SlideShare a Scribd company logo

INTERFACE by apidays 2023 - Production Ready GraphQL, Antoine Carossio & Tristan Kalos, Escape

apidays
apidays

INTERFACE by apidays 2023 APIs for a “Smart” economy. Embedding AI to deliver Smart APIs and turn into an exponential organization June 28 & 29, 2023 Production Ready GraphQL Antoine Carossio, Cofounder CTO at Escape Tristan Kalos, Cofounder CEO at Escape ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Data & Analytics
1 of 47
Download to read offline
/46 Modern Application Security GraphQL Vulnerabilities in the Wild What scanning real-life GraphQL apps told us about Securing GraphQL in Production 1
/46 About Escape First automated Security Testing platform able to test the business logic of APIs and GraphQL. https://app.escape.tech/ 2
/46 1599 production APIs scanned 3
/46 1599 production APIs scanned 416 cumulative scan hours 4
/46 1599 production APIs scanned 416 cumulative scan hours 5 46,809 security alerts found
/46 30 security alerts per GraphQL app on average 6
/46 Tristan Kalos Co-founder & CEO ✉ tristan@escape.tech 🐣 @tristankalos Antoine Carossio Co-founder & CTO ✉ antoine@escape.tech 🐣 @iCarossio 7 https://escape.tech/resources/state-of-graphql-security-2023/
/46 Why is GraphQL vulnerable? 8
/46 GraphQL is a query language for APIs 9
/46 Why is GraphQL vulnerable? 1 – GraphQL is a full-featured language… 10
/46 Why is GraphQL vulnerable? 1 – GraphQL is a full-featured language… 11 Operations Fields Directives Parameters Aliases Batches Fragments Query Depth Query Width
/46 Why is GraphQL vulnerable? 2 - GraphQL is a graph… with a lot of different paths leading to the same resource 12
/46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL is a graph… with a lot of different paths leading to the same resource 13
/46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL is a graph… with a lot of different paths leading to the same resource 14
/46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL is a graph… with a lot of different paths leading to the same resource Access control is a nightmare! 15
/46 Why is is hard to test production GraphQL apps? 16
/46 The two problems when testing GraphQL APIs Problem 1 : Classic testing cannot assess the business logic of APIs 17
/46 The two problems when testing GraphQL APIs > Solution 1 : Feedback-Driven API Exploration 18
/46 The two problems when testing GraphQL APIs > Solution 1 : Feedback-Driven API Exploration 19
/46 The two problems when testing GraphQL APIs Problem 2 : GraphQL is a Graph… 1. stripe_token 20
/46 The two problems when testing GraphQL APIs > Solution 2 : Recursively explore all paths in the graph 1. stripe_token 21
/46 The findings 22
/46 46,809 security alerts found 23
/46 Which severity and category? 24
/46 Which severity and category? 25 API:01 API:02 API:03 API:05 API:04 API:06 API:07 API:04 API:07 API:10 API:09 2019:08
/46 Which severity and category? 26 API:01 API:02 API:03 API:05 API:04 API:06 API:07 API:04 API:07 API:10 API:09 2019:08
/46 A lot are GraphQL-specific 27
/46 GraphQL-specific Vulnerabilities come first 28
/46 Top vulnerability 1: Bruteforcing API requests (API:04) Batching: Multiple GraphQL Queries in one HTTP Request Aliasing: The same fields multiple times with aliases 29
/46 Top vulnerability 1: Bruteforcing API requests (API:04) The problem: can be used to bypass rate limiting on login mutations = Bruteforce attack 30
/46 Top vulnerability 2: Denial of Service (API:04) Fragments: a piece of logic that can be shared between multiple queries 31
/46 Top vulnerability 2: Denial of Service (API:04) The problem: What if a fragment calls itself? Oops, you got an infinite recursion. 32
/46 Top vulnerability 3: Internal API Schema Leak (API:07) The problem: Endpoints with disabled introspection still leaks underlying schema through field suggestio 33
/46 Top vulnerability 3: Internal API Schema Leak (API:07) The problem: Endpoints with disabled introspection still leaks underlying API Schema through field suggestion using open source tool Clairvoyance, anybody can build back the full Schema. 34
/46 Classic API vulnerabilities are still there 35
/46 HTTP Errors, Access Control Issues, Injections 36
/46 API Errors and Stacktraces disclosing internal data (API:07) The problem: Stack Traces give too much information on what’s vulnerable in your app 👀 (12% endpoints misconfigured) 37
/46 Access Control issues (API:01,02,03,05) The problem: Most routes writing data (mutations) are not supposed to be accessible without authentication 38
/46 Injections are still there (API2019:08) ● 16 SQL or NoSQL injections ● 1 bash command injection ● 3 Server Side Request Forgery 39
/46 VI. Sensitive data made public! 40
/46 4,493 potential PII and token leaks found. 41
/46 4,493 potential PII and token leaks found. • Emails • Phone numbers • Passport numbers • Bank Account numbers 42
/46 4,493 potential PII and token leaks found. • API Keys: AWS, GCP • Private RSA Keys • Auth Tokens: Adobe, Asana, Github… 43
/46 44 ● DOS & Complexity issues: ○ API04: Unrestricted Resource Consumption < Due to GraphQL-specific features ● Access Control, Authentication and Authorization: ○ API01: Broken Object Level Authorization (BOLA) ○ API02: Broken Authentication ○ API03: Broken Object Property Level Authorization (BOPLA) ○ API05: Broken Function Level Authorization (BFLA) < Very common because of the graph nature of GraphQL ● Security Misconfiguration and Information Disclosure ○ API07: Security Misconfiguration < Federated GraphQL apps often forget to catch error messages from underlying APIs < Development features enabled in prod How does OWASP TOP 10 reflect in prod-ready GraphQL apps?
/46 Conclusion, using unauthenticated API calls: ● We found 130k+ public GraphQL APIs into the wild and scanned 1599 of them ● Highlighted numerous vulnerabilities, most frequently GraphQL Specific, but not only ● Access control flaws and secret leaks are *very* frequent in GraphQL 45
/46 Tristan Kalos Co-founder & CEO ✉ tristan@escape.tech 🐣 @tristankalos Antoine Carossio Co-founder & CTO ✉ antoine@escape.tech 🐣 @iCarossio 46/4 7 https://escape.tech/resources/state-of-graphql-security-2023/

