Slide 1

GRAPHQL Hacking Presented by Anugrah SR

Slide 2

ANUGRAH S R
Cyber Security Consultant and Security Researcher
Bug Bounty Hunter | Synack Red Team Member
Hacked and secured multiple organisations including Apple, Redbull, Sony, Dell, Netflix and many more
Twitter: @cyph3r_asr | LinkedIn: anugrah-sr | Blog: www.anugrahsr.in
Connect with me

Slide 3

AGENDA
- What is GraphQL?
- Why GraphQL?
- Reconnaissance / Discovery
- Hacking GraphQL

Slide 4

- Bug bounty hunter: $$$$
- Pentester / VAPT: an amazing finding for your report
- Developer: make your app more secure

Slide 5

GraphQL is an open-source data query and manipulation language for APIs, together with a runtime for executing those queries. It was created by Facebook and made public in 2015, and it offers an alternative to REST APIs for data retrieval.

Slide 6

Why GraphQL?
GraphQL was created for more flexible and efficient API development and addresses limitations of REST APIs. With REST, a client often needs multiple round trips to the server to assemble the data for a single view. GraphQL removes that need by letting the client specify exactly the data it wants in a single request.

Slide 7

REST vs GraphQL

Slide 8

Why GraphQL?
- Avoid over- and under-fetching: the client constructs its query to include only the fields it needs, so the server returns exactly those.
- Prevent multiple API calls: when more data is needed it is requested in the same query. In the example on this slide, you do not need two API calls to fetch /order and /product separately.
- API versioning: when new features are needed, additional fields, queries and mutations can be added to the server without affecting other parts of the application, and old fields are easier to deprecate and remove.
- Self-documenting: every GraphQL API conforms to a schema, which is the graph data model and defines which queries a client can make.

Slide 9

Who is using GraphQL?

Slide 10

Reconnaissance / Discovery
Common endpoint paths:
/graphql
/graphql/console
/graphql.php
/graphiql.php
/explorer
/altair
/playground
Wordlist: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt

Slide 11

Reconnaissance / Discovery
Fuzzing with ffuf:
ffuf -w graphql.txt -u https://target/FUZZ
Nuclei:
# List of targets
nuclei -t graphql-detect.yaml -l target_domains.txt
# Single target
nuclei -t graphql-detect.yaml -u https://example.com

Slide 12

Reconnaissance / Discovery
Graphw00f (fingerprints which GraphQL server implementation is running):
python3 main.py -f -d -t http://localhost:5000
https://github.com/dolevf/graphw00f
GraphQL Threat Matrix (maps implementations to the attacks and defaults that affect them):
https://github.com/nicholasaleks/graphql-threat-matrix/
Other tools for discovery: goctopus, graphinder

Slide 13

Introspection Query
A special type of query that retrieves the schema of a GraphQL API. The schema defines the types the API can return, the fields available on those types, and the arguments that can be passed to those fields. Legitimate uses: generating documentation for an API and debugging an issue with the schema. For a tester it answers two questions: where is the API documentation, and which API functions exist?
query {
  __schema {
    types {
      name
      fields {
        name
        type {
          name
          kind
        }
      }
    }
  }
}
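The query on this slide only lists type and field names. The script below is an added example (not part of the deck, nor of any tool it mentions): it sends the fuller standard introspection query, then turns the JSON answer into the two things a tester wants first, the list of root queries and mutations with their argument signatures, and the fields whose names hint at sensitive data. The schema in SAMPLE_RESPONSE is constructed for the demo; the field names and keywords are assumptions, not from any real target.

```python
import json
from typing import Any, Dict, List

# Standard introspection query, trimmed to the root operation types and, per
# type, each field's name, arguments and (possibly wrapped) type.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      kind
      name
      fields(includeDeprecated: true) {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind
  name
  ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

def type_to_sdl(t: Dict[str, Any]) -> str:
    """Unwrap NON_NULL / LIST layers into SDL notation, e.g. [User!]!"""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return type_to_sdl(t.get("ofType")) + "!"
    if t["kind"] == "LIST":
        return "[" + type_to_sdl(t.get("ofType")) + "]"
    return t.get("name") or "?"

def list_operations(introspection: Dict[str, Any]) -> Dict[str, List[str]]:
    """One SDL-style signature per root field, grouped by operation type,
    e.g. {"query": ["user(id: ID!): User", ...], "mutation": [...], ...}."""
    schema = introspection["data"]["__schema"]
    types_by_name = {t["name"]: t for t in schema["types"]}
    result: Dict[str, List[str]] = {}
    for op in ("query", "mutation", "subscription"):
        root = schema.get(op + "Type")
        if not root:
            result[op] = []
            continue
        sigs = []
        for f in types_by_name[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_to_sdl(a['type'])}" for a in f.get("args") or [])
            sigs.append(f"{f['name']}({args}): {type_to_sdl(f['type'])}" if args
                        else f"{f['name']}: {type_to_sdl(f['type'])}")
        result[op] = sorted(sigs)
    return result

# Assumed keyword list; tune it per engagement.
SENSITIVE_KEYWORDS = ("password", "token", "secret", "key", "admin", "ssn", "private")

def find_sensitive_fields(introspection: Dict[str, Any], keywords=SENSITIVE_KEYWORDS) -> List[str]:
    """Fields on user-defined types whose name contains a keyword (case-insensitive);
    the built-in __ types are skipped."""
    hits = []
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"].startswith("__"):
            continue
        for f in t.get("fields") or []:
            lowered = f["name"].lower()
            if any(k in lowered for k in keywords):
                hits.append(f"{t['name']}.{f['name']}")
    return sorted(hits)

# Constructed sample answer to INTROSPECTION_QUERY (not from a real target).
def _scalar(n): return {"kind": "SCALAR", "name": n, "ofType": None}
def _obj(n): return {"kind": "OBJECT", "name": n, "ofType": None}
def _nn(t): return {"kind": "NON_NULL", "name": None, "ofType": t}
def _list(t): return {"kind": "LIST", "name": None, "ofType": t}

SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": _nn(_scalar("ID"))}], "type": _obj("User")},
            {"name": "users", "args": [], "type": _nn(_list(_nn(_obj("User"))))}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "resetPassword", "args": [{"name": "email", "type": _nn(_scalar("String"))}], "type": _scalar("Boolean")},
            {"name": "deleteUser", "args": [{"name": "id", "type": _nn(_scalar("ID"))}], "type": _scalar("Boolean")}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": _nn(_scalar("ID"))},
            {"name": "email", "args": [], "type": _scalar("String")},
            {"name": "passwordHash", "args": [], "type": _scalar("String")},
            {"name": "apiToken", "args": [], "type": _scalar("String")}]},
        {"kind": "SCALAR", "name": "ID", "fields": None},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "SCALAR", "name": "Boolean", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": [{"name": "types", "args": [], "type": _obj("__Type")}]},
    ]}}}

if __name__ == "__main__":
    print(json.dumps(list_operations(SAMPLE_RESPONSE), indent=2))
    print(find_sensitive_fields(SAMPLE_RESPONSE))
```

Against a live endpoint, POST `{"query": INTROSPECTION_QUERY}` as JSON and feed the decoded body to the two functions; `deleteUser`, `resetPassword`, `User.passwordHash` and `User.apiToken` are the kind of names that go straight into the BFLA and information-disclosure tests later in the deck.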

Slide 14

GraphQL Voyager Schema visualization https://ivangoncharov.github.io/graphql-voyager/

Slide 15

What if the introspection query is disabled?
clairvoyance: https://github.com/nikitastupin/clairvoyance
Let's abuse GraphQL's field and operation suggestions: when a query names a field that does not exist, many servers answer with an error such as "Did you mean ...?" that leaks real field names. clairvoyance drives that behaviour with a wordlist to reconstruct the schema without introspection.
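The core of the technique, as an added example written for this page (it is not clairvoyance's code): parse the "Did you mean" hint, queue every suggested name, and confirm each by querying it. FakeGraphQLServer is a constructed stand-in that mimics graphql-js's suggestion behaviour with difflib so the loop runs offline; the schema and wordlist in it are invented, and the http_query_field adapter assumes the target accepts JSON POSTs at the given URL.

```python
import difflib
import json
import re
import urllib.request
from typing import Callable, Dict, List, Set
from urllib.error import HTTPError

# graphql-js style hint:
#   Cannot query field "usr" on type "Query". Did you mean "user" or "users"?
SUGGESTION_RE = re.compile(r'Did you mean (.+?)\?')
QUOTED_RE = re.compile(r'"([^"]+)"')

def parse_suggestions(message: str) -> List[str]:
    """Field names the server volunteered in a 'Did you mean' hint."""
    m = SUGGESTION_RE.search(message)
    return QUOTED_RE.findall(m.group(1)) if m else []

class FakeGraphQLServer:
    """Constructed stand-in for a target with introspection disabled. Like
    graphql-js it answers an unknown field with close matches from the real type."""
    def __init__(self, schema: Dict[str, Set[str]]):
        self.schema = schema            # type name -> real field names
        self.requests = 0
    def query_field(self, type_name: str, field: str) -> Dict:
        self.requests += 1
        fields = self.schema[type_name]
        if field in fields:
            return {"data": {field: None}}
        close = difflib.get_close_matches(field, sorted(fields), n=5, cutoff=0.5)
        msg = f'Cannot query field "{field}" on type "{type_name}".'
        if close:
            msg += " Did you mean " + ", ".join(f'"{c}"' for c in close) + "?"
        return {"errors": [{"message": msg}]}

def harvest_fields(query_field: Callable[[str, str], Dict], type_name: str, wordlist: List[str]) -> List[str]:
    """Confirm real fields of type_name using the wordlist plus the server's own
    suggestions: every suggested name is queued and verified by querying it,
    so nothing is reported that the server did not actually accept."""
    confirmed: Set[str] = set()
    tried: Set[str] = set()
    queue = list(wordlist)
    while queue:
        guess = queue.pop(0)
        if guess in tried:
            continue
        tried.add(guess)
        resp = query_field(type_name, guess)
        if "errors" not in resp:
            confirmed.add(guess)
            continue
        for err in resp["errors"]:
            for name in parse_suggestions(err.get("message", "")):
                if name not in tried:
                    queue.append(name)
    return sorted(confirmed)

def http_query_field(url: str) -> Callable[[str, str], Dict]:
    """Adapter for a live target (assumed JSON POST endpoint). It selects the
    field at the root, so it covers the Query type; nested types need the
    path to them prepended to the selection."""
    def send(type_name: str, field: str) -> Dict:
        body = json.dumps({"query": "{ " + field + " }"}).encode()
        req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read())
        except HTTPError as e:              # validation errors usually come back as 400
            return json.loads(e.read())
    return send

# Constructed schema and wordlist for the offline demo.
CONSTRUCTED_SCHEMA = {"Query": {"user", "users", "userByEmail", "session", "sessions", "adminStats"}}
WORDLIST = ["usr", "sesion", "admin", "id"]

if __name__ == "__main__":
    server = FakeGraphQLServer(CONSTRUCTED_SCHEMA)
    print(harvest_fields(server.query_field, "Query", WORDLIST), "in", server.requests, "requests")
```

Four wordlist entries recover five real fields here; `userByEmail` stays hidden because nothing in the wordlist is close enough to it, which is why clairvoyance ships with, and benefits from, large field-name wordlists. The defensive counterpart is to disable suggestions (or return generic validation errors) in production.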

Slide 16

Recommended Tools/Extensions
Burp Suite: GraphQL Raider, InQL
Browser extension: Altair

Slide 17

GraphQL Operations (query, mutation and subscription)

Slide 18

GraphQL Operations

Slide 19

GraphQL is so good! Or is it?

Slide 20

Information Disclosure

Slide 21

Information Disclosure - High

Slide 22

https://hackerone.com/reports/419883

Slide 23

HANDS-ON TIME
https://www.vulnmachines.com
http://hackme3.vulnmachines.com:8088/

Slide 24

Denial of Service (DoS)
- Resource-intensive query attack
- Batch query attack
- Alias-based attack
- Field duplication attack
- Deep recursion query attack
All of these are forms of Unrestricted Resource Consumption: one request, or one cheap batch of requests, makes the server do arbitrarily much work.
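An added example (not from the deck) that shows both sides of the list above: generators for the alias, field-duplication, deep-recursion and batch variants, and the admission check a server should run before executing anything. The analyzer is a small single-pass tokenizer rather than a full parser; field names such as `expensiveReport`, `posts` and `author` and the numbers in LIMITS are assumptions for the demo.

```python
import json
import re
from typing import Dict, Tuple

# Block strings, strings, comments, spread, names, punctuators, anything else.
_TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.|[A-Za-z_][A-Za-z0-9_]*|[{}():@]|\S'
)

def _is_name(tok: str) -> bool:
    return bool(tok) and (tok[0].isalpha() or tok[0] == "_")

def analyze_query(query: str) -> Dict[str, int]:
    """One pass over a GraphQL document returning the metrics a cost limiter
    enforces: 'depth' (nesting of selection sets, root = 1), 'aliases'
    (alias: field pairs) and 'fields' (selections, each counted once).
    Strings and comments are skipped so braces inside them do not count;
    fragment spreads are not expanded, so fragment bodies are counted where
    they are defined, not per use."""
    depth = max_depth = paren = aliases = fields = 0
    prev = ""
    in_spread = False      # after '...': skip the fragment name or 'on Type'
    for tok in (m.group(0) for m in _TOKEN_RE.finditer(query)):
        if tok.startswith('"') or tok.startswith("#"):
            prev = tok
            continue
        if tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
            in_spread = False
        elif tok == "}":
            depth -= 1
        elif tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif tok == "...":
            in_spread = True
        elif tok == ":":
            if paren == 0 and depth > 0 and _is_name(prev):   # 'name:' outside arguments is an alias
                aliases += 1
        elif _is_name(tok) and paren == 0 and depth > 0:
            if in_spread:
                if tok != "on":
                    in_spread = False                          # consumed fragment name / type condition
            elif prev not in (":", "@"):                       # not the field after an alias, not a directive
                fields += 1
        prev = tok
    return {"depth": max_depth, "aliases": aliases, "fields": fields}

def alias_batch(field: str, n: int) -> str:
    """Alias-based attack: one request, n executions of the same resolver."""
    return "{ " + " ".join(f"a{i}: {field}" for i in range(n)) + " }"

def field_duplication(field: str, n: int) -> str:
    """Field duplication: engines that do not merge identical selections resolve it n times."""
    return "{ " + " ".join([field] * n) + " }"

def deep_recursion(outer: str, inner: str, levels: int, leaf: str = "id") -> str:
    """Deep recursion over a cyclic relation: posts { author { posts { ... } } }"""
    sel = leaf
    for i in range(levels):
        sel = f"{outer if i % 2 == 0 else inner} {{ {sel} }}"
    return "{ " + sel + " }"

def batch_of(query: str, n: int) -> str:
    """Batch query attack: a JSON array of n operations in a single request body."""
    return json.dumps([{"query": query} for _ in range(n)])

LIMITS = {"max_depth": 8, "max_aliases": 20, "max_fields": 200, "max_batch": 5}   # assumed values

def check_request(body: str, limits: Dict[str, int] = LIMITS) -> Tuple[bool, str]:
    """Admission control to run before execution: reject over-large batches and
    documents that exceed the limits, with a reason suitable for a 4xx response."""
    parsed = json.loads(body)
    ops = parsed if isinstance(parsed, list) else [parsed]
    if len(ops) > limits["max_batch"]:
        return False, f"batch of {len(ops)} operations exceeds max_batch={limits['max_batch']}"
    for i, op in enumerate(ops):
        m = analyze_query(op.get("query", ""))
        for key, name in (("depth", "max_depth"), ("aliases", "max_aliases"), ("fields", "max_fields")):
            if m[key] > limits[name]:
                return False, f"operation {i}: {key}={m[key]} exceeds {name}={limits[name]}"
    return True, "ok"

if __name__ == "__main__":
    for label, body in [
        ("aliases", json.dumps({"query": alias_batch("expensiveReport", 50)})),
        ("duplication", json.dumps({"query": field_duplication("expensiveReport", 300)})),
        ("recursion", json.dumps({"query": deep_recursion("posts", "author", 10)})),
        ("batch", batch_of("{ me { id } }", 10)),
        ("benign", json.dumps({"query": "{ me { id name } }"})),
    ]:
        print(label, check_request(body))
```

Structural limits like these stop the cheap variants; a resource-intensive query that stays within them (one deep-but-allowed join over a large table) still needs per-field cost weights and timeouts, which is what the "resource intensive query" bullet refers to.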

Slide 25

Server-Side Request Forgery (SSRF)
Allows an attacker to induce the server-side application to make requests to an unintended location. In GraphQL the usual sink is a query or mutation argument that a resolver uses as a URL to fetch.

Slide 26

Broken Object Level Authorization (BOLA)
Broken Object Level Authorization, formerly known as Insecure Direct Object Reference (IDOR), remains the top risk in the OWASP API Security Top 10 (API1 in 2023, as it was in 2019).

Slide 27

Broken Authentication
Authentication is "broken" when attackers can compromise passwords, keys, session tokens or user account information and use them to assume other users' identities.

Slide 28

Broken Object Property Level Authorization (BOPLA)
It is crucial to verify that a user is authorized to access the specific fields of a GraphQL object they request through the API. BOPLA is a new entry in the 2023 list that combines the 2019 list's Excessive Data Exposure and Mass Assignment. Example of a sensitive property: recentLocation.

Slide 29

Broken Function Level Authorization (BFLA)
BFLA is a permission-level IDOR: a regular user can perform an administrator-level function. For example, an attacker could exploit a BFLA vulnerability to ban other users, an action normally reserved for moderators.
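The three authorization classes on the BOLA, BOPLA and BFLA slides differ in what the resolver must compare the caller against. The resolvers below are an added example written for this page (not from the deck or any framework); the users, orders, role names and the recentLocation/banned properties are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

class Forbidden(Exception):
    """Raised by a resolver when the caller is not allowed; surfaces as a GraphQL error."""

@dataclass
class Viewer:
    """The authenticated caller, taken from the request context, never from query arguments."""
    user_id: str
    roles: Set[str] = field(default_factory=set)

# Constructed in-memory data standing in for the database.
USERS: Dict[str, Dict[str, Any]] = {
    "u1": {"id": "u1", "email": "alice@example.com", "recentLocation": "52.37,4.90", "banned": False},
    "u2": {"id": "u2", "email": "bob@example.com", "recentLocation": "48.86,2.35", "banned": False},
}
ORDERS: Dict[str, Dict[str, Any]] = {"o1": {"id": "o1", "owner": "u1", "total": 42}}

# Property-level policy for User (BOPLA): what a stranger may read, what the owner may read,
# and what a client may ever write ('banned' is never client-writable: mass assignment).
PUBLIC_USER_FIELDS = {"id"}
OWNER_USER_FIELDS = {"id", "email", "recentLocation", "banned"}
WRITABLE_USER_FIELDS = {"email"}

def _is_admin(v: Viewer) -> bool:
    return "admin" in v.roles

def resolve_order(viewer: Viewer, order_id: str) -> Dict[str, Any]:
    """BOLA: the id in the argument is not enough; the object's owner must match the caller."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    if order["owner"] != viewer.user_id and not _is_admin(viewer):
        raise Forbidden(f"{viewer.user_id} may not read order {order_id}")
    return order

def resolve_user(viewer: Viewer, user_id: str, requested: List[str]) -> Dict[str, Any]:
    """BOPLA on read: a stranger gets public fields only. Disallowed fields are refused
    outright rather than silently nulled, so a client cannot probe for them."""
    user = USERS[user_id]
    is_owner = viewer.user_id == user_id
    allowed = OWNER_USER_FIELDS if (is_owner or _is_admin(viewer)) else PUBLIC_USER_FIELDS
    denied = set(requested) - allowed
    if denied:
        raise Forbidden(f"fields {sorted(denied)} of User {user_id} are not visible to {viewer.user_id}")
    return {name: user[name] for name in requested}

def resolve_update_user(viewer: Viewer, user_id: str, changes: Dict[str, Any]) -> Dict[str, Any]:
    """BOPLA on write: owner (or admin) only, and only allowlisted properties may change."""
    if viewer.user_id != user_id and not _is_admin(viewer):
        raise Forbidden(f"{viewer.user_id} may not update User {user_id}")
    extra = set(changes) - WRITABLE_USER_FIELDS
    if extra:
        raise Forbidden(f"properties {sorted(extra)} are not client-writable")
    USERS[user_id].update(changes)
    return USERS[user_id]

def resolve_ban_user(viewer: Viewer, user_id: str) -> bool:
    """BFLA: the mutation itself is privileged, regardless of which object it targets."""
    if not (viewer.roles & {"moderator", "admin"}):
        raise Forbidden(f"{viewer.user_id} lacks the moderator role required by banUser")
    USERS[user_id]["banned"] = True
    return True

def is_denied(resolver: Callable[..., Any], *args: Any) -> bool:
    """True when the resolver refuses the call with Forbidden."""
    try:
        resolver(*args)
        return False
    except Forbidden:
        return True

if __name__ == "__main__":
    alice, bob, mod = Viewer("u1"), Viewer("u2"), Viewer("m1", {"moderator"})
    print("bob reads alice's order:", is_denied(resolve_order, bob, "o1"))                          # BOLA
    print("bob reads alice's recentLocation:", is_denied(resolve_user, bob, "u1", ["recentLocation"]))  # BOPLA
    print("alice sets her own banned flag:", is_denied(resolve_update_user, alice, "u1", {"banned": False}))
    print("bob bans alice:", is_denied(resolve_ban_user, bob, "u1"))                               # BFLA
    print("moderator bans alice:", resolve_ban_user(mod, "u1"))
```

When testing, the GraphQL-specific twist is that one document can exercise all three at once (an aliased `user(id: "u1") { recentLocation }` next to a `banUser` mutation), so each resolver must enforce its own check instead of relying on a gate at the HTTP layer.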

Slide 30

Lack of Protection from Automated Threats
Developers should be aware of this risk and implement measures to prevent excessive automated access to business-sensitive API endpoints: rate limiting, user behaviour analysis and CAPTCHAs.

Slide 31

Improper Inventory Management
Developers should clearly understand their API inventory and maintain thorough documentation. Security by obscurity: a DevSecOps engineer disables introspection in the production environment but leaves it enabled on publicly reachable staging environments.
Introspection enabled:
https://target.com - ❌
https://dev.target.com - ✅
https://staging.target.com - ✅
https://uat.target.com - ✅
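The endpoint discovery on the Reconnaissance slides and the per-environment introspection check on this slide are the same two probes run over a host list, so one added example (written for this page, not taken from the deck or from any of the tools it names) covers both: a `{ __typename }` probe to find GraphQL endpoints and a `{ __schema { ... } }` probe to see which ones still answer introspection. The paths are the slide's list; `fake_transport` and its three endpoints are constructed so the script runs offline, and `http_transport` assumes JSON POST endpoints.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError

# Paths from the slide; extend from SecLists' graphql.txt for a real run.
COMMON_PATHS = ["/graphql", "/graphql/console", "/graphql.php", "/graphiql.php",
                "/explorer", "/altair", "/playground"]

PRESENCE_PROBE = json.dumps({"query": "{ __typename }"})        # answered by every GraphQL endpoint
INTROSPECTION_PROBE = json.dumps({"query": "{ __schema { queryType { name } } }"})

Transport = Callable[[str, str], Tuple[int, str]]   # (url, json body) -> (status, response body)

def http_transport(url: str, body: str, timeout: float = 5.0) -> Tuple[int, str]:
    """POST the JSON body; 4xx bodies are returned too, since validation errors arrive as 400."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "User-Agent": "graphql-inventory/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except URLError:
        return 0, ""

def looks_like_graphql(body: str) -> bool:
    """data.__typename is the definitive signal; a GraphQL-shaped errors list is a
    weaker heuristic for engines that reject the probe but still parsed it."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    data = doc.get("data")
    if isinstance(data, dict) and data.get("__typename"):
        return True
    errors = doc.get("errors")
    return isinstance(errors, list) and bool(errors) and all(isinstance(e, dict) and "message" in e for e in errors)

def introspection_enabled(body: str) -> bool:
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    data = doc.get("data") if isinstance(doc, dict) else None
    return isinstance(data, dict) and isinstance(data.get("__schema"), dict)

def inventory(hosts: List[str], paths: List[str], transport: Transport = http_transport) -> Dict[str, Dict[str, bool]]:
    """For every host x path that answers like GraphQL, record whether introspection is open."""
    found: Dict[str, Dict[str, bool]] = {}
    for host in hosts:
        for path in paths:
            url = host.rstrip("/") + path
            _, body = transport(url, PRESENCE_PROBE)
            if not looks_like_graphql(body):
                continue
            _, body2 = transport(url, INTROSPECTION_PROBE)
            found[url] = {"introspection": introspection_enabled(body2)}
    return found

# Constructed offline stand-in: prod blocks introspection, dev/staging do not, uat has no endpoint.
_FAKE_ENDPOINTS = {"https://target.com/graphql": False,
                   "https://staging.target.com/graphql": True,
                   "https://dev.target.com/graphql": True}

def fake_transport(url: str, body: str) -> Tuple[int, str]:
    query = json.loads(body)["query"]
    if url not in _FAKE_ENDPOINTS:
        return 404, "<html><body>Not Found</body></html>"
    if "__schema" in query:
        if not _FAKE_ENDPOINTS[url]:
            return 400, json.dumps({"errors": [{"message":
                "GraphQL introspection is not allowed, but the query contained __schema or __type"}]})
        return 200, json.dumps({"data": {"__schema": {"queryType": {"name": "Query"}}}})
    return 200, json.dumps({"data": {"__typename": "Query"}})

HOSTS = ["https://target.com", "https://dev.target.com", "https://staging.target.com", "https://uat.target.com"]

if __name__ == "__main__":
    for url, info in inventory(HOSTS, COMMON_PATHS, fake_transport).items():
        print(url, "introspection:", "enabled" if info["introspection"] else "disabled")
```

Swap `fake_transport` for `http_transport` to run it against real hosts; the output is exactly the table on this slide, and a staging host with introspection enabled gives you the production schema, since the two are normally built from the same code.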

Slide 32

Injection Attacks: OS Command Injection
An attacker supplies untrusted input that an interpreter processes as part of a command or query, which alters the execution of the program. GraphQL itself is not the interpreter: the sinks are the resolvers that take query arguments and pass them to a shell, a database or an HTML page.

Slide 33

Injection Attacks: Stored XSS

Slide 34

Injection Attacks: SQL Injection
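The SQL case, as an added example written for this page (it is not code from the deck or from any target): a resolver that splices a query argument into SQL next to the same resolver with a bound parameter, run against a constructed in-memory SQLite table. The `users` table, its rows and the field names are invented for the demo.

```python
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample database (in memory) standing in for the app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
                     [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0),
                      ("carol", "carol@example.com", 0)])
    conn.commit()
    return conn

def resolve_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Resolver for  query { user(username: "...") { username email } }  that splices
    the argument into SQL. GraphQL only validates that the argument is a String;
    the quote character passes straight through to the database."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def resolve_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Same resolver with a bound parameter: the value never becomes SQL syntax."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()

# Payloads as they reach the resolver. The GraphQL and JSON quoting around them is
# irrelevant to the SQL engine that finally sees them.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username, is_admin FROM users --"

def graphql_request(payload: str) -> dict:
    """The request body a tester sends; variables keep the payload out of the document,
    so no GraphQL string escaping is needed."""
    return {"query": "query ($u: String!) { user(username: $u) { username email } }",
            "variables": {"u": payload}}

if __name__ == "__main__":
    conn = make_db()
    print(graphql_request(PAYLOAD_TAUTOLOGY))
    print("vulnerable, tautology:", resolve_user_vulnerable(conn, PAYLOAD_TAUTOLOGY))  # every row
    print("vulnerable, union:", resolve_user_vulnerable(conn, PAYLOAD_UNION))          # is_admin in the email column
    print("safe, tautology:", resolve_user_safe(conn, PAYLOAD_TAUTOLOGY))             # no rows
```

The UNION payload shows why GraphQL does not narrow the impact: the selection set fixes which columns the client sees, but the injected SELECT decides what fills them. The same pattern applies to the OS command and stored XSS slides, with the shell and the browser as the interpreter instead of the database.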

Slide 35

Resources
Blogs
https://github.com/Escape-Technologies/awesome-graphql-security
https://www.acceis.fr/graphql-for-pentesters/
https://anugrahsr.in/graphql-pentesting-for-dummies_part1
https://anugrahsr.in/graphql-pentesting-for-dummies_part2
https://blog.postman.com/owasp-api-security-top-10-2023-and-graphql/
https://anmolksachan.github.io/graphql/
Labs
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
https://github.com/InsiderPhD/Generic-University

Slide 37

EHACKIFY-100-OFF EHACKIFY-90-OFF For all exams. - 90% discount. Till Sunday.