH
CWE-522Insufficiently Protected Credentials CRITICAL
CWE-532Insertion of Sensitive Information into Log File MEDIUM
CWE-538Insertion of Sensitive Information into Externally-Accessible File HIGH
CWE-540Inclusion of Sensitive Information in Source Code HIGH
Scan for graphql introspection in fiber Free API security scan

Frequently Asked Questions

How can I test if my Fiber GraphQL endpoint has introspection enabled?
Send a simple introspection query using curl or a GraphQL client. If you receive a detailed schema response without authentication, introspection is enabled. You can also use middleBrick's automated scanning to test for this vulnerability specifically.
Will disabling introspection break my GraphQL client applications?
No, disabling introspection only affects schema discovery capabilities. Your existing clients that know the schema will continue to work normally. If you need schema documentation for developers, use tools like GraphQL Playground or Apollo Studio instead of exposing introspection in production.

Related Pages

Graphql Introspection in Fiber on AwsGraphQL introspection in Fiber on AWS: how it exposes schema risks and how to disable it with concrete code examples.Graphql Introspection in Fiber on AzureSecure GraphQL introspection in Fiber on Azure with code examples, environment controls, and CI/CD checks.Graphql Introspection in Fiber on DockerUnderstand GraphQL introspection risks in Fiber when deployed in Docker, and apply concrete code fixes to disable it secGraphql Introspection in Fiber on DigitaloceanLearn how GraphQL introspection in Fiber on Digitalocean creates exposure and how to remediate with code examples and miOwasp Api Top 10: Graphql Introspection in FiberUnderstand how GraphQL introspection interacts with OWASP API Top 10 in Fiber, and apply concrete Fiber code fixes to reHipaa: Graphql Introspection in FiberHIPAA considerations for GraphQL introspection in Fiber apps, with Fiber code examples to disable or guard introspectionGdpr: Graphql Introspection in FiberGDPR risks in GraphQL introspection with Fiber, remediation patterns, and code examples to control schema exposure.Nist: Graphql Introspection in FiberExplore NIST considerations for GraphQL introspection with Fiber, including real remediation examples and how middleBricGraphql Introspection in Fiber with Jwt TokensExplore GraphQL introspection risks in Fiber with JWT tokens, including vulnerability patterns and JWT-specific remediatGraphql Introspection in Fiber with Api KeysExplore GraphQL introspection risks in Fiber with API keys, and apply concrete remediation patterns with code examples.Graphql Introspection in Fiber with Hmac SignaturesSecuring GraphQL introspection with Hmac Signatures in Fiber: risks and remediation code examplesGraphql Introspection in Fiber with Basic AuthLearn how GraphQL introspection and Basic Auth interact in Fiber, and apply concrete code fixes to secure your endpoints