Offensive-GraphQL-API-Exploitation

Arun
August 19, 2020

Transcript

  1. OFFENSIVE GRAPHQL API EXPLOITATION - ARUN.S
  2. whoami
     Query whoami {
       Arun.S – Senior Security Consultant @ IBM India Software Labs.
       Speaker at conferences and communities like c0c0n, BSides Delhi, Null/OWASP.
       Null Bangalore Chapter Lead, Member of OWASP & BSides Bangalore.
       Certified – OSCP, eWPT, ECSA etc.
     }
  3. GraphQL
     • GraphQL is open sourced by Facebook.
     • GraphQL is a query language for APIs, not databases.
     • GraphQL is often confused with being a database technology.
     • A GraphQL server only exposes a single endpoint.
     Source: Howtographql.com
  4. GraphQL Schema
     SDL - GraphQL has its own type system that is used to define the schema of an API. The syntax for writing schemas is called Schema Definition Language (SDL).
     Queries
     • Used for retrieving data/results.
     • Similar to GET in REST.
     Mutations
     • Used for state-changing activities.
     • Similar to POST/PUT/DELETE.
     Subscriptions
     • Used for events/real-time updates.
  5. STRENGTHS
     GraphQL architecture has been gaining popularity recently. Some of the reasons I can think of are:
     • No more over- and under-fetching.
     • Simple and efficient to use.
     • Evolve APIs without versioning issues.
     • Schema introspection.
     • Adapts to different requirements for different clients.
     • No wonder big names like Facebook, Shopify, Pinterest, HackerOne etc. have adopted it.
  6. STRENGTHS (figure: GraphQL vs REST comparison)
  7. WEAKNESSES
     Every technology has some disadvantages, and GraphQL does have a few.
     • Query complexity and depth.
     • Rate limiting and timeouts.
     • Caching.
  8. OPPORTUNITIES
     Opportunity for hackers
     • There is a wide scope for pentesters and bug bounty hunters on GraphQL.
     • GraphQL endpoints like /graphql or /graphiql are still publicly available out there due to missing security best practices.
  9. RECON - INTROSPECTION ALLOWED
     • Queries / mutations via schema
     • Endpoint fuzzing
     • &debug=1
  10. RECON TO THE RESCUE WHEN INTROSPECTION IS DISABLED
     • Build queries and mutations
     • Crawl the web app
     • Parse JS files
  11. LOOK FOR THE AUTHENTICATION
     • No auth / protections on resolvers
     • JWT
     • ACL
  12. TOOLS TO THE RESCUE
     • GQL Parser
     • InQL
     • GraphQL Voyager
  13. TOOLS TO THE RESCUE (figure: GraphQL Voyager)
  14. TOOLS TO THE RESCUE (figure: GQL Parser)
  15. TOOLS TO THE RESCUE (figure: InQL)
  16. LABS TO PRACTICE
     • Pentester Lab
     • GQL Goat
     • Digi Ninja Lab
  17. THREATS
     Threats!!! GraphQL gives enormous power to clients. But with great power comes great responsibility!!!
  18. THREATS
     Vulnerabilities!!! Most vulnerabilities that apply to REST APIs and web apps apply to GraphQL as well.
  19. THREATS
     Threats!!! GraphQL is great because it gives the client so much more power. But if not used properly, it could cost more than they can imagine.
  20. COMMON THREATS TO AVOID
     Threats!!! There are many approaches to secure your GraphQL server against these queries, but none of them is bullet proof. It is important to know what options are available, know their limits, and make the best decision from them!
     • Disable the well-known /graphql and /graphiql endpoints on the domain.
     • Craft your own schema and avoid using autogenerated SDL, which creates queries and mutations for you.
     • Input validation, authentication and authorization should never be forgotten.
     • Never trust user input.
     • Enforce a limit on maximum query depth (~<10) and query complexity, set timeouts, and enable throttling based on server time and query complexity.
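As an added example (not from the deck, nor from any of the tools it names), a small Python guard that applies two of the controls listed above before a request reaches the resolvers: it rejects introspection fields (__schema, __type) when introspection is meant to be off, and rejects queries whose selection-set nesting exceeds the depth cap (10 by default). The query strings in the tests are constructed samples; the depth measure counts nested braces after stripping strings and comments, which approximates selection-set depth without a full GraphQL parser (fragment spreads are not expanded).

```python
import re

# Fields a client asks for when it wants to dump the schema (recon).
INTROSPECTION_FIELDS = ("__schema", "__type")


def _strip_strings_and_comments(query: str) -> str:
    """Blank out block strings, plain strings and '#' comments so that
    braces inside them are not mistaken for selection sets."""
    query = re.sub(r'"""[\s\S]*?"""', '""', query)
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    return re.sub(r"#[^\n]*", "", query)


def query_depth(query: str) -> int:
    """Maximum nesting of selection sets; the operation's outer braces count
    as depth 1, so '{ me { friends { id } } }' has depth 3."""
    depth = deepest = 0
    for ch in _strip_strings_and_comments(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in query")
    if depth != 0:
        raise ValueError("unbalanced braces in query")
    return deepest


def uses_introspection(query: str) -> bool:
    """True if the query selects __schema or __type (schema recon);
    __typename is allowed because it is not an introspection root field."""
    cleaned = _strip_strings_and_comments(query)
    return any(re.search(rf"\b{f}\b", cleaned) for f in INTROSPECTION_FIELDS)


def check_query(query: str, max_depth: int = 10, allow_introspection: bool = False):
    """Return (accepted, reason); run this before the query reaches resolvers."""
    try:
        depth = query_depth(query)
    except ValueError as exc:
        return False, str(exc)
    if not allow_introspection and uses_introspection(query):
        return False, "introspection field requested"
    if depth > max_depth:
        return False, f"query depth {depth} exceeds limit {max_depth}"
    return True, "ok"
```

In production this sits alongside, not instead of, a cost/complexity limit and throttling, since a wide but shallow query can still be expensive.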