How to secure Public GraphQL API

Transcript

1. HOW TO SECURE 
 PUBLIC GRAPHQL API? ☠

2. WHO AM I? ▸ Michał Taszycki (@mehowte) ▸ 16 years

   of programming experience ▸ I can teach you to be better at programming ▸ GraphQL Mastery ▸ Kurs Reacta ▸ 64bites (Commodore 64 assembly) ▸ Organizer of Festiwal React.js i GraphQL conference

3. GraphQL.pl/meetjs SOURCE CODE, TOOLS, SLIDES, LINKS & 🎁

4. YOU WILL ENJOY 
 THIS PRESENTATION

5. YOU WILL ENJOY 
 THIS PRESENTATION IF…

6. YOU WILL ENJOY IT IF… ‣ You know fundamentals of

   GraphQL ‣ You want to create your fi rst public GraphQL server ‣ You don’t believe it’s possible to secure a public GraphQL server

7. ‣ You know everything about GraphQL ‣ You can handle

   Brute Force i DOS/DDOS attacks ‣ You are not interested in GraphQL? (duh) ‣ You believe that REST API is always better than GraphQL YOU MIGHT NOT ENJOY IT IF…

8. THOSE ARE THE FACTS

9. GRAPHQL IS BETTER THAN REST API

10. GRAPHQL IS BETTER THAN REST API

11. BUT…

12. None

13. IT’S HARDER TO SECURE

14. SECURING ANY API = BOOK-SIZE TOPIC

15. LET’S FOCUS ON 2 KINDS OF ATTACKS

16. …THAT ARE EXTREMELY EASY TO DO IN GRAPHQL

17. 1. DOS/DDOS

18. 1. DOS/DDOS 2. BRUTE FORCE

19. THIS IS OUR SCHEMA

20. WHAT COULD POSSIBLY GO WRONG?

21. WHAT COULD POSSIBLY GO WRONG?

22. LET’S SEE😁

23. 100 USERS EACH ONE HAS JUST 10 FRIENDS

24. 😀

25. 100x 😀

26. WE GET 100 ELEMENTS 100x 😀

27. 😀

28. 100x 😀

29. 100x 10x 🙂

30. WE GET 1000 ELEMENTS 100x 10x 🙂

31. 😀

32. 100x 😀

33. 100x 10x 🙂

34. 100x 10x 10x 😐

35. WE GET 10 000 ELEMENTS 100x 10x 10x 😐

36. 😀

37. 100x 😀

38. 100x 10x 🙂

39. 100x 10x 10x 😐

40. 100x 10x 10x 10x 🙁

41. 100x 10x 10x 10x 10x 😳

42. WE GET 1 000 000 ELEMENTS 100x 10x 10x 10x

    10x 😱

43. YOU DON’T NEED DDOS IN GRAPHQL

44. ONE SIMPLE QUERY = DENIAL OF SERVICE

45. WHAT CAN WE DO ABOUT IT?

46. LIMIT DEPTH OF A QUERY

47. …

48. None

49. 😀

50. OK BUT WHAT IF…?

51. 10000 USERS EACH ONE HAS 1000 FRIENDS

52. 😀

53. 10 000x 😐

54. 1000x 10 000x 😳

55. WE GET 10 000 000 ELEMENTS 1000x 10 000x 😱

56. WHAT CAN WE DO ABOUT IT?

57. USE PAGINATION

58. 1. ADD A NEW SCALAR TYPE

59. 2. ADD PAGINATION IN SCHEMA

60. 2. ADD PAGINATION IN SCHEMA

61. 3. HANDLE PAGINATION IN RESOLVERS

62. 3. HANDLE PAGINATION IN RESOLVERS

63. 😀

64. 😀 10x

65. 😀 10x 10x

66. 🙂 10x 10x 10x

67. 10x 10x 10x 10x 😐

68. WE GET 10 000 ELEMENTS 10x 10x 10x 10x 😐

69. WE CAN RELAX 
 DEPTH LIMIT (BUT NOT ELIMINATE IT)

70. OK BUT WHAT IF…?

71. ONE TRIES TO EXCEED PAGE SIZE?

72. None

73. NOTHING! WE’RE GOOD 😃

74. OK BUT WHAT IF…?

75. ONE USES ALIASES?

76. 😀 …

77. 😀 … 10x

78. 😀 … 10x 10x

79. 😀 … 10x 10x +