Recommended

APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
apidays
 
Effective and Efficient API Misuse Detection via Exception Propagation and Se...
Effective and Efficient API Misuse Detection via Exception Propagation and Se...Effective and Efficient API Misuse Detection via Exception Propagation and Se...
Effective and Efficient API Misuse Detection via Exception Propagation and Se...
XavierDevroey
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays
 
Api design best practice
Api design best practiceApi design best practice
Api design best practice
Red Hat
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Rana Khalil
 
Implementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPCImplementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPC
Tim Burks
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
 
Beyond 200 OK.pptx
Beyond 200 OK.pptxBeyond 200 OK.pptx
Beyond 200 OK.pptx
Pricilla Bilavendran
 

Recommended

APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kal...
apidays
 
Effective and Efficient API Misuse Detection via Exception Propagation and Se...
Effective and Efficient API Misuse Detection via Exception Propagation and Se...Effective and Efficient API Misuse Detection via Exception Propagation and Se...
Effective and Efficient API Misuse Detection via Exception Propagation and Se...
XavierDevroey
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
apidays
 
Api design best practice
Api design best practiceApi design best practice
Api design best practice
Red Hat
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Rana Khalil
 
Implementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPCImplementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPC
Tim Burks
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Takahiro Haruyama
 
Beyond 200 OK.pptx
Beyond 200 OK.pptxBeyond 200 OK.pptx
Beyond 200 OK.pptx
Pricilla Bilavendran
 
2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
APIsecure_ Official
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Rana Khalil
 
