Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hacking GraphQL

Anugrah SR
February 27, 2024
530

Hacking GraphQL

Anugrah SR

February 27, 2024
Tweet

Transcript

  1. ANUGRAH S R Cyber Security consultant and Security Researcher Bugbounty

    Hunter Synack Red Team Member Hacked and secured multiple organisations including Apple, Redbull, Sony, Dell, Netflix and many more Twitter: @cyph3r_asr | LinkedIn: anugrah-sr Blog: www.anugrahsr.in Connect with me
  2. Bug bounty hunter: $$$$ Pentester/ VAPT: Amazing finding to your

    report Developer : Make your app more secure
  3. ‌ GraphQL is an open-source data query language and data

    manipulation language for APIs, and a query runtime engine. GraphQL is a query language that was created by Facebook and made public in 2015. It offers an alternative to using REST APIs for data retrieval.‌ ‌
  4. ‌ GraphQL was created for more flexible and efficient API

    development. It addresses the limitations and challenges of REST APIs. GraphQL provides greater flexibility compared to REST APIs. REST APIs require multiple round trips to the server to fetch data. GraphQL solves the need for multiple round trips to the server by allowing developers to specify the data they need in a single request. Why GraphQL?
  5. Avoid Over- and Underfetching: we only fetch what we need

    from the server by constructing our query to only include what we need. Prevent multiple API calls: In case you need more data, you can also avoid making multiple calls to your API. In the case above, you don't need to make 2 API calls to fetch /order and /product separately. API Versioning: When the need for new features arises, you can easily add additional fields, queries, mutations, etc. to the server without affecting other parts of the application. Additionally, it is easier to remove old features. Self-documenting: Every GraphQL API conforms to a "schema" which is the graph data model and what kinds of queries a client can make. Why GraphQL?
  6. /graphql /graphql/console /graphql.php /graphiql.php /explorer /altair /playground Reconnaissance / Discovery

    https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt
  7. Fuzzing ffuf -w graphql.txt -u https://target/FUZZ Reconnaissance / Discovery Nuclei

    #List of targets nuclei -t graphql-detect.yaml -l target_domains.txt #Single target nuclei -t graphql-detect.yaml -u https://example.com
  8. Graphw00f python3 main.py -f -d -t http://localhost:5000 Reconnaissance / Discovery

    https://github.com/dolevf/graphw00f https://github.com/nicholasaleks/graphql-threat-matrix/ GraphQL Threat Matrix Other tools for discovery goctopus graphinder
  9. Introspection Query: Special type of query that can be used

    to retrieve the schema for a GraphQL API. This schema defines the types of data that the API can return, available fields for those types and the arguments that can be passed to those fields. Generating documentation for an API Helping to debug an issue with the schema. Where is the API documentation? What all API functions exist? query { __schema { types { name fields { name type { name kind } } } } }
  10. clairvoyance What if Introspection query is disabled ? https://github.com/nikitastupin/clairvoyance Let's

    abuse GraphQL have a feature for fields and operations suggestions.
  11. Denial of Service (DOS) Resource Intensive Query Attack Batch Query

    Attack Aliases based Attack Field Duplication Attack Deep Recursion Query Attack Unrestricted Resource Consumption
  12. Server Side Request Forgery (SSRF) Allows an attacker to induce

    the server-side application to make requests to an unintended location.
  13. Broken Object Level Authorization (BOLA) Broken Object Level Authorization, formerly

    Insecure Direct Object Reference (IDOR), remains the most significant risk for APIs, as it did in 2019.
  14. Broken Authentication Authentication is “broken” when attackers are able to

    compromise passwords, keys or session tokens, user account information, and other details to assume user identities.
  15. Broken Object Property Level Authorization (BOPLA) It is crucial to

    verify that a user has the authorization to access the specific fields of a GraphQL object they are attempting to reach via the API. BOPLA is a new addition that combines the 2019 list’s Excess Data Exposure and Mass Assignment. recentLocation
  16. Broken Function Level Authorization (BFLA) BFLA emphasizing the importance of

    proper logging and monitoring. It refers to a permission IDOR, whereby a regular user can perform an administrator-level task. An attacker could exploit a BFLA vulnerability to ban other users, whereas normally only a moderator can.
  17. Lack of Protection from Automated Threats Developers should know this

    risk and implement measures to prevent excessive automated access to their business-sensitive API endpoints. Implement rate limiting, user behavior analysis, and CAPTCHAs to protect your API from excessive automated access.
  18. Improper Inventory Management Developers should ensure they clearly understand their

    API inventory and maintain thorough documentation. Security by obscurity, a DevSecOps decides to close introspection from the production environment,but they keep it open on the public staging environment Introspection enabled: https://target.com - ❌ https://dev.target.com - ✅ https://staging.target.com - ✅ https://uat.taget.com - ✅
  19. Injection Attacks An attacker supplies untrusted input to a program.

    This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. OS Command Injection
  20. Injection Attacks An attacker supplies untrusted input to a program.

    This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. Stored XSS
  21. Injection Attacks An attacker supplies untrusted input to a program.

    This input gets processed by an interpreter as part of a command or query. In turn, this alters the execution of that program. SQL Injection