Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to secure Public GraphQL API

Michał Taszycki
July 22, 2021
Programming
0
98

How to secure Public GraphQL API

With great power comes great responsibility.
-- Benjamin Franklin Parker

GraphQL allows you to craft complicated queries with ease.
It does make mobile and web developers' jobs simpler.

Unfortunately, hackers also like to use and abuse it.

This presentation will show you how easy it is to execute Denial of Service and Brute Force attacks in GraphQL.
Don't worry, you'll also learn how to protect your API against them.

Michał Taszycki

July 22, 2021
Tweet

More Decks by Michał Taszycki

See All by Michał Taszycki
Another 40 years of Commodore 64
mehowte
0
340
Let's keep Commodore 64 alive for the next 40 years
mehowte
1
220
Learn RASTER SHADERS on Commodore 64
mehowte
0
560
Z Frontu na FullStack dzięki GraphQL
mehowte
0
110
Legacy React
mehowte
0
410
Jak zabezpieczyczyć publiczne API GraphQL
mehowte
0
250
Poznaj GraphQL w (trochę więcej niż) 30 minut :)
mehowte
0
390
GraphQL vs REST API - Kto wygra?
mehowte
0
960
Architektura aplikacji w React.js
mehowte
0
3.7k

Other Decks in Programming

See All in Programming
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
910
Content Security Policy入門 セキュリティ設定と 違反レポートのはじめ方 / Introduction to Content Security Policy Getting Started with Security Configuration and Violation Reporting
uskey512
1
520
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
100
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
600
ヤプリ新卒SREの オンボーディング
masaki12
0
130
EventSourcingの理想と現実
wenas
6
2.3k
Ethereum_.pdf
nekomatu
0
460
Nurturing OpenJDK distribution: Eclipse Temurin Success History and plan
ivargrimstad
0
870
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
110
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
CSC509 Lecture 12
javiergs
PRO
0
160

Featured

See All Featured
Making Projects Easy
brettharned
115
5.9k
Gamification - CAS2011
davidbonilla
80
5k
Writing Fast Ruby
sferik
627
61k
How to train your dragon (web standard)
notwaldorf
88
5.7k
Become a Pro
speakerdeck
PRO
25
5k
Fireside Chat
paigeccino
34
3k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Done Done
chrislema
181
16k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Happy Clients
brianwarren
98
6.7k

Transcript

  1. HOW TO SECURE 
 PUBLIC GRAPHQL API? ☠

  2. WHO AM I? ▸ Michał Taszycki (@mehowte) ▸ 16 years

    of programming experience ▸ I can teach you to be better at programming ▸ GraphQL Mastery ▸ Kurs Reacta ▸ 64bites (Commodore 64 assembly) ▸ Organizer of Festiwal React.js i GraphQL conference

  3. GraphQL.pl/meetjs SOURCE CODE, TOOLS, SLIDES, LINKS & 🎁

  4. YOU WILL ENJOY 
 THIS PRESENTATION

  5. YOU WILL ENJOY 
 THIS PRESENTATION IF…

  6. YOU WILL ENJOY IT IF… ‣ You know fundamentals of

    GraphQL ‣ You want to create your fi rst public GraphQL server ‣ You don’t believe it’s possible to secure a public GraphQL server

  7. ‣ You know everything about GraphQL ‣ You can handle

    Brute Force i DOS/DDOS attacks ‣ You are not interested in GraphQL? (duh) ‣ You believe that REST API is always better than GraphQL YOU MIGHT NOT ENJOY IT IF…

