http/misconfiguration: add GraphiQL exposure template#15615
Neo - Nuclei Template Review
Medium: 2 highlights
Comment (diff context):
    - "/graphiql.css"
    condition: or
    - type: status
🟡 Removed Content-Type Check Reduces Detection Accuracy — The previous approved version (ffaefae) included a text/html content-type check to ensure only HTML responses match. This commit removes that check, which could cause false positives on JSON error responses or documentation that mention GraphiQL patterns.
Suggested Fix
Re-add the text/html content-type matcher that was present in the approved version (lines 40-43 of graphql-graphiql-exposure.yaml at commit ffaefae). This ensures only HTML pages are matched, consistent with graphql-playground.yaml which also checks for text/html.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@http/misconfiguration/graphql/graphiql-exposure.yaml` after line 39 (after
the body word matcher), re-add the content-type check that was removed: add a
word matcher for part: header, words: ['text/html'] to ensure only HTML
responses trigger detection and avoid false positives on JSON/text responses
mentioning GraphiQL.
Comment (diff context):
    stop-at-first-match: true
    matchers-condition: and
    matchers:
🟡 Removed text/html Content-Type Check Increases False Positive Risk — The approved version (commit ffaefae) included a content-type matcher checking for 'text/html' in the response headers (lines 40-43 of the old file). This critical matcher was removed in the current commit. Without this check, the template will match non-HTML responses such as JSON error messages, application logs, or API responses that happen to contain GraphiQL-related strings.
Suggested Fix
Restore the content-type matcher that was present in the approved commit ffaefae:
      - type: word
        part: header
        words:
          - "text/html"
This should be added between the body word matcher and the status matcher to ensure only HTML responses are matched.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@http/misconfiguration/graphql/graphiql-exposure.yaml` at line 31 (matchers
section), add back the content-type check that was removed from the approved
version. After the body word matcher (lines 32-39) and before the status matcher
(lines 41-43), insert a new word matcher:
      - type: word
        part: header
        words:
          - "text/html"
This ensures the template only matches HTML responses, preventing false
positives on JSON errors, logs, or other non-HTML content containing GraphiQL
strings.
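Both review comments make the same point: with `matchers-condition: and`, the body word matcher and the status matcher alone will flag any 200 response whose body mentions a GraphiQL string, and the `text/html` header matcher is what keeps JSON or log output from matching. The following is an added illustration, not code from this PR or from nuclei itself: a small Python model of the three matchers, run against constructed responses. The body word list, the header values, the sample bodies and the function names are assumptions made for the example.

```python
# Added example (not nuclei's code and not from the PR): a small model of the
# matcher semantics the review discusses, used to show why the text/html
# header matcher matters. Body words, headers and responses are constructed.

from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Assumed body word list for the GraphiQL template; the real template's list
# may differ. "condition: or" means any single word satisfies the matcher.
GRAPHIQL_BODY_WORDS = ['id="graphiql"', "id='graphiql'", "graphiql.createFetcher"]


def word_matcher(text: str, words, condition: str = "or") -> bool:
    """Model of a nuclei word matcher over one part (body or header)."""
    hits = [w in text for w in words]
    return any(hits) if condition == "or" else all(hits)


def raw_headers(resp: Response) -> str:
    # part: header is matched against the raw header block, so rebuild it.
    return "\n".join(f"{name}: {value}" for name, value in resp.headers.items())


def template_matches(resp: Response, require_html: bool) -> bool:
    """matchers-condition: and over body, status and (optionally) header matchers.

    require_html=False models the reviewed commit (content-type check removed);
    require_html=True models the approved version with the check restored.
    """
    matchers = [
        word_matcher(resp.body, GRAPHIQL_BODY_WORDS, "or"),  # body word matcher
        resp.status == 200,                                  # status matcher
    ]
    if require_html:
        matchers.append(word_matcher(raw_headers(resp), ["text/html"]))  # header matcher
    return all(matchers)


# Constructed responses (not captured from any real host)
GRAPHIQL_PAGE = Response(
    200,
    {"Content-Type": "text/html; charset=utf-8"},
    '<html><body><div id="graphiql"></div>'
    '<script>graphiql.createFetcher({url: "/graphql"})</script></body></html>',
)
# A JSON API response that merely mentions a GraphiQL identifier in a message.
JSON_MENTION = Response(
    200,
    {"Content-Type": "application/json"},
    '{"errors":[{"message":"Use graphiql.createFetcher to build a fetcher"}]}',
)
# An HTML 404 page: the status matcher already rejects it in both configurations.
HTML_404 = Response(
    404,
    {"Content-Type": "text/html"},
    '<html><body>Not found: id="graphiql"</body></html>',
)


def false_positives(require_html: bool):
    """Return the names of the non-GraphiQL samples the configuration would flag."""
    samples = {"JSON_MENTION": JSON_MENTION, "HTML_404": HTML_404}
    return [name for name, resp in samples.items() if template_matches(resp, require_html)]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"require_html={flag}: true positive={template_matches(GRAPHIQL_PAGE, flag)}, "
              f"false positives={false_positives(flag)}")
```

Running it shows the real GraphiQL page matching under both configurations, while the JSON response is flagged only when the `text/html` matcher is absent, which is exactly the false-positive risk the review describes.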
Updated the description and increased max-request limit.
Fixes #15614
PR Information
Template validation: nuclei -validate -t http/misconfiguration/graphql/graphql-graphiql-exposure.yaml
Additional Details (leave it blank if not applicable): (recovered fragments) http/technologies/graphiql-detect.yaml, text/html, content, graphiql.createFetcher, GraphiQL, id="graphiql", id='graphiql'
Additional References: