
APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)


APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Learn how to attack and mitigate vulnerabilities in GraphQL
Parth Shukla, Security Analyst at Cequence Security

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

March 21, 2023


Transcript

  1. Why GraphQL?
    ➔ Increased efficiency: request exactly the data you need. Nothing more, nothing less.
    ➔ Better flexibility: evolve and iterate on the API without impacting clients.
    ➔ Facilitates collaboration: GraphQL provides a common language for both frontend and backend.
    Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED
    PUN: Why settle for the simplicity of REST when you can spend your days writing complex GraphQL schemas that nobody understands?
  2. Common GraphQL Endpoints
    TIP: I would rather create a wordlist of common GraphQL endpoints and pass it to FFUF, DirBuster, etc.
    List of common API endpoints:
    1. /graphql
    2. /graphql.php
    3. /graphiql
    4. /v1/explorer
    5. /v1/graphiql
    6. /v2/graphql/console
  3. DIFFERENT TYPES OF QUERIES IN GRAPHQL
    PUN: "A GraphQL query is like a conversation with a waiter at a restaurant. You tell the waiter what you want to eat (i.e., the data you want to retrieve), and the waiter brings it to your table. But unlike a restaurant, you don't have to leave a tip!"
  4. QUERY, MUTATION, SUBSCRIPTION
    QUERY: A query is used to retrieve data from a GraphQL server. It is analogous to a GET request in a REST API. A query consists of a set of fields that define the data the client wants to fetch from the server.
    MUTATION: A mutation is used to modify data on a GraphQL server. It is analogous to a POST, PUT, or DELETE request in a REST API. A mutation consists of a set of input arguments and fields that define the data the client wants to change on the server.
    SUBSCRIPTION: A subscription is used to receive real-time updates from a GraphQL server. It is similar to a query, but instead of returning a single result, a subscription returns a stream of data that is sent to the client whenever the server's data changes.
  5. ATTACKER'S PERSPECTIVE ON GRAPHQL
    PUN: Why did the GraphQL developer refuse to use REST? Because they didn't want to get caught up in a "REST-riction" when it came to querying data!
  6. THE INTROSPECTION
    PUN: Why did the GraphQL schema go to therapy? Because it needed some introspecc-tion!
    GraphQL introspection is a feature that allows a GraphQL client to query the GraphQL schema at runtime to get information about the available types, fields, and directives that the schema supports. This information can be used to understand the schema's structure, generate documentation, or even to dynamically generate GraphQL queries and mutations.
    INTROSPECTION QUERY (shown on the slide)
  7. Why is Introspection a vulnerability?
    Introspection can reveal sensitive information about the application's underlying data model.
    TIP: The output of introspection might not be readable. To view it in a much better way, use “apis.guru/graphql-voyager/”.
  8. Can we exploit Batching in GraphQL?
    Batching is a technique used in GraphQL to optimize queries by allowing multiple queries to be sent in a single HTTP request.
    TIP: GraphQL batching is not inherently a vulnerability, but … let's find out.
  9. EXPLOIT FOR BATCHING
    TIP: Use the “BatchQL” tool by Assetnote.
    The most common attack on batching is a Denial of Service (DoS) attack. If an attacker sends a large number of batched queries that require significant processing, it could cause the server to become overwhelmed and result in a denial-of-service attack.
    PoC in next slide.
  10. Authentication Bypass with the help of Batching
    TIP: Mainly works where 2FA is present.
  11. BYPASSING 2FA
    TIP: Use the “BatchQL” tool by Assetnote.
    We can see that we pass 3 different verification codes, and even if only one code is correct, we get a successful response.
    Credit: Assetnote
  12. Testing for Directive Overloading
    TIP: Directive overloading is neglected because developers and hackers concentrate on batching.
    Let's see a live PoC.
  13. WHAT ARE RUNTIME DIRECTIVES?
    The purpose of runtime directives is to modify the execution. There are two main runtime directives in GraphQL: @skip and @include.
    • @skip(if: ...) skips the selection if the if: ... value is truthy
    • @include(if: ...) includes the selection if the if: ... value is truthy
    Note the execution time.
    TIP: Multiple errors confirm that the server is vulnerable to directive overloading.
  14. POSSIBLE MITIGATIONS
    • Implement depth limiting for incoming GraphQL queries
    • Perform query cost analysis to limit expensive queries
    • Enforce rate-limiting for incoming requests per API client
    • Add timeouts for both the infrastructure and API layer
    • Disable introspection queries in public APIs
    • Use a whitelist for allowed characters
    • Add pagination to limit the amount of information that can be accessed by a single request
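As an added example (not from the slides or from Cequence), the following dependency-free JavaScript pre-check applies several of the mitigations listed above to an incoming GraphQL HTTP body before it reaches the executor: it rejects oversized JSON batches and alias-based batches (the batching and 2FA-bypass slides), counts directives (the directive-overloading slides), limits nesting depth, and refuses introspection root fields. The limit values and the function names (`analyzeQuery`, `checkRequest`) are my own assumptions.

```javascript
// Added example (not from the slides): dependency-free pre-checks on a GraphQL HTTP
// body, applied before the document reaches the executor. LIMITS are constructed values.
const LIMITS = { batch: 5, rootFields: 10, depth: 8, directives: 10, allowIntrospection: false };

// Blank out string literals and comments so braces and '@' inside them are not counted.
function stripLiterals(q) {
  return q.replace(/"""[\s\S]*?"""/g, '""')
          .replace(/"(?:\\.|[^"\\])*"/g, '""')
          .replace(/#.*$/gm, '');
}

// Measure one document: max selection depth, directive count, number of root-level
// selections (each alias is a separate selection, which alias batching relies on)
// and whether a root selection is an introspection field (__schema or __type).
function analyzeQuery(query) {
  const tokens = stripLiterals(query).match(/\.\.\.|[{}()@:]|[_A-Za-z]\w*|\S/g) || [];
  let depth = 0, paren = 0, maxDepth = 0, directives = 0, rootFields = 0;
  let introspection = false, prev = '';
  for (const t of tokens) {
    if (t === '{') { depth++; maxDepth = Math.max(maxDepth, depth); }
    else if (t === '}') depth--;
    else if (t === '(') paren++;
    else if (t === ')') paren--;
    else if (t === '@') directives++;
    else if (/^[_A-Za-z]/.test(t) && depth === 1 && paren === 0 &&
             !['@', ':', '...', 'on'].includes(prev)) {   // a root selection (alias or field)
      rootFields++;
      if (t === '__schema' || t === '__type') introspection = true;
    }
    prev = t;
  }
  return { maxDepth, directives, rootFields, introspection };
}

// body is the parsed JSON POST body: one operation object, or an array when batched.
// Returns a reason string for the first violated limit, or null if the request may proceed.
function checkRequest(body) {
  const ops = Array.isArray(body) ? body : [body];
  if (ops.length > LIMITS.batch) return `batch of ${ops.length} exceeds ${LIMITS.batch}`;
  let totalRoot = 0;
  for (const op of ops) {
    const m = analyzeQuery(String((op && op.query) || ''));
    if (m.introspection && !LIMITS.allowIntrospection) return 'introspection is disabled';
    if (m.maxDepth > LIMITS.depth) return `depth ${m.maxDepth} exceeds ${LIMITS.depth}`;
    if (m.directives > LIMITS.directives) return `${m.directives} directives exceed ${LIMITS.directives}`;
    totalRoot += m.rootFields;
  }
  if (totalRoot > LIMITS.rootFields) return `${totalRoot} root selections exceed ${LIMITS.rootFields}`;
  return null;
}
```

Counting root selections across the whole request (rather than HTTP requests) is what makes per-attempt rate limiting on a verification mutation hold up against both JSON batching and alias batching.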
  15. To Succeed, Security Teams Need Unified API Protection: An Integrated Solution Across the Entire API Protection Lifecycle
    Continuous API Protection Lifecycle:
    • Discovery: identify public-facing APIs
    • Inventory: provide a unified inventory of ALL APIs
    • Compliance: ensure adherence to security and governance best practices
    • Testing: secure new APIs before go-live
    • Prevention: block attacks natively in real time
    • Detection: detect attacks as they happen
  16. Thank You / Merci / Gracias / Danke / Grazie / Dhanyavaad / Shukraan / Arigato
    Did someone mention that Cequence can provide you with a free security assessment?