How to secure Public GraphQL API

With great power comes great responsibility.
-- Benjamin Franklin Parker

GraphQL allows you to craft complicated queries with ease.
It does make mobile and web developers' jobs simpler.

Unfortunately, hackers also like to use and abuse it.

This presentation will show you how easy it is to execute Denial of Service and Brute Force attacks in GraphQL.
Don't worry, you'll also learn how to protect your API against them.

Michał Taszycki

July 22, 2021
Transcript

  1. HOW TO SECURE PUBLIC GRAPHQL API?

  2. WHO AM I?
    ▸ Michał Taszycki (@mehowte)
    ▸ 16 years of programming experience
    ▸ I can teach you to be better at programming
    ▸ GraphQL Mastery
    ▸ Kurs Reacta
    ▸ 64bites (Commodore 64 assembly)
    ▸ Organizer of the Festiwal React.js i GraphQL conference

  3. GraphQL.pl/meetjs
    SOURCE CODE, TOOLS, SLIDES, LINKS & 🎁

  4. YOU WILL ENJOY THIS PRESENTATION

  5. YOU WILL ENJOY THIS PRESENTATION IF…

  6. YOU WILL ENJOY IT IF…
    ‣ You know the fundamentals of GraphQL
    ‣ You want to create your first public GraphQL server
    ‣ You don’t believe it’s possible to secure a public GraphQL server

  7. YOU MIGHT NOT ENJOY IT IF…
    ‣ You know everything about GraphQL
    ‣ You can handle Brute Force and DOS/DDOS attacks
    ‣ You are not interested in GraphQL? (duh)
    ‣ You believe that REST API is always better than GraphQL

  8. THOSE ARE THE FACTS

  9. GRAPHQL IS BETTER THAN REST API

  10. GRAPHQL IS BETTER THAN REST API

  11. BUT…

  12. (no text on slide)

  13. IT’S HARDER TO SECURE

  14. SECURING ANY API = BOOK-SIZE TOPIC

  15. LET’S FOCUS ON 2 KINDS OF ATTACKS

  16. …THAT ARE EXTREMELY EASY TO DO IN GRAPHQL

  17. 1. DOS/DDOS

  18. 1. DOS/DDOS
    2. BRUTE FORCE

  19. THIS IS OUR SCHEMA

  20. WHAT COULD POSSIBLY GO WRONG?

  21. WHAT COULD POSSIBLY GO WRONG?

  22. LET’S SEE 😁

  23. 100 USERS, EACH ONE HAS JUST 10 FRIENDS

  24. 😀

  25. 100x 😀

  26. WE GET 100 ELEMENTS (100x 😀)

  27. 😀

  28. 100x 😀

  29. 100x 10x 🙂

  30. WE GET 1000 ELEMENTS (100x 10x 🙂)

  31. 😀

  32. 100x 😀

  33. 100x 10x 🙂

  34. 100x 10x 10x 😐

  35. WE GET 10 000 ELEMENTS (100x 10x 10x 😐)

  36. 😀

  37. 100x 😀

  38. 100x 10x 🙂

  39. 100x 10x 10x 😐

  40. 100x 10x 10x 10x 🙁

  41. 100x 10x 10x 10x 10x 😳

  42. WE GET 1 000 000 ELEMENTS (100x 10x 10x 10x 10x 😱)

  43. YOU DON’T NEED DDOS IN GRAPHQL

  44. ONE SIMPLE QUERY = DENIAL OF SERVICE

  45. WHAT CAN WE DO ABOUT IT?

  46. LIMIT DEPTH OF A QUERY

  47. (no text on slide)

  48. (no text on slide)

  49. 😀
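
The depth limit from slides 46-48, as an added example that is not the talk's code or the source published at GraphQL.pl/meetjs: a validation-rule style scanner in JavaScript that measures how deeply selection sets nest and refuses a query above `MAX_DEPTH` before any resolver runs. The limit of 3, the function names and the sample queries are assumptions. Fragment spreads are counted where the fragment is defined rather than where it is used, so for production use an AST-based rule (for example the graphql-depth-limit package), which follows spreads.

```javascript
'use strict';

// Maximum nesting allowed. A value of 3 is an assumption sized for the
// users -> friends schema from the talk; tune it to your own schema.
const MAX_DEPTH = 3;

// Depth of a query = how many times a field nests another selection set,
// so `{ users { friends { name } } }` has depth 2. Braces inside string
// literals, block strings, comments and argument lists (input objects)
// are not selection sets and are skipped.
function queryDepth(query) {
  let braces = 0;      // current { } nesting of selection sets
  let parens = 0;      // current ( ) nesting of argument lists
  let deepest = 0;
  let i = 0;
  while (i < query.length) {
    const ch = query[i];
    if (ch === '#') {                               // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (query.startsWith('"""', i)) {               // block string
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
      continue;
    }
    if (ch === '"') {                               // ordinary string, honour escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
      continue;
    }
    if (ch === '(') parens++;
    else if (ch === ')') parens--;
    else if (ch === '{' && parens === 0) { braces++; deepest = Math.max(deepest, braces); }
    else if (ch === '}' && parens === 0) { braces--; if (braces < 0) throw new SyntaxError('unbalanced braces'); }
    i++;
  }
  if (braces !== 0 || parens !== 0) throw new SyntaxError('unbalanced braces or parentheses');
  // The operation's own selection set is level 1, so nesting depth is one less.
  return Math.max(0, deepest - 1);
}

// Validation-rule style check: run it on the raw query before execution and
// reject the request (HTTP 400) when it fails, so no resolver ever runs.
function checkDepth(query, max = MAX_DEPTH) {
  const depth = queryDepth(query);
  return depth > max
    ? { ok: false, depth, error: `query depth ${depth} exceeds maximum ${max}` }
    : { ok: true, depth };
}

// Constructed sample queries (not from the talk).
const SAMPLE_QUERIES = {
  shallow: '{ users(first: 10) { name } }',
  friendsOfFriends: '{ users { friends { friends { name } } } }',
  bomb: `# constructed: a chain that multiplies 10 friends per level
query { users { friends { friends { friends { friends { name } } } } } }`,
  bracesInArgs: '{ users(filter: { name: "x }" }) { name } }',
};

for (const [label, q] of Object.entries(SAMPLE_QUERIES)) {
  console.log(label, JSON.stringify(checkDepth(q)));
}
```

Depth alone is not enough, as the next slides show: a depth-limited query over a large fan-out still returns millions of objects, which is why pagination comes next.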

  50. OK, BUT WHAT IF…?

  51. 10000 USERS, EACH ONE HAS 1000 FRIENDS

  52. 😀

  53. 10 000x 😐

  54. 1000x 10 000x 😳

  55. WE GET 10 000 000 ELEMENTS (1000x 10 000x 😱)

  56. WHAT CAN WE DO ABOUT IT?

  57. USE PAGINATION

  58. 1. ADD A NEW SCALAR TYPE

  59. 2. ADD PAGINATION IN SCHEMA

  60. 2. ADD PAGINATION IN SCHEMA

  61. 3. HANDLE PAGINATION IN RESOLVERS

  62. 3. HANDLE PAGINATION IN RESOLVERS

  63. 😀

  64. 😀 10x

  65. 😀 10x 10x

  66. 🙂 10x 10x 10x

  67. 10x 10x 10x 10x 😐

  68. WE GET 10 000 ELEMENTS (10x 10x 10x 10x 😐)

  69. WE CAN RELAX THE DEPTH LIMIT (BUT NOT ELIMINATE IT)

  70. OK, BUT WHAT IF…?

  71. ONE TRIES TO EXCEED PAGE SIZE?

  72. (no text on slide)

  73. NOTHING! WE’RE GOOD 😃
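
The three pagination steps (scalar type, schema, resolvers) together with the "exceed the page size" check from slides 71-73, as an added JavaScript example that is not the talk's code: the scalar name `PageSize`, the limit of 10, the cursor encoding and the 25-user data set are assumptions. In graphql-js the coercion function below is what the scalar's `parseValue` (and `parseLiteral`, applied to the literal's integer value) would call, so an oversized `first` argument fails validation before any resolver runs.

```javascript
'use strict';

// Upper bound on one page. 10 is an assumption matching the "10x" per level
// in the talk; the scalar below refuses anything larger.
const MAX_PAGE_SIZE = 10;

// Coercion for the custom scalar (called PageSize here; the talk's own name
// is not given). Accepts only integers from 1 to MAX_PAGE_SIZE, so a
// `first: 1000` argument is a validation error, not a huge result.
function parsePageSize(value) {
  if (!Number.isInteger(value) || value < 1 || value > MAX_PAGE_SIZE) {
    throw new TypeError(`PageSize must be an integer from 1 to ${MAX_PAGE_SIZE}, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Opaque cursors so clients page forward without seeing raw offsets.
function encodeCursor(index) {
  return Buffer.from(`offset:${index}`).toString('base64');
}
function decodeCursor(cursor) {
  const match = /^offset:(\d+)$/.exec(Buffer.from(String(cursor), 'base64').toString('utf8'));
  if (!match) throw new TypeError('invalid cursor');
  return Number(match[1]);
}

// Relay-style connection over an in-memory list; in a real resolver the
// slice becomes a LIMIT/OFFSET (or keyset) database query.
function paginate(items, { first, after } = {}) {
  const pageSize = parsePageSize(first === undefined ? MAX_PAGE_SIZE : first);
  const start = after === undefined ? 0 : decodeCursor(after) + 1;
  const page = items.slice(start, start + pageSize);
  return {
    edges: page.map((node, i) => ({ cursor: encodeCursor(start + i), node })),
    pageInfo: {
      hasNextPage: start + page.length < items.length,
      endCursor: page.length ? encodeCursor(start + page.length - 1) : null,
    },
  };
}

// Constructed data set: 25 users, each linked to 12 friends (ids only).
const USERS = Array.from({ length: 25 }, (_, id) => ({
  id,
  name: `user${id}`,
  friendIds: Array.from({ length: 12 }, (_, k) => (id + k + 1) % 25),
}));

// Resolver map in the shape graphql-js expects; both list fields paginate,
// so a nested query can never return more than MAX_PAGE_SIZE per level.
const resolvers = {
  Query: {
    users: (_parent, args) => paginate(USERS, args),
  },
  User: {
    friends: (user, args) => paginate(user.friendIds.map((id) => USERS[id]), args),
  },
};

// Worst-case number of objects a query of the given depth can return once
// every list field is paginated: MAX_PAGE_SIZE per level, e.g. 10^4 = 10 000
// for depth 4, which is why the depth limit can be relaxed but not dropped.
function worstCaseElements(depth) {
  return MAX_PAGE_SIZE ** depth;
}

// Demo: two pages of users, then the first three friends of user 0.
const firstPage = resolvers.Query.users(null, { first: 10 });
const secondPage = resolvers.Query.users(null, { first: 10, after: firstPage.pageInfo.endCursor });
console.log(firstPage.edges.map((e) => e.node.name).join(','));
console.log(secondPage.edges.map((e) => e.node.name).join(','));
console.log(resolvers.User.friends(USERS[0], { first: 3 }).edges.map((e) => e.node.name).join(','));
```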

  74. OK, BUT WHAT IF…?

  75. ONE USES ALIASES?

  76. 😀

  77. 😀 10x

  78. 😀 10x 10x

  79. 😀 10x 10x +

  80. 😀 10x 10x + 10x 10x

  81. 😀 10x 10x + 10x 10x + 10x 10x

  82. 😮

  83. 🥺 10x 10x

  84. 😢 10x 10x + 10x 10x

  85. 😰 10x 10x + 10x 10x + 10x 10x

  86. 😭 (10x10) x 1 000 000

  87. 🤯 WE GET 100 000 000 ELEMENTS

  88. IF THAT DOESN’T SCARE YOU YET

  89. ALIASES ALLOW ANOTHER KIND OF ATTACK…

  90. BRUTE FORCE

  91. CONSIDER THIS SCHEMA

  92. 1. I DON’T REMEMBER MY PASSWORD

  93. 1. I DON’T REMEMBER MY PASSWORD

  94. 2. I ASK FOR A RESET TOKEN

  95. 2. I ASK FOR A RESET TOKEN

  96. 3. I GET THE TOKEN

  97. 4. I CHANGE THE PASSWORD

  98. 4. I CHANGE THE PASSWORD

  99. 5. I LOG IN

  100. 5. I LOG IN

  101. IS IT SAFE?

  102. IS IT SAFE?

  103. SURE! YOU CAN’T CHANGE THE PASSWORD WITHOUT AN EMAIL AND TOKEN 😏

  104. OK, BUT WHAT IF…?

  105. YOU HAVE AN EMAIL & YOU CAN GUESS THE TOKEN 🤔

  106. 1. LET’S GUESS

  107. 1. LET’S GUESS

  108. 1. LET’S GUESS

  109. 1. LET’S GUESS

  110. 2. LET’S LOG IN

  111. 2. LET’S LOG IN

  112. WHAT CAN WE DO ABOUT IT?

  113. 1. GENERATE SAFER TOKENS

  114. 1. GENERATE SAFER TOKENS
    NOT THIS WAY!

  115. 1. GENERATE SAFER TOKENS
    NOT THIS WAY!

  116. 1. GENERATE SAFER TOKENS
    NOT THIS WAY! 🤡

  117. 2. MAKE BRUTE FORCE HARDER

  118. QUERY COST ANALYSIS

  119. QUERY COST ANALYSIS

  120. QUERY COST ANALYSIS

  121. COST DIRECTIVE

  122. MULTIPLY COST BY PAGE SIZE

  123. MULTIPLY COST BY PAGE SIZE

  124. INCREASE COST OF DANGEROUS OPERATIONS

  125. 😀

  126. 😀

  127. 😀

  128. 😀

  129. 😀

  130. 😀
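
The alias multiplication of slides 75-87 and the query cost analysis of slides 118-124 in one added JavaScript example that is not the talk's code: a small parser for executable GraphQL operations and a cost walk in which every selection, aliased copies included, costs its `@cost`-style base value multiplied by its page size and by the number of parent items, with the reset mutation priced high. The cost table, the budget of 1000, the default page size and the sample operations are assumptions; fragments and directives are not parsed, so a production check should walk the AST produced by the graphql library instead.

```javascript
'use strict';

// Per-field cost table standing in for an `@cost` directive in the schema
// (assumed values for the talk's users/friends and password-reset schema).
// `paginated` fields take a `first` argument that multiplies their cost.
const SCHEMA = {
  Query: { users: { type: 'User', cost: 1, paginated: true } },
  User: {
    id: { type: 'ID', cost: 0 },
    name: { type: 'String', cost: 0 },
    friends: { type: 'User', cost: 1, paginated: true },
  },
  Mutation: {
    requestPasswordReset: { type: 'Boolean', cost: 100 },
    resetPassword: { type: 'Boolean', cost: 500 },   // dangerous: only two fit in one request
  },
};
const DEFAULT_PAGE_SIZE = 10;
const MAX_COST = 1000;          // budget per request (assumption)

// Tokens: whitespace/commas/comments (dropped), strings, ints, names and
// variables, punctuators.
const TOKEN_RE = /\s+|,|#[^\n]*|"(?:[^"\\]|\\.)*"|-?\d+|\$?[A-Za-z_][A-Za-z0-9_]*|[{}():=!\[\]]/y;

function tokenize(src) {
  const tokens = [];
  for (let pos = 0; pos < src.length; ) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(src);
    if (!m) throw new SyntaxError(`unexpected character '${src[pos]}' at ${pos}`);
    pos = TOKEN_RE.lastIndex;
    if (!/^[\s,#]/.test(m[0])) tokens.push(m[0]);
  }
  return tokens;
}

// Recursive-descent parser: returns { operation, selections } where each
// selection is { alias, name, args, selections }.
function parseDocument(src) {
  const toks = tokenize(src);
  let i = 0;
  const peek = () => toks[i];
  const next = () => { if (i >= toks.length) throw new SyntaxError('unexpected end of query'); return toks[i++]; };
  const expect = (t) => { const got = next(); if (got !== t) throw new SyntaxError(`expected ${t}, got ${got}`); };
  const parseValue = () => {
    const t = next();
    if (/^-?\d+$/.test(t)) return Number(t);
    if (t.startsWith('"')) return JSON.parse(t);
    if (t === 'true' || t === 'false') return t === 'true';
    if (t.startsWith('$')) return { variable: t.slice(1) };
    if (t === '[') { const list = []; while (peek() !== ']') list.push(parseValue()); next(); return list; }
    if (t === '{') { const obj = {}; while (peek() !== '}') { const k = next(); expect(':'); obj[k] = parseValue(); } next(); return obj; }
    return t;                                          // enum value
  };
  const parseArgs = () => {
    const args = {};
    if (peek() !== '(') return args;
    next();
    while (peek() !== ')') { const k = next(); expect(':'); args[k] = parseValue(); }
    next();
    return args;
  };
  const parseSelectionSet = () => {
    expect('{');
    const fields = [];
    while (peek() !== '}') {
      let name = next();
      let alias = null;
      if (peek() === ':') { next(); alias = name; name = next(); }
      const args = parseArgs();
      const selections = peek() === '{' ? parseSelectionSet() : [];
      fields.push({ alias, name, args, selections });
    }
    next();
    return fields;
  };
  let operation = 'query';
  if (peek() === 'query' || peek() === 'mutation') {
    operation = next();
    if (/^[A-Za-z_]/.test(peek() || '')) next();        // operation name
    if (peek() === '(') { let d = 0; do { const t = next(); d += t === '(' ? 1 : t === ')' ? -1 : 0; } while (d > 0); }
  }
  const selections = parseSelectionSet();
  if (i !== toks.length) throw new SyntaxError('trailing tokens after operation');
  return { operation, selections };
}

// Cost = sum over every selection (aliased copies count separately) of
// base cost x page size x number of parent items. Children of a paginated
// field run once per returned item, hence the growing multiplier.
function selectionCost(parentType, fields, multiplier, variables) {
  let total = 0;
  for (const f of fields) {
    const def = (SCHEMA[parentType] || {})[f.name];
    if (!def) throw new Error(`unknown field ${parentType}.${f.name}`);
    let pageSize = 1;
    if (def.paginated) {
      const raw = f.args.first;
      pageSize = raw && typeof raw === 'object' ? variables[raw.variable] : raw;
      if (pageSize === undefined) pageSize = DEFAULT_PAGE_SIZE;
      if (!Number.isInteger(pageSize) || pageSize < 1) throw new Error(`bad page size for ${f.name}`);
    }
    total += def.cost * pageSize * multiplier
           + selectionCost(def.type, f.selections, multiplier * pageSize, variables);
  }
  return total;
}

function queryCost(src, variables = {}) {
  const doc = parseDocument(src);
  return selectionCost(doc.operation === 'mutation' ? 'Mutation' : 'Query', doc.selections, 1, variables);
}

// Run before execution; reject with HTTP 400 when over budget.
function checkCost(src, variables = {}, max = MAX_COST) {
  const cost = queryCost(src, variables);
  return cost > max ? { ok: false, cost, error: `query cost ${cost} exceeds budget ${max}` } : { ok: true, cost };
}

// Constructed samples (not the talk's queries); tokens are placeholders.
const SAMPLES = {
  friends: '{ users(first: 10) { name friends(first: 10) { name } } }',
  aliased: '{ a: users(first: 10) { friends { name } } b: users(first: 10) { friends { name } } c: users(first: 10) { friends { name } } }',
  variables: 'query Q($n: PageSize!) { users(first: $n) { friends(first: $n) { id } } }',
  guesses: 'mutation { g1: resetPassword(email: "alice@example.com", token: "PLACEHOLDER_1", newPassword: "x") g2: resetPassword(email: "alice@example.com", token: "PLACEHOLDER_2", newPassword: "x") g3: resetPassword(email: "alice@example.com", token: "PLACEHOLDER_3", newPassword: "x") }',
};
for (const [label, q] of Object.entries(SAMPLES)) console.log(label, JSON.stringify(checkCost(q, { n: 5 })));
```

With these numbers the plain users/friends query costs 110, the three aliased copies cost 330 (aliases do not hide from the walk because every selection node is counted), and three aliased reset attempts cost 1500 and are refused, so one request can carry at most two guesses.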

  131. OK, BUT WHAT IF…?

  132. ONE TRIES TO EXECUTE MULTIPLE QUERIES?

  133. WE RATE LIMIT THEM

  134. EITHER AT THE HTTP SERVER (SAME AS WITH REST API)

  135. OR AT THE GRAPHQL SERVER

  136. ADD THE RATE LIMIT DIRECTIVE

  137. ADD SOME KIND OF A CLIENT ID TO THE CONTEXT

  138. CONFIGURE THE RATE LIMIT DIRECTIVE

  139. DEFINE THE RATE LIMIT DIRECTIVE IN THE SCHEMA

  140. LIMIT RATE OF EXECUTION (FOR ANY QUERY OR MUTATION)

  141. (no text on slide)

  142. 😀

  143. 2 SECONDS LATER

  144. 😀 2 SECONDS LATER
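
What the rate-limit directive of slides 136-144 amounts to at the GraphQL server, as an added JavaScript example that is not the talk's code: a per-client, per-field fixed-window counter, a wrapper that applies it to a resolver the way a schema directive would, and a client id taken from the context. The directive arguments, the limit of 5 calls per 2 seconds, the in-memory store and the stub resolver are assumptions.

```javascript
'use strict';

// Fixed-window counter per key (client id + field). In-memory, so it is
// per process; a multi-instance deployment keeps the counters in a shared
// store such as redis.
class RateLimiter {
  constructor({ max, windowMs }) {
    this.max = max;
    this.windowMs = windowMs;
    this.windows = new Map();
  }
  // Registers one call and says whether it is within the limit.
  hit(key, now = Date.now()) {
    let w = this.windows.get(key);
    if (!w || now - w.start >= this.windowMs) {
      w = { start: now, count: 0 };
      this.windows.set(key, w);
    }
    if (w.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + this.windowMs - now };
    }
    w.count += 1;
    return { allowed: true, remaining: this.max - w.count, retryAfterMs: 0 };
  }
}

// What a schema directive such as `@rateLimit(max: 5, window: "2s")` does
// when applied to a field: wrap the resolver and consult the limiter before
// it runs. The client id must already be in the context, set by the HTTP
// layer from the session, the API key or, as a last resort, the IP address.
function rateLimit(resolver, { fieldName, max, windowMs }) {
  const limiter = new RateLimiter({ max, windowMs });
  return (parent, args, context, info) => {
    if (!context || !context.clientId) throw new Error('rate limiting requires a client id in the context');
    const verdict = limiter.hit(`${context.clientId}:${fieldName}`, context.now);
    if (!verdict.allowed) {
      throw new Error(`rate limit exceeded for ${fieldName}, retry in ${verdict.retryAfterMs} ms`);
    }
    return resolver(parent, args, context, info);
  };
}

// Resolver map with the password-reset mutation limited to 5 calls per 2 s
// per client (the resolver body is a stub that never accepts the token).
const resolvers = {
  Mutation: {
    resetPassword: rateLimit(
      () => ({ ok: false }),
      { fieldName: 'resetPassword', max: 5, windowMs: 2000 },
    ),
  },
};

// Replays a series of calls at the given timestamps (ms) for one client and
// reports each outcome. Deterministic: the clock comes from the context.
function attemptResets(clientId, timestamps) {
  return timestamps.map((now) => {
    try {
      resolvers.Mutation.resetPassword(null, { email: 'alice@example.com', token: 'PLACEHOLDER' }, { clientId, now });
      return 'allowed';
    } catch (err) {
      return 'limited';
    }
  });
}

console.log(attemptResets('client-a', [0, 100, 200, 300, 400, 500, 600]).join(' '));
console.log('2 seconds later:', attemptResets('client-a', [2100]).join(' '));
```

The sixth and seventh calls inside the window are refused and the call two seconds later is allowed again, matching slides 142-144. Because the key includes the field name, a limit on the reset mutation does not throttle ordinary queries from the same client.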

  145. THAT’S ENOUGH

  146. THAT’S ENOUGH TO MAKE GRAPHQL AS SECURE AS REST

  147. 1. LIMIT DEPTH

  148. 1. LIMIT DEPTH
    2. PAGINATE DATA

  149. 1. LIMIT DEPTH
    2. PAGINATE DATA
    3. LIMIT RATE

  150. 1. LIMIT DEPTH
    2. PAGINATE DATA
    3. LIMIT RATE
    4. ANALYZE COST (OPTIONAL)

  151. ONE MORE THING…

  152. MONITOR YOUR TRAFFIC!
    (YOU NEED TO KNOW WHO ATTACKS YOU, WHEN AND HOW)

  153. NEED MORE RESOURCES?

  154. OWASP - GRAPHQL CHEAT SHEET

  155. MACIEJ KOFEL - HACKOWANIE GRAPHQL PRESENTATION (IN POLISH)

  156. USE THE MEETJS CODE TO GET A 20% DISCOUNT ON ALL RECORDED TALKS (IN POLISH)

  157. 7-WEEK ONLINE COURSE ON FULL-STACK GRAPHQL (ALSO IN POLISH)
    NEW EDITION STARTS SOON

  158. ANY QUESTIONS? Q&A GraphQL.pl/meetjs

  159. ANY QUESTIONS? Q&A GraphQL.pl/meetjs

  160. ANY QUESTIONS? Q&A GraphQL.pl/meetjs