apidays
February 07, 2026

apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Detection

Advanced GraphQL Security with AI-Driven Threat Detection
Speaker: Hiranya Kavishani, Technical Lead at WSO2

This talk by Hiranya Kavishani, Technical Lead at WSO2, explores how AI and machine learning can be applied to secure GraphQL APIs from advanced threats that traditional security mechanisms often miss. While GraphQL enables precise data access and developer efficiency, it also opens the door to complex attack vectors like deeply nested queries, alias overloading, query injections, and denial-of-service attacks. Many of these threats slip past REST-era protections or static validations.

The presentation covers how intelligent models—trained on query behaviour patterns and schema structures—can detect anomalies, identify zero-day attacks, and adapt to evolving threat landscapes in real time. We’ll discuss approaches such as graph-based anomaly detection, few-shot payload classifiers, and explainable AI (XAI) to make detection more accurate, lightweight, and transparent.

Key Takeaways:

• A clear understanding of the unique security challenges in GraphQL

• Practical methods to integrate AI-driven threat detection at the query layer

• Strategies to improve detection accuracy while maintaining developer agility and system performance

As APIs grow more dynamic and data-rich, security must evolve too. This talk shows how AI can play a crucial role in defending GraphQL APIs without slowing innovation.

Conference Details:
Conference: apidays Australia 2025
Theme: Platforms, Products, and People: The Power of APIs in the Age of AI
Date: 29 - 30 October 2025 • MCEC, Melbourne Australia

--------------------------

Resources from apidays:
Join our upcoming conferences: https://www.apidays.global/
Read the latest API news: https://www.apiscene.io
Explore the API Landscape: https://apilandscape.apiscene.io/


Transcript

  1. Attack Vectors You Can’t Ignore for GraphQL APIs

    • Structural/Shape Abuse
      ◦ Excessive query depth/circular queries
      ◦ Alias/batch overloading
      ◦ Field duplication/fragment explosion
      ◦ Directive & fragment misuse
      ◦ Intersection abuse
    • Payload & Semantic Attacks
      ◦ SQL Injection (SQLi) in variables/resolvers
      ◦ XSS via encoded inputs
      ◦ OS command injection hidden in resolver inputs
      ◦ SSRF - Attacker URLs added in variables
      ◦ CSRF - Attacker tricks a user’s browser session
    • Behavioral/Business-logic Abuse
      ◦ Reconnaissance & low-noise probing (schema mapping)
      ◦ Chained/temporal attacks that exfiltrate over time
      ◦ Business-logic abuse (e.g. BNPL credit harvesting)
  2. Real Incidents to Attack Vectors

    • GitLab (Sep 2025)
      ◦ Impact: High CPU load → DoS
      ◦ Attack Vector: Structural Abuse
    • Zimbra (Apr 2025)
      ◦ Impact: Data exposure (CSRF in GraphQL mutation, unauthorized data access)
      ◦ Attack Vector: Semantic Abuse
    • Chaos Mesh (Sep 2025)
      ◦ Impact: Remote execution (OS command injection through GraphQL mutation)
      ◦ Attack Vector: Semantic Abuse
    • Burger King (Aug 2025)
      ◦ Impact: Introspection queries -> admin account takeover -> unauthorized data access -> financial fraud
      ◦ Attack Vector: Behavioral Abuse
  3. Why Traditional Defenses Can’t Stop GraphQL Attacks

    • Static query analysis tools
      ◦ Fixed thresholds → catch obvious shapes, miss obfuscated payloads
      ◦ Thresholds are arbitrary - too strict or too loose
    • Rate limits & depth checks
      ◦ Stop brute force, not intent
      ◦ Blind to low-and-slow or semantic abuse
    • WAFs
      ◦ Built for REST, blind to GraphQL nested queries/variables/fragments

    Ex:

        mutation AddComment($input: String!) {
          addComment(text: $input) {
            id
            text
          }
        }

        { "input": "\\u003Cscript\\u003Ealert('XSS')\\u003C/script\\u003E" }
  4. GraphQL in 2027: Adoption Rising, Risk Accelerating

    • Gartner Forecast - 60% of enterprises will adopt GraphQL by 2027
    • 69% of GraphQL APIs vulnerable to DoS attacks
    • Adoption is accelerating — and exposure is expanding.

    Sources: https://cybersecuritynews.com/graphql-security-2024-report/
  5. Introducing Smart Guard - Unified Defense for GraphQL APIs

    • What is it?
      ◦ An intelligent, multi-layered defense
      ◦ Protect GraphQL APIs from structural, semantic, and behavioral attacks
    • Core Defense Layers
      ◦ Structural Analysis through LLM-Driven policies
        ▪ Using smart, context-aware policies for each API using its GraphQL SDL
      ◦ ML/NLP based Payload & Semantic Detection
        ▪ Using Pre-trained per-API embedding models
      ◦ Behavioral & Business Logic Analysis
        ▪ Tracking per live user and session behavior to detect anomalies such as fraud, data harvesting, or abuse.
  6. Defense Layer 1: Defend Against Structural Abuse

    • API-specific smart policies via LLM Policy Generator
      ◦ Pass GraphQL API SDL with short developer prompt to LLM
      ◦ Generate context-aware policies that learn each API’s schema and constraints
    • Enforce API-specific LLM policies at runtime through Structural Threat Detector
      ◦ Detect alias, directive, batch overloading, etc.
  7. Defense Layer 1: Defend Against Structural Abuse

    • Developer context defines precise thresholds
      ◦ Use cases: E-commerce checkout, BNPL credit check, etc.
      ◦ Expected query patterns: Depth ≈ 3–5, ~100 nodes per response
      ◦ Heavy fields/resolvers: Flag high-cost or sensitive ones
      ◦ Access control: Define which roles can use introspection or multi-operations
  8. Defense Layer 2: Defend Against Payload & Semantic Attacks

    • API-specific ML/NLP model (e.g. SBERT embedding model)
      ◦ Trained on a standardized dataset (benign + obfuscated labeled samples)
        ▪ Generated by GraphQL SDL + vulnerability templates (SQLi, XSS, etc.)
      ◦ To learn payload semantics & intent
    • Enforce the model at runtime through Payload & Semantic Threat Detector
      ◦ Inspect payload and detect emoji/Unicode/encoded malicious payloads
      ◦ Correlate payload signals with metadata (origin/referer, headers, rate, resolver type)
  9. Defense Layer 3: Behavioral & Business Logic Abuses

    • API-Specific Learn - Build a baseline of normal behavior from live API traffic
    • Analyze - Track user sequences using a combination of real-time streaming and graph-based analytics
    • Context - Correlate user actions, timing, and other data for a complete picture
    • Detect - An AI model (like a GRU) flags subtle anomalies and abuses like data harvesting or promo misuse
  10. Decision Engine

    • Structural Analysis: Query shape, complexity, cost
    • Semantic Analysis: Meaning & encoded payloads
    • Behavioral Analysis: Sequence analysis
    • Decision Engine: Risk Scoring + Adaptive Rules + Context Correlation
    • Enforcement Actions
      ◦ Allow: Query safe-execute normally
      ◦ Restrict: Adjust depth, pagination, return guidance
      ◦ Throttle: Slow or rate-limit client
      ◦ Sanitize/Flag: Clean payload, log anomaly
      ◦ Re-auth/Temp Hold: Ask identity verification before next query
      ◦ Block/Reject: Block the query
  11. Evolving GraphQL Defense Through Observability

    • Defense Intelligence Loop
      ◦ Capture every query log and correlate signals
      ◦ Detect evolving patterns across time, users, and endpoints
      ◦ Continuously learn from real traffic and confirmed real incidents and pass the data
        ▪ To refine LLM policies and adaptive rules
          • Use validated real-world insights to tune schema-aware policies
          • Adjust thresholds and enforcement logic for precision and fewer false positives
        ▪ To evolve Adaptive Learning models
          • Apply Human validation to prevent bias or drift
          • Feed enriched logs into adaptive learning models
          • Retrain while preserving prior knowledge, avoiding catastrophic forgetting
  12. The Hidden Challenges of Defending GraphQL Using AI

    Challenge: Description

    • Schema Evolution: GraphQL schema changes over time — makes detection brittle
    • Data Generation for AI: Need labeled or synthetic data to train semantic model
    • Cold Start Problem (Behavioral): Need sufficient query history to detect anomalies
    • Complex Payloads: NLP mixed with SQLi/XSS or emojis/Unicode
    • Subtle Threat Patterns: Hard to distinguish legitimate usage vs slow abuse
    • Sequence Modeling: Multi-step attacks look innocent alone but are malicious in flow
    • User Spoofing: Attackers can rotate IPs, spoof headers, or jump sessions
    • Scaling AI Models: Real-time inference with large models can be costly or slow
  13. Summary & Next Steps

    • GraphQL is Powerful – But Inherently Risky
      ◦ One endpoint + flexible queries → broad attack surface
      ◦ Static thresholds are brittle - too strict or too loose
      ◦ Existing mechanisms can’t understand intent
    • What Smart Guard AI Introduces through the unified defense model
      ◦ Three AI Defense Layers
        ▪ Context-aware structural policies (via LLM)
        ▪ Semantic & intent-based detection (via ML/NLP embedding models)
        ▪ Session-level behavior analysis (via anomaly models)
      ◦ Decision Engine - Makes the enforcement action and feedback
      ◦ Continuous Learning Loop - Refines the model accuracy and response precision over time
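
The runtime structural check described on slides 6 and 7, as an added example that is not code from the talk or from WSO2: a per-API policy is enforced against the measured shape of each incoming query. The depth and node limits follow slide 7; the alias limit, role set, policy field names and the tokenizer are assumptions made here.

```python
import re

# Hypothetical per-API policy. Depth and node limits follow the "expected
# query patterns" on slide 7; the alias limit and role set are assumed values.
POLICY = {"max_depth": 5, "max_nodes": 100, "max_aliases": 10,
          "introspection_roles": {"admin"}}

# String literals and comments are matched first so their contents are skipped.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|@\w+|[{}()\[\]:]|\$?[_A-Za-z]\w*')

def measure(query):
    """Depth, field nodes, aliases, introspection use (fragments not expanded)."""
    toks = [t for t in TOKEN.findall(query) if t[0] not in '#"']
    m = {"depth": 0, "nodes": 0, "aliases": 0, "introspection": False}
    depth = paren = 0
    for i, tok in enumerate(toks):
        if tok in ("(", "["):
            paren += 1
        elif tok in (")", "]"):
            paren -= 1
        elif paren:                       # argument values are not query shape
            continue
        elif tok == "{":
            depth += 1
            m["depth"] = max(m["depth"], depth)
        elif tok == "}":
            depth -= 1
        elif depth and (tok[0] == "_" or tok[0].isalpha()):
            before = toks[max(i - 2, 0):i]
            if before[-1:] == ["..."] or before == ["...", "on"]:
                continue                  # fragment spread or type condition
            if toks[i + 1:i + 2] == [":"]:
                m["aliases"] += 1         # alias; the aliased field comes next
            else:
                m["nodes"] += 1
                m["introspection"] |= tok in ("__schema", "__type")
    return m

def evaluate(query, role="user", policy=POLICY):
    """Return policy violations for one query; an empty list means allow."""
    m = measure(query)
    out = [f"{k} {m[k]} exceeds {policy['max_' + k]}"
           for k in ("depth", "nodes", "aliases") if m[k] > policy["max_" + k]]
    if m["introspection"] and role not in policy["introspection_roles"]:
        out.append(f"introspection denied for role {role}")
    return out

CHECKOUT = "query { cart { items { product { name price } } } }"  # constructed sample
ALIAS_FLOOD = "query {" + " ".join(f"a{i}: creditCheck(id: {i}) {{ score }}" for i in range(40)) + "}"
```

Because fragment spreads are counted but not expanded, a production check would resolve fragments against the parsed document before measuring.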
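
Slide 3's variables document run through an added check that is not code from the talk or from WSO2: the escapes survive JSON parsing, so a pattern filter on the raw value misses the payload, while the same filter applied after canonicalization flags it. This uses iterative decoding plus a fixed pattern in place of the embedding model slide 8 proposes; `SUSPICIOUS`, `canonicalize` and `inspect_variables` are names assumed here.

```python
import html, json, re, unicodedata
from urllib.parse import unquote

# Assumed, deliberately small signature set standing in for a static filter.
SUSPICIOUS = re.compile(r"<\s*/?\s*script\b|javascript\s*:", re.I)
U_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def canonicalize(value, max_rounds=5):
    """Undo unicode-escape, percent, HTML-entity and compatibility encodings
    until the value stops changing; return (canonical value, rounds used)."""
    for rounds in range(max_rounds):
        decoded = U_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = html.unescape(unquote(decoded))
        decoded = unicodedata.normalize("NFKC", decoded)
        if decoded == value:
            return value, rounds
        value = decoded
    return value, max_rounds

def inspect_variables(variables_json):
    """Scan every string in a GraphQL variables document, raw and decoded."""
    findings = []
    def walk(path, node):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(f"{path}.{key}", child)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(f"{path}[{i}]", child)
        elif isinstance(node, str):
            clean, rounds = canonicalize(node)
            findings.append({"path": path, "rounds": rounds,
                             "raw_hit": bool(SUSPICIOUS.search(node)),
                             "decoded_hit": bool(SUSPICIOUS.search(clean))})
    walk("$", json.loads(variables_json))
    return findings

# Variables document exactly as printed on slide 3 (note the doubled backslash).
SLIDE_VARIABLES = r'''{ "input": "\\u003Cscript\\u003Ealert('XSS')\\u003C/script\\u003E" }'''
# Constructed benign input for comparison.
BENIGN_VARIABLES = '{ "input": "Great product, 50% off was a nice surprise" }'

if __name__ == "__main__":
    for doc in (SLIDE_VARIABLES, BENIGN_VARIABLES):
        print(inspect_variables(doc))
```

A non-zero `rounds` value on a field that normally carries plain text is itself a signal worth logging alongside the pattern result.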