API Management for GraphQL
API Management for GraphQLAPI Management for GraphQL
API Management for GraphQL
WSO2
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
42Crunch
 
Diagnose Your Microservices
Diagnose Your MicroservicesDiagnose Your Microservices
Diagnose Your Microservices
Marcus Hirt
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
Device Independent API design
Device Independent API designDevice Independent API design
Device Independent API design
Amrita jain
 
The math api
The math apiThe math api
The math api
Adrian Sandru
 
Oracle Eloqua 10 Release Notes
Oracle Eloqua 10 Release NotesOracle Eloqua 10 Release Notes
Oracle Eloqua 10 Release Notes
Ron Corbisier
 
@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...
@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...
@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...
avanttic Consultoría Tecnológica
 
Bulletproofing Your APIs: Why Users’ Feedback Matters
Bulletproofing Your APIs: Why Users’ Feedback MattersBulletproofing Your APIs: Why Users’ Feedback Matters
Bulletproofing Your APIs: Why Users’ Feedback Matters
Pronovix
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
Ram G Athreya
 
QA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QA Fest 2019. Катерина Овеченко. Тестирование безопасности APIQA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QAFest
 
Report portal
Report portalReport portal
Report portal
COMAQA.BY
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptx
Grace Jansen
 
What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...
Kim Clark
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
Bassam Al-Khatib
 
Bringing a public GraphQL API from the whiteboard to production
Bringing a public GraphQL API from the whiteboard to productionBringing a public GraphQL API from the whiteboard to production
Bringing a public GraphQL API from the whiteboard to production
yann_s
 
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
apidays
 

More Related Content

Similar to INTERFACE by apidays 2023 - Production Ready GraphQL, Antoine Carossio & Tristan Kalos, Escape

API Management for GraphQL
API Management for GraphQLAPI Management for GraphQL
API Management for GraphQL
WSO2
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
Ram G Athreya
 
QA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QA Fest 2019. Катерина Овеченко. Тестирование безопасности APIQA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QAFest
 
What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...
Kim Clark
 
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays
 

Similar to INTERFACE by apidays 2023 - Production Ready GraphQL, Antoine Carossio & Tristan Kalos, Escape (20)

2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards2022 APIsecure_Securing APIs with Open Standards
2022 APIsecure_Securing APIs with Open Standards
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
 
API Management for GraphQL
API Management for GraphQLAPI Management for GraphQL
API Management for GraphQL
 
Top API Security Issues Found During POCs
Top API Security Issues Found During POCsTop API Security Issues Found During POCs
Top API Security Issues Found During POCs
 
Diagnose Your Microservices
Diagnose Your MicroservicesDiagnose Your Microservices
Diagnose Your Microservices
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
 
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
apidays Hong Kong - Attack API Architecture, Alvin Tam, Hong Kong Computer So...
 
Device Independent API design
Device Independent API designDevice Independent API design
Device Independent API design
 
The math api
The math apiThe math api
The math api
 
Oracle Eloqua 10 Release Notes
Oracle Eloqua 10 Release NotesOracle Eloqua 10 Release Notes
Oracle Eloqua 10 Release Notes
 
@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...
@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...
@avanttic_meetup Oracle Technology MAD_BCN: Oracle Cloud API Platform evoluc...
 
Bulletproofing Your APIs: Why Users’ Feedback Matters
Bulletproofing Your APIs: Why Users’ Feedback MattersBulletproofing Your APIs: Why Users’ Feedback Matters
Bulletproofing Your APIs: Why Users’ Feedback Matters
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
 
QA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QA Fest 2019. Катерина Овеченко. Тестирование безопасности APIQA Fest 2019. Катерина Овеченко. Тестирование безопасности API
QA Fest 2019. Катерина Овеченко. Тестирование безопасности API
 
Report portal
Report portalReport portal
Report portal
 
JCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptxJCON_15FactorWorkshop.pptx
JCON_15FactorWorkshop.pptx
 
What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...What’s behind a high quality web API? Ensure your APIs are more than just a ...
What’s behind a high quality web API? Ensure your APIs are more than just a ...
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
 
Bringing a public GraphQL API from the whiteboard to production
Bringing a public GraphQL API from the whiteboard to productionBringing a public GraphQL API from the whiteboard to production
Bringing a public GraphQL API from the whiteboard to production
 
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
apidays Helsinki & North 2023 - The future of API Management, Jona Apelbaum &...
 

