INTERFACE by apidays 2023
APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization
June 28 & 29, 2023
Production Ready GraphQL
Antoine Carossio, Cofounder CTO at Escape
Tristan Kalos, Cofounder CEO at Escape
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
11. /46
Why is GraphQL vulnerable?
1 – GraphQL is a full-featured language…
10
12. /46
Why is GraphQL vulnerable?
1 – GraphQL is a full-featured language…
11
Operations
Fields
Directives
Parameters
Aliases
Batches
Fragments
Query Depth
Query Width
13. /46
Why is GraphQL vulnerable?
2 - GraphQL is a graph… with a lot of different paths leading to the same resource
12
14. /46
Why is GraphQL vulnerable?
1. stripe_token
2 - GraphQL is a graph… with a lot of different paths leading to the same resource
13
15. /46
Why is GraphQL vulnerable?
1. stripe_token
2 - GraphQL is a graph… with a lot of different paths leading to the same resource
14
16. /46
Why is GraphQL vulnerable?
1. stripe_token
2 - GraphQL is a graph… with a lot of different paths leading to the same resource
Access control is a nightmare!
15
17. /46
Why is is hard to test production GraphQL apps?
16
18. /46
The two problems when testing GraphQL APIs
Problem 1 : Classic testing cannot assess the business logic of APIs
17
19. /46
The two problems when testing GraphQL APIs
> Solution 1 : Feedback-Driven API Exploration
18
20. /46
The two problems when testing GraphQL APIs
> Solution 1 : Feedback-Driven API Exploration
19
21. /46
The two problems when testing GraphQL APIs
Problem 2 : GraphQL is a Graph…
1. stripe_token
20
22. /46
The two problems when testing GraphQL APIs
> Solution 2 : Recursively explore all paths in the graph
1. stripe_token
21
30. /46
Top vulnerability 1: Bruteforcing API requests (API:04)
Batching: Multiple GraphQL
Queries in one HTTP Request
Aliasing: The same fields multiple
times with aliases
29
31. /46
Top vulnerability 1: Bruteforcing API requests (API:04)
The problem: can be used to bypass rate limiting on login mutations = Bruteforce attack
30
32. /46
Top vulnerability 2: Denial of Service (API:04)
Fragments: a piece of logic that can be shared between multiple queries
31
33. /46
Top vulnerability 2: Denial of Service (API:04)
The problem: What if a fragment calls itself? Oops, you got an infinite recursion.
32
34. /46
Top vulnerability 3: Internal API Schema Leak (API:07)
The problem: Endpoints with disabled introspection still leaks underlying schema through field suggestio
33
35. /46
Top vulnerability 3: Internal API Schema Leak (API:07)
The problem: Endpoints with disabled introspection still leaks underlying API Schema through field
suggestion using open source tool Clairvoyance, anybody can build back the full Schema.
34
38. /46
API Errors and Stacktraces disclosing internal data (API:07)
The problem: Stack Traces give too much information on what’s vulnerable in your app 👀
(12% endpoints misconfigured)
37
39. /46
Access Control issues (API:01,02,03,05)
The problem:
Most routes writing data (mutations) are not supposed to be accessible without authentication
38
40. /46
Injections are still there (API2019:08)
● 16 SQL or NoSQL injections
● 1 bash command injection
● 3 Server Side Request Forgery
39
45. /46
44
● DOS & Complexity issues:
○ API04: Unrestricted Resource Consumption
< Due to GraphQL-specific features
● Access Control, Authentication and Authorization:
○ API01: Broken Object Level Authorization (BOLA)
○ API02: Broken Authentication
○ API03: Broken Object Property Level Authorization
(BOPLA)
○ API05: Broken Function Level Authorization (BFLA)
< Very common because of the graph
nature of GraphQL
● Security Misconfiguration and Information Disclosure
○ API07: Security Misconfiguration
< Federated GraphQL apps often forget to
catch error messages from underlying APIs
< Development features enabled in prod
How does OWASP TOP 10 reflect in prod-ready GraphQL apps?
46. /46
Conclusion, using unauthenticated API calls:
● We found 130k+ public GraphQL APIs into the wild and scanned 1599
of them
● Highlighted numerous vulnerabilities, most frequently GraphQL
Specific, but not only
● Access control flaws and secret leaks are *very* frequent in GraphQL
45