  8. THOSE ARE THE FACTS

  9. GRAPHQL IS BETTER THAN REST API

  10. GRAPHQL IS BETTER THAN REST API

  11. BUT…

  12. None

  13. IT’S HARDER TO SECURE

  14. SECURING ANY API = BOOK-SIZE TOPIC

  15. LET’S FOCUS ON 2 KINDS OF ATTACKS

  16. …THAT ARE EXTREMELY EASY TO DO IN GRAPHQL

  17. 1. DOS/DDOS

  18. 1. DOS/DDOS 2. BRUTE FORCE

  19. THIS IS OUR SCHEMA

  20. WHAT COULD POSSIBLY GO WRONG?

  21. WHAT COULD POSSIBLY GO WRONG?

  22. LET’S SEE😁

  23. 100 USERS EACH ONE HAS JUST 10 FRIENDS

  24. 😀

  25. 100x 😀

  26. WE GET 100 ELEMENTS 100x 😀

  27. 😀

  28. 100x 😀

  29. 100x 10x 🙂

  30. WE GET 1000 ELEMENTS 100x 10x 🙂

  31. 😀

  32. 100x 😀

  33. 100x 10x 🙂

  34. 100x 10x 10x 😐

  35. WE GET 10 000 ELEMENTS 100x 10x 10x 😐

  36. 😀

  37. 100x 😀

  38. 100x 10x 🙂

  39. 100x 10x 10x 😐

  40. 100x 10x 10x 10x 🙁

  41. 100x 10x 10x 10x 10x 😳

  42. WE GET 1 000 000 ELEMENTS 100x 10x 10x 10x

    10x 😱

  43. YOU DON’T NEED DDOS IN GRAPHQL

  44. ONE SIMPLE QUERY = DENIAL OF SERVICE

  45. WHAT CAN WE DO ABOUT IT?

  46. LIMIT DEPTH OF A QUERY

  48. None

  49. 😀

  50. OK BUT WHAT IF…?

  51. 10000 USERS EACH ONE HAS 1000 FRIENDS

  52. 😀

  53. 10 000x 😐

  54. 1000x 10 000x 😳

  55. WE GET 10 000 000 ELEMENTS 1000x 10 000x 😱

  56. WHAT CAN WE DO ABOUT IT?

  57. USE PAGINATION

  58. 1. ADD A NEW SCALAR TYPE

  59. 2. ADD PAGINATION IN SCHEMA

  60. 2. ADD PAGINATION IN SCHEMA

  61. 3. HANDLE PAGINATION IN RESOLVERS

  62. 3. HANDLE PAGINATION IN RESOLVERS

  63. 😀

  64. 😀 10x

  65. 😀 10x 10x

  66. 🙂 10x 10x 10x

  67. 10x 10x 10x 10x 😐

  68. WE GET 10 000 ELEMENTS 10x 10x 10x 10x 😐

  69. WE CAN RELAX 
 DEPTH LIMIT (BUT NOT ELIMINATE IT)

  70. OK BUT WHAT IF…?

  71. ONE TRIES TO EXCEED PAGE SIZE?

  72. None

  73. NOTHING! WE’RE GOOD 😃

  74. OK BUT WHAT IF…?

  75. ONE USES ALIASES?

  76. 😀 …

  77. 😀 … 10x

  78. 😀 … 10x 10x

  79. 😀 … 10x 10x +

  80. 😀 … 10x 10x + 10x 10x

  81. 😀 … 10x 10x + 10x 10x + 10x 10x

  82. 😮 …

  83. 🥺 … 10x 10x

  84. 😢 … 10x 10x + 10x 10x

  85. 😰 … 10x 10x + 10x 10x + 10x 10x

  86. 😭 … (10x10) x 1 000 000

  87. 🤯 … WE GET 100 000 000 ELEMENTS

  88. IF THAT DOESN’T SCARE YOU YET

  89. ALIASES ALLOW 
 ANOTHER KIND OF ATTACK…

  90. BRUTE FORCE

  91. CONSIDER THIS SCHEMA

  92. 1. I DON’T REMEMBER MY PASSWORD

  93. 1. I DON’T REMEMBER MY PASSWORD

