Attack Tree Design Based on a Time Metric for GraphQL Exploitation with an Information Disclosure Vulnerability (original title: Desain Attack Tree Berdasar Metrik Time Pada Eksploitasi GraphQL Dengan Information Disclosure Vulnerability)
Authors: Napisa, Rida; Widjajarto, A.; Hediyanto, Umar Yunan Kurnia Septo
Jurnal Teknologi Dan Sistem Informasi Bisnis Vol 7 No 2 (2025): April 2025
Publisher: Prodi Sistem Informasi Universitas Dharma Andalas

DOI: 10.47233/jteksis.v7i2.1627

Abstract

Graph Query Language (GraphQL) is a query language designed to manage interactions between clients and Application Programming Interfaces (APIs). GraphQL was created to simplify data exchange between backend and frontend by providing a clear, easily understood description of the available data. As GraphQL continues to gain popularity, security best practices and tools to test and protect GraphQL APIs become increasingly important. Like other technologies, GraphQL has weaknesses; one of them is its introspection feature, which can reveal sensitive information that should not be exposed. This research therefore aims to identify information disclosure vulnerabilities in GraphQL APIs and to compare the time required for exploitation under two security states: before and after hardening. Two methods and two tools are used for this purpose: Introspection with InQL and Field Suggestion with Clairvoyance. The results are represented visually as an Attack Tree to give a comprehensive overview of the exploitation paths and potential attacks. After implementation, the results showed that the most successful and efficient exploitation method for the information disclosure vulnerability before hardening was the Field Suggestion method, with a total time of 7.94 seconds. The most efficient method was the same before and after hardening: the Field Suggestion method took a total of 8.99 seconds after hardening. Based on this time comparison, it can be concluded that the shorter the time required, the more quickly an attacker can obtain harmful information from GraphQL.