APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)

The Darkside of GraphQL
GraphQL is so query-ous, it's bound to
leave you REST-less.
02.28.2023

Why GraphQL ?
➔Increased efficiency
- Request exact data you need. Nothing More, Nothing Less
➔Better flexibility
- Evolve and iterate on the API without impacting clients
➔Facilitates collaboration
- GraphQL provides a common language for both frontend and backend
Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED
PUN
Why settle for the
simplicity of REST
when you can spend
your days writing
complex GraphQL
schemas that
nobody understands?

How is GraphQL Different from REST ?

Common GraphQL Endpoints
TIP
I would rather create a
wordlist of common
GraphQL Endpoints
and pass it to FFUF,
DirBuster, etc
1./graphql
2./graphql.php
3./graphiql
4./v1/explorer
5./v1/graphiql
6./v2/graphql/console
List of Common API Endpoints

DIFFERENT TYPES OF
QUERIES IN GRAPHQL
PUN
"A GraphQL query is like
a conversation with a
waiter at a restaurant.
You tell the waiter what
you want to eat (i.e., the
data you want to
retrieve), and the waiter
brings it to your table. But
unlike a restaurant, you
don't have to leave a tip!"

QUERY
A query is used to retrieve
data from a GraphQL server. It
is analogous to a GET request in
a REST API. A query consists of
a set of fields that define the
data that the client wants to
fetch from the server.
A mutation is used to modify
data on a GraphQL server. It is
analogous to a POST, PUT, or
DELETE request in a REST API. A
mutation consists of a set of
input arguments and fields that
define the data that the client
wants to change on the server.
A subscription is used to receive
real-time updates from a
GraphQL server. It is similar to a
query, but instead of returning a
single result, a subscription
returns a stream of data that is
sent to the client whenever the
server's data changes.
MUTATION SUBSCRIPTION

ATTACKER'S PERSPECTIVE TO
GRAPHQL
PUN
Why did the GraphQL
developer refuse to use
REST?
Because they didn't want
to get caught up in a
"REST-riction" when it
came to querying data!

THE INTROSPECTION
PUN
Why did the GraphQL
schema go to
therapy? Because it
needed some
introspecc-tion!
GraphQL introspection is a feature that allows a
GraphQL client to query the GraphQL schema at
runtime to get information about the available
types, fields, and directives that the schema
supports. This information can be used to
understand the schema's structure, generate
documentation, or even to dynamically generate
GraphQL queries and mutations.
INTROSPECTION QUERY

Introspection can reveal
sensitive information about
the application's underlying
data model.
Why is Introspection a vulnerability?
TIP
The output of
Introspection might not
be readable. To view in
much better way use
“apis.guru/graphql-
voyager/”

why we use
graphql-
voyager?

I call it "The Voyager Magic"

Batching is a technique used
in GraphQL to optimize
queries by allowing multiple
queries to be sent in a single
HTTP request
Can we exploit Batching in GraphQL?
TIP
GraphQL batching is not
inherently a vulnerability
but … let's find out

EXPLOIT FOR BATCHING
TIP
Use “BatchQL” tool
by AssetNote.
The most common attack for batching is Denial
of Service (DoS) attack. If an attacker sends a
large number of batched queries that require
significant processing, it could cause the server
to become overwhelmed and result in a denial-
of-service attack.
PoC in Next Slide

Note the
Execution
Time

Ahm...
Ahm...

Authentication Bypass with
the help of Batching.
TIP
Majorly works where 2Fa
is present.

BYPASSING 2FA
TIP
Use “BatchQL” tool
by AssetNote.
We can see that we pass 3 different verification
code and even if one code is correct, we will get
the successful response.
Credit: Assetnote

Testing for Directive
Overloading
TIP
Directive overloading is
neglected because
developers and hackers
are concentrating on
Batching.
Let's see a Live PoC

WHAT ARE RUNTIME DIRECTIVES?
The purpose of runtime directives is to modify
the execution.
There are two main runtime directives in
GraphQL: @skip and @include
• @skip(if: ...)
skips the selection if
the if: ... value is
truthy
• @include(if: ...)
includes the selection if
the if: ... value is
truthy
Note the
Execution
Time
TIP
Multiple errors
confirms that
server is
vulnerable to
directive
overloading.

POSSIBLE MITIGATIONS
• Implement depth limiting for incoming GraphQL queries
• Perform query cost analysis to limit expensive queries
• Enforce rate-limiting for incoming requests per API client
• Add timeouts for both the infrastructure and API layer
• Disable introspection queries in public APIs
• Use a whitelist for allowed characters
• Add pagination to limit the amount of information that can be accessed by a single
request

To Succeed, Security Teams Need Unified API Protection
An Integrated Solution Across the Entire API Protection Lifecycle
Continuous API
Protection Lifecycle
Discovery
Identify Public Facing APIs
Inventory
Provide Unified Inventory
of ALL APIs
Compliance
Ensure Adherence to Security
and Governance Best Practices
Testing
Secure New APIs
Before Go-Live
Prevention
Block Attacks Natively
in Real Time
Detection
Detect Attacks as They Happen

Thank You
Merci
Gracias
Danke
Did someone mention that
Cequence can provide you with free
security assessment?
Grazie
Dhanyavaad
Shukraan
Arigato

APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)

Recommended

Recommended

More Related Content

Similar to APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)

Similar to APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security) (20)

More from apidays

More from apidays (20)

Recently uploaded

Recently uploaded (20)

APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)