id: apollo-server-detect

info:
  name: Apollo Server GraphQL Introspection - Detect
  author: idealphase
  severity: info
  description: Apollo Server GraphQL introspection was detected.
  reference:
    - https://github.com/apollographql/apollo-server
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cvss-score: 0
    cwe-id: CWE-200
  metadata:
    max-request: 1
  tags: apollo,detect,graphql,tech

http:
  - method: POST
    path:
      - "{{BaseURL}}/graphql"

    headers:
      Content-Type: application/json

    body: |
      {"query":"query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Content-Type: application/json"

      - type: word
        part: body
        words:
          - "GraphQL introspection is not allowed by Apollo Server"

      - type: status
        status:
          - 400
# digest: 490a004630440220187cc51e2c04b11fb8c3f9028abc766355c9977ffa8c86390600f723af07ac4a02202d0fbcdb2de14e492466ce9c0fa6c60e862328a21b84af4992930ce4ee7aa4d9:922c64590222798bb761d5b6d8e72950