INTERFACE by apidays 2023 - Production Ready GraphQL, Antoine Carossio & Tristan Kalos, Escape

Transcript

1. /46 Modern Application Security GraphQL Vulnerabilities in the Wild What

   scanning real-life GraphQL apps told us about Securing GraphQL in Production 1
2. None

3. /46 About Escape First automated Security Testing platform able to

   test the business logic of APIs and GraphQL. https://app.escape.tech/ 2

4. /46 1599 production APIs scanned 3

5. /46 1599 production APIs scanned 416 cumulative scan hours 4

6. /46 1599 production APIs scanned 416 cumulative scan hours 5

   46,809 security alerts found

7. /46 30 security alerts per GraphQL app on average 6

8. /46 Tristan Kalos Co-founder & CEO ✉ [email protected] 🐣 @tristankalos

   Antoine Carossio Co-founder & CTO ✉ [email protected] 🐣 @iCarossio 7 https://escape.tech/resources/state-of-graphql-security-2023/

9. /46 Why is GraphQL vulnerable? 8

10. /46 GraphQL is a query language for APIs 9

11. /46 Why is GraphQL vulnerable? 1 – GraphQL is a

    full-featured language… 10

12. /46 Why is GraphQL vulnerable? 1 – GraphQL is a

    full-featured language… 11 Operations Fields Directives Parameters Aliases Batches Fragments Query Depth Query Width

13. /46 Why is GraphQL vulnerable? 2 - GraphQL is a

    graph… with a lot of different paths leading to the same resource 12

14. /46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL

    is a graph… with a lot of different paths leading to the same resource 13

15. /46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL

    is a graph… with a lot of different paths leading to the same resource 14

16. /46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL

    is a graph… with a lot of different paths leading to the same resource Access control is a nightmare! 15

17. /46 Why is is hard to test production GraphQL apps?

    16

18. /46 The two problems when testing GraphQL APIs Problem 1

    : Classic testing cannot assess the business logic of APIs 17

19. /46 The two problems when testing GraphQL APIs > Solution

    1 : Feedback-Driven API Exploration 18

20. /46 The two problems when testing GraphQL APIs > Solution

    1 : Feedback-Driven API Exploration 19

21. /46 The two problems when testing GraphQL APIs Problem 2

    : GraphQL is a Graph… 1. stripe_token 20

22. /46 The two problems when testing GraphQL APIs > Solution

    2 : Recursively explore all paths in the graph 1. stripe_token 21

23. /46 The findings 22

24. /46 46,809 security alerts found 23

25. /46 Which severity and category? 24

26. /46 Which severity and category? 25 API:01 API:02 API:03 API:05

    API:04 API:06 API:07 API:04 API:07 API:10 API:09 2019:08

27. /46 Which severity and category? 26 API:01 API:02 API:03 API:05

    API:04 API:06 API:07 API:04 API:07 API:10 API:09 2019:08

28. /46 A lot are GraphQL-specific 27

29. /46 GraphQL-specific Vulnerabilities come first 28

30. /46 Top vulnerability 1: Bruteforcing API requests (API:04) Batching: Multiple

    GraphQL Queries in one HTTP Request Aliasing: The same fields multiple times with aliases 29

31. /46 Top vulnerability 1: Bruteforcing API requests (API:04) The problem:

    can be used to bypass rate limiting on login mutations = Bruteforce attack 30

32. /46 Top vulnerability 2: Denial of Service (API:04) Fragments: a

    piece of logic that can be shared between multiple queries 31

33. /46 Top vulnerability 2: Denial of Service (API:04) The problem:

    What if a fragment calls itself? Oops, you got an infinite recursion. 32

34. /46 Top vulnerability 3: Internal API Schema Leak (API:07) The

    problem: Endpoints with disabled introspection still leaks underlying schema through field suggestio 33

35. /46 Top vulnerability 3: Internal API Schema Leak (API:07) The

    problem: Endpoints with disabled introspection still leaks underlying API Schema through field suggestion using open source tool Clairvoyance, anybody can build back the full Schema. 34

36. /46 Classic API vulnerabilities are still there 35

37. /46 HTTP Errors, Access Control Issues, Injections 36

38. /46 API Errors and Stacktraces disclosing internal data (API:07) The

    problem: Stack Traces give too much information on what’s vulnerable in your app 👀 (12% endpoints misconfigured) 37

39. /46 Access Control issues (API:01,02,03,05) The problem: Most routes writing

    data (mutations) are not supposed to be accessible without authentication 38

40. /46 Injections are still there (API2019:08) • 16 SQL or

    NoSQL injections • 1 bash command injection • 3 Server Side Request Forgery 39

41. /46 VI. Sensitive data made public! 40

42. /46 4,493 potential PII and token leaks found. 41

43. /46 4,493 potential PII and token leaks found. • Emails

    • Phone numbers • Passport numbers • Bank Account numbers 42

44. /46 4,493 potential PII and token leaks found. • API

    Keys: AWS, GCP • Private RSA Keys • Auth Tokens: Adobe, Asana, Github… 43

45. /46 44 • DOS & Complexity issues: ◦ API04: Unrestricted

    Resource Consumption < Due to GraphQL-specific features • Access Control, Authentication and Authorization: ◦ API01: Broken Object Level Authorization (BOLA) ◦ API02: Broken Authentication ◦ API03: Broken Object Property Level Authorization (BOPLA) ◦ API05: Broken Function Level Authorization (BFLA) < Very common because of the graph nature of GraphQL • Security Misconfiguration and Information Disclosure ◦ API07: Security Misconfiguration < Federated GraphQL apps often forget to catch error messages from underlying APIs < Development features enabled in prod How does OWASP TOP 10 reflect in prod-ready GraphQL apps?

46. /46 Conclusion, using unauthenticated API calls: • We found 130k+

    public GraphQL APIs into the wild and scanned 1599 of them • Highlighted numerous vulnerabilities, most frequently GraphQL Specific, but not only • Access control flaws and secret leaks are *very* frequent in GraphQL 45

47. /46 Tristan Kalos Co-founder & CEO ✉ [email protected] 🐣 @tristankalos

    Antoine Carossio Co-founder & CTO ✉ [email protected] 🐣 @iCarossio 46/4 7 https://escape.tech/resources/state-of-graphql-security-2023/