Slide 1

Slide 1 text

HOW TO SECURE A PUBLIC GRAPHQL API? ☠

Slide 2

Slide 2 text

WHO AM I? ▸ Michał Taszycki (@mehowte) ▸ 16 years of programming experience ▸ I can teach you to be better at programming ▸ GraphQL Mastery ▸ Kurs Reacta (React course) ▸ 64bites (Commodore 64 assembly) ▸ Organizer of the Festiwal React.js i GraphQL conference

Slide 3

Slide 3 text

GraphQL.pl/meetjs SOURCE CODE, TOOLS, SLIDES, LINKS & 🎁

Slide 4

Slide 4 text

YOU WILL ENJOY THIS PRESENTATION

Slide 5

Slide 5 text

YOU WILL ENJOY THIS PRESENTATION IF…

Slide 6

Slide 6 text

YOU WILL ENJOY IT IF… ‣ You know the fundamentals of GraphQL ‣ You want to create your first public GraphQL server ‣ You don’t believe it’s possible to secure a public GraphQL server

Slide 7

Slide 7 text

YOU MIGHT NOT ENJOY IT IF… ‣ You know everything about GraphQL ‣ You can already handle brute force and DoS/DDoS attacks ‣ You are not interested in GraphQL (duh) ‣ You believe that a REST API is always better than GraphQL

Slide 8

Slide 8 text

THOSE ARE THE FACTS

Slide 9

Slide 9 text

GRAPHQL IS BETTER THAN REST API

Slide 10

Slide 10 text

GRAPHQL IS BETTER THAN REST API

Slide 11

Slide 11 text

BUT…

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

IT’S HARDER TO SECURE

Slide 14

Slide 14 text

SECURING ANY API = BOOK-SIZE TOPIC

Slide 15

Slide 15 text

LET’S FOCUS ON 2 KINDS OF ATTACKS

Slide 16

Slide 16 text

…THAT ARE EXTREMELY EASY TO DO IN GRAPHQL

Slide 17

Slide 17 text

1. DOS/DDOS

Slide 18

Slide 18 text

1. DOS/DDOS 2. BRUTE FORCE

Slide 19

Slide 19 text

THIS IS OUR SCHEMA

Slide 20

Slide 20 text

WHAT COULD POSSIBLY GO WRONG?

Slide 21

Slide 21 text

WHAT COULD POSSIBLY GO WRONG?

Slide 22

Slide 22 text

LET’S SEE😁

Slide 23

Slide 23 text

100 USERS, EACH ONE HAS JUST 10 FRIENDS

Slide 24

Slide 24 text

😀

Slide 25

Slide 25 text

100x 😀

Slide 26

Slide 26 text

WE GET 100 ELEMENTS 100x 😀

Slide 27

Slide 27 text

😀

Slide 28

Slide 28 text

100x 😀

Slide 29

Slide 29 text

100x 10x 🙂

Slide 30

Slide 30 text

WE GET 1000 ELEMENTS 100x 10x 🙂

Slide 31

Slide 31 text

😀

Slide 32

Slide 32 text

100x 😀

Slide 33

Slide 33 text

100x 10x 🙂

Slide 34

Slide 34 text

100x 10x 10x 😐

Slide 35

Slide 35 text

WE GET 10 000 ELEMENTS 100x 10x 10x 😐

Slide 36

Slide 36 text

😀

Slide 37

Slide 37 text

100x 😀

Slide 38

Slide 38 text

100x 10x 🙂

Slide 39

Slide 39 text

100x 10x 10x 😐

Slide 40

Slide 40 text

100x 10x 10x 10x 🙁

Slide 41

Slide 41 text

100x 10x 10x 10x 10x 😳

Slide 42

Slide 42 text

WE GET 1 000 000 ELEMENTS 100x 10x 10x 10x 10x 😱

Slide 43

Slide 43 text

YOU DON’T NEED DDOS IN GRAPHQL

Slide 44

Slide 44 text

ONE SIMPLE QUERY = DENIAL OF SERVICE

Slide 45

Slide 45 text

WHAT CAN WE DO ABOUT IT?

Slide 46

Slide 46 text

LIMIT DEPTH OF A QUERY

Slide 47

Slide 47 text

Slide 48

Slide 48 text

No content

Slide 49

Slide 49 text

😀

Slide 50

Slide 50 text

OK BUT WHAT IF…?

Slide 51

Slide 51 text

10 000 USERS, EACH ONE HAS 1000 FRIENDS

Slide 52

Slide 52 text

😀

Slide 53

Slide 53 text

10 000x 😐

Slide 54

Slide 54 text

1000x 10 000x 😳

Slide 55

Slide 55 text

WE GET 10 000 000 ELEMENTS 1000x 10 000x 😱

Slide 56

Slide 56 text

WHAT CAN WE DO ABOUT IT?

Slide 57

Slide 57 text

USE PAGINATION

Slide 58

Slide 58 text

1. ADD A NEW SCALAR TYPE

Slide 59

Slide 59 text

2. ADD PAGINATION IN SCHEMA

Slide 60

Slide 60 text

2. ADD PAGINATION IN SCHEMA

Slide 61

Slide 61 text

3. HANDLE PAGINATION IN RESOLVERS

Slide 62

Slide 62 text

3. HANDLE PAGINATION IN RESOLVERS
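
The three steps above, as an added example that is not the talk's own code: step 1 is the scalar's coercion logic (what you would hand to graphql-js's GraphQLScalarType as parseValue and parseLiteral), step 2 the schema fragment, step 3 the resolvers, written as plain functions so the example runs without the graphql package. The scalar name `PageSize`, the `first`/`offset` arguments, the limit of 100 and the constructed data set are assumptions made here, not taken from the slides.

```javascript
// Added example (not the talk's code). Assumptions: scalar name `PageSize`,
// `first`/`offset` arguments, MAX_PAGE_SIZE = 100, constructed in-memory data.

const MAX_PAGE_SIZE = 100;
const DEFAULT_PAGE_SIZE = 10;

// Step 1: refuse anything outside 1..MAX_PAGE_SIZE. Rejecting beats silently
// clamping: the client learns the contract and cost analysis can trust the value.
function parsePageSize(value) {
  if (!Number.isInteger(value) || value < 1 || value > MAX_PAGE_SIZE) {
    throw new TypeError(`PageSize must be an integer between 1 and ${MAX_PAGE_SIZE}, got ${value}`);
  }
  return value;
}
// parseLiteral receives an AST node (a value written inline in the query).
function parsePageSizeLiteral(ast) {
  if (ast.kind !== 'IntValue') throw new TypeError('PageSize must be an Int literal');
  return parsePageSize(parseInt(ast.value, 10));
}
function parseOffset(value) {
  if (!Number.isInteger(value) || value < 0) throw new TypeError(`offset must be a non-negative integer, got ${value}`);
  return value;
}

// Step 2: every list field takes a page size, and its type is the scalar.
const typeDefs = `
  scalar PageSize
  type User {
    id: ID!
    name: String!
    friends(first: PageSize = 10, offset: Int = 0): [User!]!
  }
  type Query {
    users(first: PageSize = 10, offset: Int = 0): [User!]!
  }
`;

// Constructed data: 10 000 users with 1000 friends each (the slide 51 case).
// Friend ids are derived on demand so the full graph never sits in memory.
const USER_COUNT = 10000;
const FRIENDS_PER_USER = 1000;
function friendIds(id) {
  return Array.from({ length: FRIENDS_PER_USER }, (_, i) => (id + 1 + i) % USER_COUNT);
}
function loadUser(id) { return { id, name: `user-${id}` }; }

// Step 3: resolvers slice by the validated page, so the result is bounded by
// the page size at every level no matter how much data exists. The scalar has
// already validated `first`; the re-check covers resolvers called directly.
const resolvers = {
  Query: {
    users(_parent, { first = DEFAULT_PAGE_SIZE, offset = 0 } = {}) {
      const n = parsePageSize(first), o = parseOffset(offset);
      const ids = [];
      for (let id = o; id < Math.min(o + n, USER_COUNT); id++) ids.push(id);
      return ids.map(loadUser);
    },
  },
  User: {
    friends(user, { first = DEFAULT_PAGE_SIZE, offset = 0 } = {}) {
      const n = parsePageSize(first), o = parseOffset(offset);
      return friendIds(user.id).slice(o, o + n).map(loadUser);
    },
  },
};

// Drives the resolvers the way the executor would for
// `{ users(first) { friends(first) { friends(first) { ... } } } }` nested
// `levels` deep and counts the elements produced: at most first + first^2 + ... + first^levels.
function countElements(first, levels) {
  let page = resolvers.Query.users(null, { first });
  let total = page.length;
  for (let level = 1; level < levels; level++) {
    page = page.flatMap(u => resolvers.User.friends(u, { first }));
    total += page.length;
  }
  return total;
}
```

With a page size of 10 and four levels of nesting, `countElements(10, 4)` produces 10 + 100 + 1 000 + 10 000 = 11 110 elements in total, which is why the depth limit can be relaxed once pagination is in place but must stay: each extra level still multiplies the work by the page size.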

Slide 63

Slide 63 text

😀

Slide 64

Slide 64 text

😀 10x

Slide 65

Slide 65 text

😀 10x 10x

Slide 66

Slide 66 text

🙂 10x 10x 10x

Slide 67

Slide 67 text

10x 10x 10x 10x 😐

Slide 68

Slide 68 text

WE GET 10 000 ELEMENTS 10x 10x 10x 10x 😐

Slide 69

Slide 69 text

WE CAN RELAX THE DEPTH LIMIT (BUT NOT ELIMINATE IT)

Slide 70

Slide 70 text

OK BUT WHAT IF…?

Slide 71

Slide 71 text

ONE TRIES TO EXCEED PAGE SIZE?

Slide 72

Slide 72 text

No content

Slide 73

Slide 73 text

NOTHING! WE’RE GOOD 😃

Slide 74

Slide 74 text

OK BUT WHAT IF…?

Slide 75

Slide 75 text

ONE USES ALIASES?

Slide 76

Slide 76 text

😀 …

Slide 77

Slide 77 text

😀 … 10x

Slide 78

Slide 78 text

😀 … 10x 10x

Slide 79

Slide 79 text

😀 … 10x 10x +

Slide 80

Slide 80 text

😀 … 10x 10x + 10x 10x

Slide 81

Slide 81 text

😀 … 10x 10x + 10x 10x + 10x 10x

Slide 82

Slide 82 text

😮 …

Slide 83

Slide 83 text

🥺 … 10x 10x

Slide 84

Slide 84 text

😢 … 10x 10x + 10x 10x

Slide 85

Slide 85 text

😰 … 10x 10x + 10x 10x + 10x 10x

Slide 86

Slide 86 text

😭 … (10x10) x 1 000 000

Slide 87

Slide 87 text

🤯 … WE GET 100 000 000 ELEMENTS

Slide 88

Slide 88 text

IF THAT DOESN’T SCARE YOU YET

Slide 89

Slide 89 text

ALIASES ALLOW ANOTHER KIND OF ATTACK…

Slide 90

Slide 90 text

BRUTE FORCE

Slide 91

Slide 91 text

CONSIDER THIS SCHEMA

Slide 92

Slide 92 text

1. I DON’T REMEMBER MY PASSWORD

Slide 93

Slide 93 text

1. I DON’T REMEMBER MY PASSWORD

Slide 94

Slide 94 text

2. I ASK FOR RESET TOKEN

Slide 95

Slide 95 text

2. I ASK FOR RESET TOKEN

Slide 96

Slide 96 text

3. I GET THE TOKEN

Slide 97

Slide 97 text

4. I CHANGE THE PASSWORD

Slide 98

Slide 98 text

4. I CHANGE THE PASSWORD

Slide 99

Slide 99 text

5. I LOG IN

Slide 100

Slide 100 text

5. I LOG IN

Slide 101

Slide 101 text

IS IT SAFE?

Slide 102

Slide 102 text

IS IT SAFE?

Slide 103

Slide 103 text

SURE! YOU CAN’T CHANGE THE PASSWORD WITHOUT AN EMAIL AND A TOKEN 😏

Slide 104

Slide 104 text

OK BUT WHAT IF…?

Slide 105

Slide 105 text

YOU HAVE AN EMAIL & YOU CAN GUESS THE TOKEN 🤔

Slide 106

Slide 106 text

1. LET’S GUESS

Slide 107

Slide 107 text

1. LET’S GUESS

Slide 108

Slide 108 text

1. LET’S GUESS

Slide 109

Slide 109 text

1. LET’S GUESS

Slide 110

Slide 110 text

2. LET’S LOG IN

Slide 111

Slide 111 text

2. LET’S LOG IN

Slide 112

Slide 112 text

WHAT CAN WE DO ABOUT IT?

Slide 113

Slide 113 text

1. GENERATE SAFER TOKENS

Slide 114

Slide 114 text

1. GENERATE SAFER TOKENS NOT THIS WAY!

Slide 115

Slide 115 text

1. GENERATE SAFER TOKENS NOT THIS WAY!

Slide 116

Slide 116 text

1. GENERATE SAFER TOKENS NOT THIS WAY! 🤡

Slide 117

Slide 117 text

2. MAKE BRUTE FORCE HARDER

Slide 118

Slide 118 text

QUERY COST ANALYSIS

Slide 119

Slide 119 text

QUERY COST ANALYSIS

Slide 120

Slide 120 text

QUERY COST ANALYSIS

Slide 121

Slide 121 text

COST DIRECTIVE

Slide 122

Slide 122 text

MULTIPLY COST BY PAGE SIZE

Slide 123

Slide 123 text

MULTIPLY COST BY PAGE SIZE

Slide 124

Slide 124 text

INCREASE COST OF DANGEROUS OPERATIONS
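
An added example, not code from the talk, that puts the depth limit (slide 46), the "one query = denial of service" amplification (slides 23-44), the alias multiplication (slides 75-87) and the cost analysis with per-field cost multiplied by page size (slides 118-124) into one analysis that runs before execution. Aliased fields need no special handling: each alias is its own field node, so each one is counted. The field names, the `first` argument, the numeric costs and limits and the mini parser are assumptions made here; the parser understands only selection sets, aliases, integer arguments and an optional query/mutation keyword, whereas a real server walks graphql-js's DocumentNode inside a validation rule (packages such as graphql-depth-limit and graphql-cost-analysis do exactly that).

```javascript
// Added example (not the talk's code). Assumptions: field names, `first`
// argument, the costs and limits below, and a mini parser for the query subset.

const MAX_DEPTH = 5;          // nesting levels, counting the leaf field
const MAX_COST = 10000;       // elements one operation may produce
const MAX_PAGE_SIZE = 100;
const DEFAULT_PAGE_SIZE = 10;

// `cost` is the price of one element; `listArg` names the pagination argument
// that multiplies the field and everything selected beneath it. Dangerous
// operations get a flat high price so a few aliased calls exhaust the budget.
const COSTS = {
  users: { cost: 1, listArg: 'first' },
  friends: { cost: 1, listArg: 'first' },
  name: { cost: 0 },
  requestResetToken: { cost: 100 },
  resetPassword: { cost: 100 },
};

function tokenize(src) {
  return src.match(/[{}():]|[A-Za-z_]\w*|-?\d+/g) || [];
}

// Parses `{ alias: field(arg: 1) { ... } }` into nodes shaped like a
// graphql-js selection set: { name, alias, args, selectionSet }.
function parseSelectionSet(toks) {
  if (toks.shift() !== '{') throw new Error('expected {');
  const fields = [];
  while (toks.length && toks[0] !== '}') {
    let name = toks.shift();
    let alias = null;
    if (toks[0] === ':') { toks.shift(); alias = name; name = toks.shift(); }
    const args = {};
    if (toks[0] === '(') {
      toks.shift();
      while (toks.length && toks[0] !== ')') {
        const key = toks.shift();
        if (toks.shift() !== ':') throw new Error('expected :');
        args[key] = Number(toks.shift());
      }
      toks.shift();
    }
    const selectionSet = toks[0] === '{' ? parseSelectionSet(toks) : [];
    fields.push({ name, alias, args, selectionSet });
  }
  if (toks.shift() !== '}') throw new Error('expected }');
  return fields;
}

function parseOperation(src) {
  const toks = tokenize(src);
  if (toks[0] === 'query' || toks[0] === 'mutation') toks.shift();
  return parseSelectionSet(toks);
}

// Longest chain of nested fields: `{ users { friends { name } } }` is 3.
function depth(fields) {
  return fields.length === 0 ? 0 : 1 + Math.max(...fields.map(f => depth(f.selectionSet)));
}

// Each field costs pageSize * (own cost + cost of its children), so
// `users(first: 10) { friends(first: 10) { name } }` costs 10 * (1 + 10 * 1) = 110,
// the number of elements the resolvers will actually produce.
function cost(fields) {
  let total = 0;
  for (const f of fields) {
    const rule = COSTS[f.name];
    if (!rule) throw new Error(`unknown field ${f.name}`);
    let multiplier = 1;
    if (rule.listArg) {
      const n = f.args[rule.listArg] ?? DEFAULT_PAGE_SIZE;
      if (!Number.isInteger(n) || n < 1 || n > MAX_PAGE_SIZE) {
        throw new Error(`${f.name}.${rule.listArg} must be an integer in 1..${MAX_PAGE_SIZE}`);
      }
      multiplier = n;
    }
    total += multiplier * (rule.cost + cost(f.selectionSet));
  }
  return total;
}

// Returns { depth, cost } for an accepted operation, throws for a rejected one.
// Depth goes first: it is cheaper to compute and bounds the cost walk.
function analyze(src) {
  const fields = parseOperation(src);
  const d = depth(fields);
  if (d > MAX_DEPTH) throw new Error(`query depth ${d} exceeds ${MAX_DEPTH}`);
  const c = cost(fields);
  if (c > MAX_COST) throw new Error(`query cost ${c} exceeds ${MAX_COST}`);
  return { depth: d, cost: c };
}

// Constructed sample operations.
const NESTED = '{ users(first: 10) { friends(first: 10) { friends(first: 10) { name } } } }';
const ALIASED_OK = '{ a: users(first: 10) { friends(first: 10) { name } } b: users(first: 10) { friends(first: 10) { name } } }';
const TOO_DEEP = '{ users { friends { friends { friends { friends { friends { name } } } } } } }';
const TOO_BIG_PAGE = '{ users(first: 1000) { name } }';
// 101 aliased resetPassword calls in one request: the brute-force pattern.
const RESET_FLOOD = 'mutation { ' +
  Array.from({ length: 101 }, (_, i) => `t${i}: resetPassword(token: ${i})`).join(' ') + ' }';
```

Two design choices worth copying: the page-size argument is validated during analysis rather than trusted, so `first: 1000000` is rejected before any resolver runs, and a dangerous mutation is priced so high that the aliased guessing attack on reset tokens (slides 106-111) blows the cost budget after a few dozen aliases instead of a few million.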

Slide 125

Slide 125 text

😀

Slide 126

Slide 126 text

😀

Slide 127

Slide 127 text

😀

Slide 128

Slide 128 text

😀

Slide 129

Slide 129 text

😀

Slide 130

Slide 130 text

😀

Slide 131

Slide 131 text

OK BUT WHAT IF…?

Slide 132

Slide 132 text

ONE TRIES TO EXECUTE MULTIPLE QUERIES?

Slide 133

Slide 133 text

WE RATE LIMIT THEM

Slide 134

Slide 134 text

EITHER AT THE HTTP SERVER (SAME AS WITH A REST API)

Slide 135

Slide 135 text

OR AT THE GRAPHQL SERVER

Slide 136

Slide 136 text

ADD THE RATE LIMIT DIRECTIVE

Slide 137

Slide 137 text

ADD SOME KIND OF A CLIENT ID TO THE CONTEXT

Slide 138

Slide 138 text

CONFIGURE THE RATE LIMIT DIRECTIVE

Slide 139

Slide 139 text

DEFINE RATE LIMIT DIRECTIVE IN SCHEMA

Slide 140

Slide 140 text

LIMIT RATE OF EXECUTION (FOR ANY QUERY OR MUTATION)
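
The four steps above (directive, client id in the context, configuration, schema definition), as an added example that is not the talk's code: a per-client sliding-window limiter exposed as a function that wraps a resolver, which is what a schema directive does under the hood. The `clientId` property on the context, the `@rateLimit(max, windowMs)` directive name and arguments, the sliding-window algorithm and the in-memory store are all choices made for this example.

```javascript
// Added example (not the talk's code). Assumptions: context.clientId, the
// @rateLimit(max, windowMs) directive, sliding window, in-memory hit store.

// Schema fragment: the directive is declared once and attached per field.
const typeDefs = `
  directive @rateLimit(max: Int!, windowMs: Int!) on FIELD_DEFINITION
  type Mutation {
    login(email: String!, password: String!): String @rateLimit(max: 5, windowMs: 60000)
    requestResetToken(email: String!): Boolean! @rateLimit(max: 3, windowMs: 3600000)
  }
`;

// Sliding-window limiter: remembers the timestamps of recent calls per
// (client, field) key and refuses a call once `max` of them fall inside the
// last `windowMs`. `now` is injectable so the window can be tested.
function createRateLimiter({ now = Date.now } = {}) {
  const hits = new Map(); // key -> timestamps (ms) of accepted calls
  return function rateLimit({ max, windowMs }, resolve) {
    return function limitedResolver(parent, args, context, info) {
      if (!context || !context.clientId) throw new Error('rate limiting needs a client id in the context');
      const key = `${context.clientId}:${info.fieldName}`;
      const t = now();
      const recent = (hits.get(key) || []).filter(ts => t - ts < windowMs);
      if (recent.length >= max) {
        const retryAfterMs = recent[0] + windowMs - t;
        throw new Error(`rate limit exceeded for ${info.fieldName}, retry in ${retryAfterMs} ms`);
      }
      recent.push(t);
      hits.set(key, recent);
      return resolve(parent, args, context, info);
    };
  };
}

// Client identity for the context: the authenticated user when there is one,
// otherwise the client IP. X-Forwarded-For is honoured only when the server
// sits behind a proxy you control, because any client can send that header.
function clientIdFromRequest(req, { trustProxy = false } = {}) {
  if (req.user && req.user.id) return `user:${req.user.id}`;
  const forwarded = trustProxy && req.headers && req.headers['x-forwarded-for'];
  const ip = forwarded ? forwarded.split(',')[0].trim() : req.ip;
  return `ip:${ip}`;
}

// Constructed login resolver: one known account, returns a session token or null.
function loginResolver(_parent, { email, password }) {
  return email === 'alice@example.com' && password === 'correct horse' ? 'session-token' : null;
}

// Wiring: what a directive transformer would do for every field carrying @rateLimit.
function buildResolvers(limiter) {
  return {
    Mutation: {
      login: limiter({ max: 5, windowMs: 60000 }, loginResolver),
    },
  };
}
```

Because the key includes the field name, the budget is per operation rather than per request: five login attempts per minute from one client are refused whether they arrive as five requests or as five aliases in one request, which is the gap an HTTP-level limiter cannot see. The HTTP-level option from slide 134 still belongs in front of it (for example nginx's `limit_req_zone` and `limit_req`), since it stops floods before they reach the GraphQL parser at all.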

Slide 141

Slide 141 text

No content

Slide 142

Slide 142 text

😀

Slide 143

Slide 143 text

2 SECONDS LATER

Slide 144

Slide 144 text

😀 2 SECONDS LATER

Slide 145

Slide 145 text

THAT’S ENOUGH …

Slide 146

Slide 146 text

THAT’S ENOUGH TO MAKE GRAPHQL AS SECURE AS REST

Slide 147

Slide 147 text

1. LIMIT DEPTH

Slide 148

Slide 148 text

1. LIMIT DEPTH 2. PAGINATE DATA

Slide 149

Slide 149 text

1. LIMIT DEPTH 2. PAGINATE DATA 3. LIMIT RATE

Slide 150

Slide 150 text

1. LIMIT DEPTH 2. PAGINATE DATA 3. LIMIT RATE 4. ANALYZE COST (OPTIONAL)

Slide 151

Slide 151 text

ONE MORE THING…

Slide 152

Slide 152 text

MONITOR YOUR TRAFFIC! (YOU NEED TO KNOW WHO ATTACKS YOU, WHEN AND HOW)

Slide 153

Slide 153 text

NEED MORE RESOURCES?

Slide 154

Slide 154 text

OWASP - GRAPHQL CHEAT SHEET

Slide 155

Slide 155 text

MACIEJ KOFEL - “HACKOWANIE GRAPHQL” (HACKING GRAPHQL) PRESENTATION (IN POLISH)

Slide 156

Slide 156 text

USE THE MEETJS CODE TO GET A 20% DISCOUNT ON ALL RECORDED TALKS (IN POLISH)

Slide 157

Slide 157 text

7-WEEK ONLINE COURSE ON FULL-STACK GRAPHQL (ALSO IN POLISH) NEW EDITION STARTS SOON

Slide 158

Slide 158 text

ANY QUESTIONS? Q&A GraphQL.pl/meetjs

Slide 159

Slide 159 text

ANY QUESTIONS? Q&A GraphQL.pl/meetjs

Slide 160

Slide 160 text

ANY QUESTIONS? Q&A GraphQL.pl/meetjs