How to secure Public GraphQL API

With great power comes great responsibility.
-- Benjamin Franklin Parker

GraphQL allows you to craft complicated queries with ease.
It does make mobile and web developers' jobs simpler.

Unfortunately, hackers also like to use and abuse it.

This presentation will show you how easy it is to execute Denial of Service and Brute Force attacks in GraphQL.
Don't worry, you'll also learn how to protect your API against them.

Michał Taszycki

July 22, 2021

Transcript

  1. HOW TO SECURE PUBLIC GRAPHQL API? ☠

  2. WHO AM I? ▸ Michał Taszycki (@mehowte) ▸ 16 years of programming experience ▸ I can teach you to be better at programming ▸ GraphQL Mastery ▸ Kurs Reacta ▸ 64bites (Commodore 64 assembly) ▸ Organizer of Festiwal React.js i GraphQL conference
  3. GraphQL.pl/meetjs SOURCE CODE, TOOLS, SLIDES, LINKS & 🎁

  4. YOU WILL ENJOY THIS PRESENTATION

  5. YOU WILL ENJOY THIS PRESENTATION IF…

  6. YOU WILL ENJOY IT IF… ‣ You know fundamentals of GraphQL ‣ You want to create your first public GraphQL server ‣ You don’t believe it’s possible to secure a public GraphQL server
  7. YOU MIGHT NOT ENJOY IT IF… ‣ You know everything about GraphQL ‣ You can handle Brute Force and DOS/DDOS attacks ‣ You are not interested in GraphQL? (duh) ‣ You believe that REST API is always better than GraphQL
  8. THOSE ARE THE FACTS

  9. GRAPHQL IS BETTER THAN REST API

  10. GRAPHQL IS BETTER THAN REST API

  11. BUT…

  13. IT’S HARDER TO SECURE

  14. SECURING ANY API = BOOK-SIZE TOPIC

  15. LET’S FOCUS ON 2 KINDS OF ATTACKS

  16. …THAT ARE EXTREMELY EASY TO DO IN GRAPHQL

  17. 1. DOS/DDOS

  18. 1. DOS/DDOS 2. BRUTE FORCE

  19. THIS IS OUR SCHEMA

  20. WHAT COULD POSSIBLY GO WRONG?

  21. WHAT COULD POSSIBLY GO WRONG?

  22. LET’S SEE😁

  23. 100 USERS EACH ONE HAS JUST 10 FRIENDS

  24. 😀

  25. 100x 😀

  26. WE GET 100 ELEMENTS 100x 😀

  27. 😀

  28. 100x 😀

  29. 100x 10x 🙂

  30. WE GET 1000 ELEMENTS 100x 10x 🙂

  31. 😀

  32. 100x 😀

  33. 100x 10x 🙂

  34. 100x 10x 10x 😐

  35. WE GET 10 000 ELEMENTS 100x 10x 10x 😐

  36. 😀

  37. 100x 😀

  38. 100x 10x 🙂

  39. 100x 10x 10x 😐

  40. 100x 10x 10x 10x 🙁

  41. 100x 10x 10x 10x 10x 😳

  42. WE GET 1 000 000 ELEMENTS 100x 10x 10x 10x 10x 😱
  43. YOU DON’T NEED DDOS IN GRAPHQL

  44. ONE SIMPLE QUERY = DENIAL OF SERVICE

  45. WHAT CAN WE DO ABOUT IT?

  46. LIMIT DEPTH OF A QUERY

  48. 😀

  49. OK BUT WHAT IF…?

  50. 10000 USERS EACH ONE HAS 1000 FRIENDS

  51. 😀

  52. 10 000x 😐

  53. 1000x 10 000x 😳

  54. WE GET 10 000 000 ELEMENTS 1000x 10 000x 😱

  55. WHAT CAN WE DO ABOUT IT?

  56. USE PAGINATION

  57. 1. ADD A NEW SCALAR TYPE

  58. 2. ADD PAGINATION IN SCHEMA

  59. 2. ADD PAGINATION IN SCHEMA

  60. 3. HANDLE PAGINATION IN RESOLVERS

  61. 3. HANDLE PAGINATION IN RESOLVERS

  62. 😀

  63. 😀 10x

  64. 😀 10x 10x

  65. 🙂 10x 10x 10x

  66. 10x 10x 10x 10x 😐

  67. WE GET 10 000 ELEMENTS 10x 10x 10x 10x 😐

  68. WE CAN RELAX DEPTH LIMIT (BUT NOT ELIMINATE IT)

  69. OK BUT WHAT IF…?

  70. ONE TRIES TO EXCEED PAGE SIZE?

  72. NOTHING! WE’RE GOOD 😃

  73. OK BUT WHAT IF…?

  74. ONE USES ALIASES?

  75. 😀 …

  76. 😀 … 10x

  77. 😀 … 10x 10x

  78. 😀 … 10x 10x +

  79. 😀 … 10x 10x + 10x 10x

  80. 😀 … 10x 10x + 10x 10x + 10x 10x

  81. 😮 …

  82. 🥺 … 10x 10x

  83. 😢 … 10x 10x + 10x 10x

  84. 😰 … 10x 10x + 10x 10x + 10x 10x

  85. 😭 … (10x10) x 1 000 000

  86. 🤯 … WE GET 100 000 000 ELEMENTS

  87. IF THAT DOESN’T SCARE YOU YET

  88. ALIASES ALLOW ANOTHER KIND OF ATTACK…

  89. BRUTE FORCE

  90. CONSIDER THIS SCHEMA

  91. 1. I DON’T REMEMBER MY PASSWORD

  92. 1. I DON’T REMEMBER MY PASSWORD

  93. 2. I ASK FOR RESET TOKEN

  94. 2. I ASK FOR RESET TOKEN

  95. 3. I GET THE TOKEN

  96. 4. I CHANGE THE PASSWORD

  97. 4. I CHANGE THE PASSWORD

  98. 5. I LOG IN

  99. 5. I LOG IN

  100. IS IT SAFE?

  101. IS IT SAFE?

  102. SURE! YOU CAN’T CHANGE PASSWORD WITHOUT AN EMAIL AND TOKEN 😏
  103. OK BUT WHAT IF…?

  104. YOU HAVE AN EMAIL & YOU CAN GUESS THE TOKEN 🤔
  105. 1. LET’S GUESS

  106. 1. LET’S GUESS

  107. 1. LET’S GUESS

  108. 1. LET’S GUESS

  109. 2. LET’S LOG IN

  110. 2. LET’S LOG IN

  111. WHAT CAN WE DO ABOUT IT?

  112. 1. GENERATE SAFER TOKENS

  113. NOT THIS WAY! 1. GENERATE SAFER TOKENS

  114. 1. GENERATE SAFER TOKENS NOT THIS WAY!

  115. 🤡 1. GENERATE SAFER TOKENS NOT THIS WAY!

  116. 2. MAKE BRUTE FORCE HARDER

  117. QUERY COST ANALYSIS

  118. QUERY COST ANALYSIS

  119. QUERY COST ANALYSIS

  120. COST DIRECTIVE

  121. MULTIPLY COST BY PAGE SIZE

  122. MULTIPLY COST BY PAGE SIZE

  123. INCREASE COST OF DANGEROUS OPERATIONS
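The depth limit, the clamped page size, the alias multiplication and the cost directive from the slides above, combined in one small analyzer. This is an added example, not code from the talk: the schema metadata, the page-size cap, the per-field costs and the limits are all constructed, and the query is a hand-built selection tree rather than a parsed GraphQL document.

```javascript
// Added example, not the talk's code: a minimal cost-and-depth analyzer over a
// hand-built selection tree. Schema metadata, page-size cap and limits are constructed.
const MAX_PAGE_SIZE = 10; // hypothetical server-side cap on the `first` argument
const FIELD_META = {      // constructed schema metadata: list fields and base cost
  users:   { list: true,  cost: 1 },
  friends: { list: true,  cost: 1 },
  name:    { list: false, cost: 0 },
  requestPasswordReset: { list: false, cost: 50 }, // dangerous mutation, priced high
};

// Page size actually used: a `first` above the cap is clamped, so asking for
// 1000 friends costs the same as asking for 10.
function effectivePageSize(field) {
  return Math.min(field.args?.first ?? MAX_PAGE_SIZE, MAX_PAGE_SIZE);
}

// Returns { cost, depth } for selections shaped { name, alias?, args?, selections? }.
// Aliased repeats of one field are separate entries, so their costs add up.
function analyze(selections, depth = 1) {
  let cost = 0;
  let maxDepth = depth;
  for (const field of selections) {
    const meta = FIELD_META[field.name];
    if (!meta) throw new Error(`unknown field ${field.name}`);
    const child = analyze(field.selections || [], depth + 1);
    const multiplier = meta.list ? effectivePageSize(field) : 1;
    cost += multiplier * (meta.cost + child.cost); // page size multiplies nested cost
    if (field.selections) maxDepth = Math.max(maxDepth, child.depth);
  }
  return { cost, depth: maxDepth };
}

// Reject a query before execution when it exceeds either budget.
function validateQuery(selections, limits) {
  const { cost, depth } = analyze(selections);
  const reasons = [];
  if (depth > limits.maxDepth) reasons.push(`depth ${depth} > ${limits.maxDepth}`);
  if (cost > limits.maxCost) reasons.push(`cost ${cost} > ${limits.maxCost}`);
  return { ok: reasons.length === 0, cost, depth, reasons };
}

// Constructed sample: users -> friends -> friends -> name, ten per page,
// with the innermost page size deliberately over the cap.
const friendsOfFriends = [{ name: 'users', args: { first: 10 }, selections: [
  { name: 'friends', args: { first: 10 }, selections: [
    { name: 'friends', args: { first: 1000 }, selections: [{ name: 'name' }] },
  ] },
] }];
console.log(validateQuery(friendsOfFriends, { maxDepth: 5, maxCost: 1000 }));
```

Three aliased copies of the mutation priced at 50 exhaust a budget of 100 in a single request, which is how the cost directive makes the alias trick from the brute-force slides expensive rather than free.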

  124. 😀

  125. 😀

  126. 😀

  127. 😀

  128. 😀

  129. 😀

  130. OK BUT WHAT IF…?

  131. ONE TRIES TO EXECUTE MULTIPLE QUERIES?

  132. WE RATE LIMIT THEM

  133. EITHER AT THE HTTP SERVER (SAME AS WITH REST API)

  134. OR AT THE GRAPHQL SERVER

  135. ADD THE RATE LIMIT DIRECTIVE

  136. ADD SOME KIND OF A CLIENT ID TO THE CONTEXT

  137. CONFIGURE THE RATE LIMIT DIRECTIVE

  138. DEFINE RATE LIMIT DIRECTIVE IN SCHEMA

  139. LIMIT RATE OF EXECUTION (FOR ANY QUERY OR MUTATION)

  141. 😀

  142. 2 SECONDS LATER

  143. 😀 2 SECONDS LATER
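The rate-limit directive described in the preceding slides, reduced to a resolver wrapper so it runs offline. This is an added example, not the talk's code: the client-id rule, the limiter, the 1-per-2-seconds setting and the sample password-change resolver are all constructed.

```javascript
// Added example, not the talk's code: a sliding-window rate limit applied as a
// resolver wrapper, the way a rate-limit directive wraps a field. Limits, the
// client-id rule and the sample resolver are constructed for this example.

// "Add some kind of a client id to the context": prefer an authenticated user
// id, otherwise fall back to the caller's address.
function clientIdFromRequest(req) {
  return req.user?.id ? `user:${req.user.id}` : `ip:${req.ip}`;
}

// Sliding-window limiter with an injectable clock so it can run offline.
class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // clientId -> timestamps (ms) of calls inside the window
  }
  allow(clientId, nowMs = Date.now()) {
    const recent = (this.hits.get(clientId) || []).filter(t => nowMs - t < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(nowMs);
    this.hits.set(clientId, recent);
    return allowed;
  }
}

// Wrap a resolver: the limit is checked first, so a rejected call never reaches
// the database or the token comparison behind it. Each aliased copy of the field
// is a separate resolver invocation, so aliases count against the same limit.
function rateLimited(resolver, opts) {
  const limiter = new RateLimiter(opts);
  return (parent, args, context, info) => {
    if (!limiter.allow(context.clientId, context.now)) {
      throw new Error(`rate limit exceeded for ${context.clientId}: ${opts.limit} per ${opts.windowMs} ms`);
    }
    return resolver(parent, args, context, info);
  };
}

// Constructed resolver for the talk's password-change mutation: one attempt per
// client, then a 2-second wait.
const changePassword = rateLimited(
  (_parent, args) => ({ ok: args.token === 'constructed-valid-token' }),
  { limit: 1, windowMs: 2000 },
);
```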

  144. THAT’S ENOUGH …

  145. THAT’S ENOUGH TO MAKE GRAPHQL AS SECURE AS REST

  146. 1.LIMIT DEPTH

  147. 1.LIMIT DEPTH 2.PAGINATE DATA

  148. 1.LIMIT DEPTH 2.PAGINATE DATA 3.LIMIT RATE

  149. 1.LIMIT DEPTH 2.PAGINATE DATA 3.LIMIT RATE 4.ANALYZE COST (OPTIONAL)

  150. ONE MORE THING…

  151. MONITOR YOUR TRAFFIC! (YOU NEED TO KNOW WHO, WHEN AND HOW ATTACKS YOU)
  152. NEED MORE RESOURCES?

  153. OWASP - GRAPHQL CHEAT SHEET

  154. MACIEJ KOFEL - HACKOWANIE GRAPHQL PRESENTATION (IN POLISH)

  155. USE MEETJS CODE TO GET 20% DISCOUNT ON ALL RECORDED TALKS (IN POLISH)
  156. 7-WEEK ONLINE COURSE ON FULL-STACK GRAPHQL (ALSO IN POLISH) NEW EDITION STARTS SOON
  157. ANY QUESTIONS? Q&A GraphQL.pl/meetjs