Expected Findings
- Anonymous callers can enumerate schema-like fields.
- Sensitive employee fields are exposed through over-fetching.
The embedded explorer fires an anonymous introspection-style request on load and shows how easy it is to over-fetch sensitive fields.
{ __schema { types { name fields { name } } } }
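A server-side counterpart to both findings, as an added example that is not code from the application described here: a request gate that refuses introspection meta-fields to anonymous callers, and a response filter that returns only allowlisted employee fields. The role names, the employee field names (`salary`, `ssn` and so on) and every function name are assumptions made for illustration.

```javascript
// Added example: role names, field names and helpers are hypothetical.
const INTROSPECTION_FIELDS = new Set(["__schema", "__type"]);

// Constructed per-role allowlist for a constructed Employee type.
const EMPLOYEE_FIELDS_BY_ROLE = new Map([
  ["anonymous", new Set(["id", "name", "department"])],
  ["hr", new Set(["id", "name", "department", "salary", "ssn"])],
]);

// Blank out string literals and comments in one pass, so "__schema" inside
// an argument value or a comment is not mistaken for a field selection.
function stripLiterals(query) {
  return query.replace(/"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*/g, " ");
}

// Conservative token scan; a server with a real GraphQL parser would apply
// the same rule to the parsed document instead.
function usesIntrospection(query) {
  const names = stripLiterals(query).match(/[_A-Za-z][_0-9A-Za-z]*/g) || [];
  return names.some((n) => INTROSPECTION_FIELDS.has(n));
}

// Request gate: anonymous (or unknown-role) callers may not introspect.
function authorize(query, role) {
  const known = EMPLOYEE_FIELDS_BY_ROLE.has(role) && role !== "anonymous";
  if (!known && usesIntrospection(query)) {
    return { allowed: false, reason: "introspection requires authentication" };
  }
  return { allowed: true, reason: null };
}

// Response filter: drop every field the caller's role does not list.
// Unknown roles fall back to the anonymous allowlist (deny by default).
function redactEmployee(record, role) {
  const allowed = EMPLOYEE_FIELDS_BY_ROLE.get(role) || EMPLOYEE_FIELDS_BY_ROLE.get("anonymous");
  return Object.fromEntries(Object.entries(record).filter(([k]) => allowed.has(k)));
}

// The request from the page, plus a constructed record.
const PAGE_QUERY = "{ __schema { types { name fields { name } } } }";
const SAMPLE = { id: 7, name: "A. Example", department: "Ops", salary: 1, ssn: "000-00-0000" };
console.log(authorize(PAGE_QUERY, "anonymous"));
console.log(authorize('{ employees(search: "__schema") { name } }', "anonymous"));
console.log(redactEmployee(SAMPLE, "anonymous"));
```

Filtering the response by role addresses over-fetching even when a caller already knows the field names, which disabling introspection alone does not.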