Slide 1

Offensive GraphQL API Exploitation
Arun.S

Slide 2

whoami

query whoami {
  Arun.S, Senior Security Consultant @ IBM India Software Labs.
  Speaker at conferences and communities like c0c0n, BSides Delhi, Null/OWASP.
  Null Bangalore Chapter Lead, member of OWASP & BSides Bangalore.
  Certified: OSCP, eWPT, ECSA etc.
}

Slide 3

GraphQL

• GraphQL is open sourced by Facebook.
• GraphQL is a query language for APIs, not databases.
• GraphQL is often confused with being a database technology.
• A GraphQL server only exposes a single endpoint.

Source: Howtographql.com

Slide 4

GraphQL Schema

SDL: GraphQL has its own type system that is used to define the schema of an API. The syntax for writing schemas is called Schema Definition Language (SDL).

Queries
• Used for retrieving data/results.
• Similar to GET in REST.

Mutations
• Used for state-changing activities.
• Similar to POST/PUT/DELETE.

Subscriptions
• Used for events/real-time updates.

Slide 5

Link: https://lighthouse-php.com/tutorial/#what-is-graphql

Slide 6

Strengths

GraphQL architecture is gaining more popularity these days. Some of the reasons I can think of are:
• No more over- and under-fetching.
• Simple and efficient to use.
• Evolve APIs without versioning issues.
• Schema introspection.
• Adapts to different requirements for different clients.
• No wonder that big names like Facebook, Shopify, Pinterest, HackerOne etc.

Slide 7

Strengths (diagram: REST)

Slide 8

Strengths (diagram: GraphQL)

Slide 9

Strengths (diagram: GraphQL vs REST)

Slide 10

Weaknesses

Every technology has some disadvantages, and GraphQL does have a few:
• Query complexity & depth.
• Rate limiting & timeouts.
• Caching.

Slide 11

Opportunity for Hackers

• There is a wide scope for pentesters & bug bounty hunters on GraphQL.
• GraphQL endpoints like /graphql or /graphiql are still publicly available out there due to missing security best practices.

Slide 12

Recon: Introspection Allowed

• Queries/mutations via the schema
• Endpoint fuzzing
• &debug=1

Slide 13

Recon to the Rescue When Introspection Is Disabled

• Build queries & mutations
• Crawl the web app
• Parse JS files

Slide 14

Look for the Authentication

• No auth/protections on resolvers
• JWT
• ACL

Slide 15

Tools to the Rescue

• GQL Parser
• InQL
• GraphQL Voyager

Slide 16

Tools to the Rescue: GraphQL Voyager (screenshot)

Slide 17

Tools to the Rescue: GQL Parser (screenshot)

Slide 18

Tools to the Rescue: InQL (screenshot)

Slide 19

Labs to Practice

• Pentester Lab
• GQL Goat
• Digi Ninja Lab

Slide 20

Threats!!!

GraphQL gives enormous power to clients. But with great power comes great responsibility!!!

Slide 21

Vulnerabilities!!!

Most vulnerabilities related to REST APIs & web apps are applicable to GraphQL as well.

Slide 23

Threats!!!

GraphQL is great because it gives the client so much more power. But if not used properly it could cost them more than they can imagine.

Slide 24

Common Threats to Avoid

There are many approaches to secure your GraphQL server against these queries, but none of them is bullet proof. It is important to know what options are available, know their limits and take the best decision from them!
• Disable the well-known /graphql & /graphiql endpoints on the domain.
• Craft your own schema and avoid using an autogenerated SDL, which creates queries and mutations for you.
• Input validation, authentication & authorization should never be forgotten.
• Never trust user input.
• Enforce a limit on maximum query depth (~<10) and query complexity, set timeouts, and enable throttling based on server time & query complexity.

Slide 25

References

Labs:
• https://github.com/CarveSystems/vulnerable-graphql-api
• https://graphqlab.digi.ninja/
• https://pentesterlab.com/exercises/graphql/online
• https://www.hackerone.com/blog/graphql-week-hacker101-capture-flag-challenges

Tools:
• https://github.com/doyensec/inql
• https://github.com/br3akp0int/GQLParser

Slide 26

Credits

Slide template credit: https://hislide.io/
Demo app credit: https://carvesystems.com/

Slide 27

Thank you :)