WHO AM I?
▸ Michał Taszycki (@mehowte)
▸ 16 years of programming experience
▸ I can teach you to be better at programming
▸ GraphQL Mastery
▸ Kurs Reacta
▸ 64bites (Commodore 64 assembly)
▸ Organizer of the Festiwal React.js i GraphQL conference
YOU WILL ENJOY IT IF…
‣ You know the fundamentals of GraphQL
‣ You want to create your first public GraphQL server
‣ You don’t believe it’s possible to secure a public GraphQL server
YOU MIGHT NOT ENJOY IT IF…
‣ You know everything about GraphQL
‣ You can handle brute force and DoS/DDoS attacks
‣ You are not interested in GraphQL (duh)
‣ You believe that REST API is always better than GraphQL
THOSE ARE THE FACTS
GRAPHQL IS BETTER THAN REST API
BUT…
IT’S HARDER TO SECURE
SECURING ANY API = BOOK-SIZE TOPIC
LET’S FOCUS ON 2 KINDS OF ATTACKS
…THAT ARE EXTREMELY EASY TO DO IN GRAPHQL
1. DOS/DDOS
2. BRUTE FORCE
THIS IS OUR SCHEMA
WHAT COULD POSSIBLY GO WRONG?
LET’S SEE 😁
100 USERS
EACH ONE HAS JUST 10 FRIENDS
(each query level nests one more list; the counts multiply)
100x → WE GET 100 ELEMENTS
100x · 10x → WE GET 1 000 ELEMENTS
100x · 10x · 10x → WE GET 10 000 ELEMENTS
100x · 10x · 10x · 10x · 10x → WE GET 1 000 000 ELEMENTS
YOU DON’T NEED DDOS IN GRAPHQL
ONE SIMPLE QUERY = DENIAL OF SERVICE
WHAT CAN WE DO ABOUT IT?
LIMIT DEPTH OF A QUERY
…
OK BUT WHAT IF…?
10 000 USERS, EACH ONE HAS 1000 FRIENDS
1000x · 10 000x → WE GET 10 000 000 ELEMENTS
WHAT CAN WE DO ABOUT IT?
USE PAGINATION
1. ADD A NEW SCALAR TYPE
2. ADD PAGINATION IN SCHEMA
3. HANDLE PAGINATION IN RESOLVERS
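Steps 1-3 as an added example (not the talk's code): the check a page-size scalar performs, the assumed SDL, and one cursor resolver shared by every list field. The `PageSize` name, MAX_PAGE_SIZE, the `users`/`friends` fields and the sample users are assumptions.

```javascript
// Added example (not the talk's code). Assumed schema: users with a `friends` list;
// the `PageSize` scalar name, MAX_PAGE_SIZE and the resolver signatures are assumptions.
const MAX_PAGE_SIZE = 10;

// Step 2 (assumed SDL): list fields take a PageSize, never a plain Int, so the limit is
// enforced at argument-parsing time for every paginated field at once.
const typeDefs = `
  scalar PageSize
  type User { id: ID!  name: String!  friends(first: PageSize = 10, after: ID): [User!]! }
  type Query { users(first: PageSize = 10, after: ID): [User!]! }
`;

// Step 1: the check a PageSize scalar's parseValue/parseLiteral performs. Rejecting
// (rather than silently clamping) turns an oversized page into a visible client error.
function parsePageSize(value) {
  if (!Number.isInteger(value) || value < 1 || value > MAX_PAGE_SIZE) {
    throw new TypeError(`PageSize must be an integer in 1..${MAX_PAGE_SIZE}, got ${value}`);
  }
  return value;
}

// Constructed sample data: 25 users, each friends with all the others.
const ALL_IDS = Array.from({ length: 25 }, (_, i) => String(i + 1));
const USERS = ALL_IDS.map((id) => ({
  id,
  name: `user${id}`,
  friendIds: ALL_IDS.filter((other) => other !== id),
}));

// Step 3: cursor pagination shared by every list resolver. `after` is the id of the last
// item the client already has; an unknown cursor is an error, not a silent restart.
function paginate(items, { first = MAX_PAGE_SIZE, after }) {
  const size = parsePageSize(first);
  let start = 0;
  if (after != null) {
    const idx = items.findIndex((item) => item.id === after);
    if (idx < 0) throw new Error(`unknown cursor ${after}`);
    start = idx + 1;
  }
  return items.slice(start, start + size);
}

const resolvers = {
  Query: { users: (_root, args) => paginate(USERS, args) },
  User: {
    friends: (user, args) =>
      paginate(user.friendIds.map((id) => USERS.find((u) => u.id === id)), args),
  },
};
```

Because the scalar rejects `first: 1000` before any resolver runs, a client that tries to exceed the page size gets an error and the database is never asked for the oversized page.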
10x · 10x · 10x · 10x → WE GET 10 000 ELEMENTS
WE CAN RELAX
DEPTH LIMIT
(BUT NOT ELIMINATE IT)
OK BUT WHAT IF…?
ONE TRIES TO EXCEED PAGE SIZE?
NOTHING! WE’RE GOOD 😃
OK BUT WHAT IF…?
ONE USES ALIASES?
…
10x · 10x + 10x · 10x + 10x · 10x + … (one paginated subtree per alias)
(10x10) x 1 000 000
WE GET 100 000 000 ELEMENTS
IF THAT DOESN’T SCARE YOU YET, ALIASES ALLOW ANOTHER KIND OF ATTACK…
BRUTE FORCE
CONSIDER THIS SCHEMA
1. I DON’T REMEMBER MY PASSWORD
2. I ASK FOR RESET TOKEN
3. I GET THE TOKEN
4. I CHANGE THE PASSWORD
5. I LOG IN
IS IT SAFE?
SURE! YOU CAN’T CHANGE PASSWORD WITHOUT AN EMAIL AND TOKEN 😏
OK BUT WHAT IF…?
YOU HAVE AN EMAIL & YOU CAN GUESS THE TOKEN 🤔
1. LET’S GUESS
2. LET’S LOG IN
WHAT CAN WE DO ABOUT IT?
1. GENERATE SAFER TOKENS
NOT THIS WAY! 🤡
2. MAKE BRUTE FORCE HARDER
QUERY COST ANALYSIS
COST DIRECTIVE
MULTIPLY COST BY PAGE SIZE
INCREASE COST OF DANGEROUS OPERATIONS
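Added example, not the talk's code, serving both the depth limit from earlier and the cost analysis here: a pre-execution check over a selection tree that multiplies by page size, adds up aliased copies and prices dangerous operations higher. The tree shape, the per-field costs (what a `@cost` directive would declare) and the limits are assumptions.

```javascript
// Added example, not the talk's code. The selection-tree shape, the per-field costs
// (what a @cost directive would declare) and the limits are assumptions; a real server
// builds the tree from the parsed query document before any resolver runs.
const MAX_DEPTH = 5;
const MAX_COST = 10000;
const DEFAULT_PAGE = 10;   // assumed SDL default for `first`
const FIELD_COST = {
  users: { cost: 1, paginated: true },
  friends: { cost: 1, paginated: true },
  name: { cost: 0 },
  changePassword: { cost: 100 },   // dangerous operation: one guess is priced like 100 reads
};

// Depth of the longest selection path; a scalar leaf counts as one level.
function queryDepth(selections) {
  return selections.reduce((max, s) => Math.max(max, 1 + queryDepth(s.selections || [])), 0);
}

// A field costs its declared cost times the number of parent objects it will run for.
// A paginated field multiplies that for its children by the requested page size, and
// aliased copies are separate selections, so they simply add up.
function queryCost(selections, multiplier = 1) {
  let total = 0;
  for (const s of selections) {
    const def = FIELD_COST[s.name] || { cost: 1 };
    total += def.cost * multiplier;
    const fanOut = def.paginated ? (s.args && s.args.first) || DEFAULT_PAGE : 1;
    total += queryCost(s.selections || [], multiplier * fanOut);
  }
  return total;
}

// Run before execution: reject on depth first (the cheaper check), then on cost.
function validate(selections) {
  const depth = queryDepth(selections);
  if (depth > MAX_DEPTH) return { ok: false, reason: `depth ${depth} > ${MAX_DEPTH}` };
  const cost = queryCost(selections);
  if (cost > MAX_COST) return { ok: false, reason: `cost ${cost} > ${MAX_COST}` };
  return { ok: true, depth, cost };
}

// Constructed query: users(first:10){ friends(first:10){ ... { name } } }, `levels` list
// fields deep, the deck's friends-of-friends chain.
function nestedQuery(levels) {
  let selections = [{ name: 'name' }];
  for (let i = 0; i < levels; i++) {
    selections = [{ name: i === levels - 1 ? 'users' : 'friends', args: { first: 10 }, selections }];
  }
  return selections;
}
```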
OK BUT WHAT IF…?
ONE TRIES TO EXECUTE MULTIPLE QUERIES?
WE RATE LIMIT THEM
EITHER AT THE HTTP SERVER (SAME AS WITH REST API)
OR AT THE GRAPHQL SERVER:
ADD THE RATE LIMIT DIRECTIVE
ADD SOME KIND OF A CLIENT ID TO THE CONTEXT
CONFIGURE THE RATE LIMIT DIRECTIVE
DEFINE RATE LIMIT DIRECTIVE IN SCHEMA
LIMIT RATE OF EXECUTION (FOR ANY QUERY OR MUTATION)
2 SECONDS LATER 😀
THAT’S ENOUGH TO MAKE GRAPHQL AS SECURE AS REST
1. LIMIT DEPTH
2. PAGINATE DATA
3. LIMIT RATE
4. ANALYZE COST (OPTIONAL)
ONE MORE THING…
MONITOR YOUR TRAFFIC!
(YOU NEED TO KNOW WHO ATTACKS YOU, WHEN AND HOW)
NEED MORE RESOURCES?
OWASP - GRAPHQL CHEAT SHEET
MACIEJ KOFEL - HACKOWANIE GRAPHQL PRESENTATION (IN POLISH)
ALL RECORDED TALKS (IN POLISH) - USE MEETJS CODE TO GET 20% DISCOUNT
7-WEEK ONLINE COURSE ON FULL-STACK GRAPHQL (ALSO IN POLISH) - NEW EDITION STARTS SOON