80. 😀 … 10x 10x + 10x 10x

81. 😀 … 10x 10x + 10x 10x + 10x 10x

82. 😮 …

83. 🥺 … 10x 10x

84. 😢 … 10x 10x + 10x 10x

85. 😰 … 10x 10x + 10x 10x + 10x 10x

86. 😭 … (10x10) x 1 000 000

87. 🤯 … WE GET 100 000 000 ELEMENTS

88. IF THAT DOESN’T SCARE YOU YET

89. ALIASES ALLOW 
 ANOTHER KIND OF ATTACK…

90. BRUTE FORCE

91. CONSIDER THIS SCHEMA

92. 1. I DON’T REMEMBER MY PASSWORD

93. 1. I DON’T REMEMBER MY PASSWORD

94. 2. I ASK FOR RESET TOKEN

95. 2. I ASK FOR RESET TOKEN

96. 3. I GET THE TOKEN

97. 4. I CHANGE THE PASSWORD

98. 4. I CHANGE THE PASSWORD

99. 5. I LOG IN

100. 5. I LOG IN

101. IS IT SAFE?

102. IS IT SAFE?

103. SURE! YOU CAN’T CHANGE PASSWORD WITHOUT AN EMAIL AND TOKEN

     😏

104. OK BUT WHAT IF…?

105. YOU HAVE AN EMAIL & YOU CAN GUESS THE TOKEN

     🤔

106. 1. LET’S GUESS

107. 1. LET’S GUESS

108. 1. LET’S GUESS

109. 1. LET’S GUESS

110. 2. LET’S LOG IN

111. 2. LET’S LOG IN

112. WHAT CAN WE DO ABOUT IT?

113. 1. GENERATE SAFER TOKENS

114. NOT THIS WAY! 1. GENERATE SAFER TOKENS

115. 1. GENERATE SAFER TOKENS NOT THIS WAY!

116. 🤡 1. GENERATE SAFER TOKENS NOT THIS WAY!

117. 2. MAKE BRUTE FORCE HARDER

118. QUERY COST ANALYSIS

119. QUERY COST ANALYSIS

120. QUERY COST ANALYSIS

121. COST DIRECTIVE

122. MULTIPLY COST BY PAGE SIZE

123. MULTIPLY COST BY PAGE SIZE

124. INCREASE COST OF DANGEROUS OPERATIONS

125. 😀

126. 😀

127. 😀

128. 😀

129. 😀

130. 😀

131. OK BUT WHAT IF…?

132. ONE TRIES TO EXECUTE MULTIPLE QUERIES?

133. WE RATE LIMIT THEM

134. EITHER AT THE HTTP SERVER (SAME AS WITH REST API)

135. OR AT THE GRAPHQL SERVER

136. ADD THE RATE LIMIT DIRECTIVE

137. ADD SOME KIND OF A CLIENT ID TO THE CONTEXT

138. CONFIGURE THE RATE LIMIT DIRECTIVE

139. DEFINE RATE LIMIT DIRECTIVE IN SCHEMA

140. LIMIT RATE OF EXECUTION (FOR ANY QUERY OR MUTATION)

141. None

142. 😀

143. 2 SECONDS LATER

144. 😀 2 SECONDS LATER

145. THAT’S ENOUGH 
 …

146. THAT’S ENOUGH 
 TO MAKE GRAPHQL AS SECURE AS REST

147. 1.LIMIT DEPTH

148. 1.LIMIT DEPTH 2.PAGINATE DATA

149. 1.LIMIT DEPTH 2.PAGINATE DATA 3.LIMIT RATE

150. 1.LIMIT DEPTH 2.PAGINATE DATA 3.LIMIT RATE 4.ANALYZE COST (OPTIONAL)

151. ONE MORE THING…

152. MONITOR YOUR TRAFFIC! (YOU NEED TO KNOW WHO, WHEN AND

     HOW ATTACKS YOU)

153. NEED MORE RESOURCES?

154. OWASP - GRAPHQL CHEAT SHEET

155. MACIEJ KOFEL - HACKOWANIE GRAPHQL PRESENTATION (IN POLISH)

156. USE MEETJS CODE TO GET 20% DISCOUNT ALL RECORDED TALKS

     (IN POLISH)

157. 7-WEEK ONLINE COURSE ON FULL-STACK GRAPHQL (ALSO IN POLISH) NEW

     EDITION 
 STARTS SOON

158. ANY QUESTIONS? Q&A GraphQL.pl/meetjs

159. ANY QUESTIONS? Q&A GraphQL.pl/meetjs

160. ANY QUESTIONS? Q&A GraphQL.pl/meetjs