  94. 2. I ASK FOR RESET TOKEN

  95. 2. I ASK FOR RESET TOKEN

  96. 3. I GET THE TOKEN

  97. 4. I CHANGE THE PASSWORD

  98. 4. I CHANGE THE PASSWORD

  99. 5. I LOG IN

  100. 5. I LOG IN

  101. IS IT SAFE?

  102. IS IT SAFE?

  103. SURE! YOU CAN’T CHANGE PASSWORD WITHOUT AN EMAIL AND TOKEN

    😏

  104. OK BUT WHAT IF…?

  105. YOU HAVE AN EMAIL & YOU CAN GUESS THE TOKEN

    🤔

  106. 1. LET’S GUESS

  107. 1. LET’S GUESS

  108. 1. LET’S GUESS

  109. 1. LET’S GUESS

  110. 2. LET’S LOG IN

  111. 2. LET’S LOG IN

  112. WHAT CAN WE DO ABOUT IT?

  113. 1. GENERATE SAFER TOKENS

  114. NOT THIS WAY! 1. GENERATE SAFER TOKENS

  115. 1. GENERATE SAFER TOKENS NOT THIS WAY!

  116. 🤡 1. GENERATE SAFER TOKENS NOT THIS WAY!

  117. 2. MAKE BRUTE FORCE HARDER

  118. QUERY COST ANALYSIS

  119. QUERY COST ANALYSIS

  120. QUERY COST ANALYSIS

  121. COST DIRECTIVE

  122. MULTIPLY COST BY PAGE SIZE

  123. MULTIPLY COST BY PAGE SIZE

  124. INCREASE COST OF DANGEROUS OPERATIONS

  125. 😀

  126. 😀

  127. 😀

  128. 😀

  129. 😀

  130. 😀

  131. OK BUT WHAT IF…?

  132. ONE TRIES TO EXECUTE MULTIPLE QUERIES?

  133. WE RATE LIMIT THEM

  134. EITHER AT THE HTTP SERVER (SAME AS WITH REST API)

  135. OR AT THE GRAPHQL SERVER

  136. ADD THE RATE LIMIT DIRECTIVE

  137. ADD SOME KIND OF A CLIENT ID TO THE CONTEXT

  138. CONFIGURE THE RATE LIMIT DIRECTIVE

  139. DEFINE RATE LIMIT DIRECTIVE IN SCHEMA

  140. LIMIT RATE OF EXECUTION (FOR ANY QUERY OR MUTATION)

  141. None

  142. 😀

  143. 2 SECONDS LATER

  144. 😀 2 SECONDS LATER

  145. THAT’S ENOUGH 
 …

  146. THAT’S ENOUGH 
 TO MAKE GRAPHQL AS SECURE AS REST

  147. 1.LIMIT DEPTH

  148. 1.LIMIT DEPTH 2.PAGINATE DATA

  149. 1.LIMIT DEPTH 2.PAGINATE DATA 3.LIMIT RATE

  150. 1.LIMIT DEPTH 2.PAGINATE DATA 3.LIMIT RATE 4.ANALYZE COST (OPTIONAL)

  151. ONE MORE THING…

  152. MONITOR YOUR TRAFFIC! (YOU NEED TO KNOW WHO, WHEN AND

    HOW ATTACKS YOU)

  153. NEED MORE RESOURCES?

  154. OWASP - GRAPHQL CHEAT SHEET

  155. MACIEJ KOFEL - HACKOWANIE GRAPHQL PRESENTATION (IN POLISH)

  156. USE MEETJS CODE TO GET 20% DISCOUNT ALL RECORDED TALKS

    (IN POLISH)

  157. 7-WEEK ONLINE COURSE ON FULL-STACK GRAPHQL (ALSO IN POLISH) NEW

    EDITION 
 STARTS SOON

  158. ANY QUESTIONS? Q&A GraphQL.pl/meetjs

  159. ANY QUESTIONS? Q&A GraphQL.pl/meetjs

  160. ANY QUESTIONS? Q&A GraphQL.pl/meetjs