More from apidays

Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
apidays
 

More from apidays (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
Apidays New York 2024 - The secrets to Graph success, by Leah Hurwich Adler, ...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
Apidays New York 2024 - API Discovery - From Crawl to Run by Rob Dickinson, G...
 
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
Apidays Singapore 2024 - Building with the Planet in Mind by Sandeep Joshi, M...
 
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
Apidays Singapore 2024 - Connecting Cross Border Commerce with Payments by Gu...
 
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
Apidays Singapore 2024 - Privacy Enhancing Technologies for AI by Mark Choo, ...
 
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
Apidays Singapore 2024 - Blending AI and IoT for Smarter Health by Matthew Ch...
 
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
Apidays Singapore 2024 - OpenTelemetry for API Monitoring by Danielle Kayumbi...
 
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
Apidays Singapore 2024 - Connecting Product and Engineering Teams with Testin...
 
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
Apidays Singapore 2024 - The Growing Carbon Footprint of Digitalization and H...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
Apidays Singapore 2024 - API Monitoring x SRE by Ryan Ashneil and Eugene Wong...
 
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
Apidays Singapore 2024 - A nuanced approach on AI costs and benefits for the ...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
Apidays Singapore 2024 - How APIs drive business at BNP Paribas by Quy-Doan D...
 

Recently uploaded

如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证
acoha1
 
Abortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotec
Abortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotecAbortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotec
Abortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotec
Abortion pills in Riyadh +966572737505 get cytotec
 
一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理
一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理
一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理
pyhepag
 
Audience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptxAudience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptx
Stephen266013
 
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
dq9vz1isj
 
NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...
NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...
NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...
Amil baba
 
一比一原版阿德莱德大学毕业证成绩单如何办理
一比一原版阿德莱德大学毕业证成绩单如何办理一比一原版阿德莱德大学毕业证成绩单如何办理
一比一原版阿德莱德大学毕业证成绩单如何办理
pyhepag
 
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Klinik Aborsi
 
Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...
Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...
Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...
mikehavy0
 
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
acoha1
 
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
ju0dztxtn
 

Recently uploaded (20)

如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(WashU毕业证书)圣路易斯华盛顿大学毕业证成绩单本科硕士学位证留信学历认证
 
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
 
Predictive Precipitation: Advanced Rain Forecasting Techniques
Predictive Precipitation: Advanced Rain Forecasting TechniquesPredictive Precipitation: Advanced Rain Forecasting Techniques
Predictive Precipitation: Advanced Rain Forecasting Techniques
 
2024 Q2 Orange County (CA) Tableau User Group Meeting
2024 Q2 Orange County (CA) Tableau User Group Meeting2024 Q2 Orange County (CA) Tableau User Group Meeting
2024 Q2 Orange County (CA) Tableau User Group Meeting
 
123.docx. .
123.docx. .123.docx. .
123.docx. .
 
Abortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotec
Abortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotecAbortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotec
Abortion pills in Riyadh Saudi Arabia (+966572737505 buy cytotec
 
一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理
一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理
一比一原版(Monash毕业证书)莫纳什大学毕业证成绩单如何办理
 
Digital Marketing Demystified: Expert Tips from Samantha Rae Coolbeth
Digital Marketing Demystified: Expert Tips from Samantha Rae CoolbethDigital Marketing Demystified: Expert Tips from Samantha Rae Coolbeth
Digital Marketing Demystified: Expert Tips from Samantha Rae Coolbeth
 
The Significance of Transliteration Enhancing
The Significance of Transliteration EnhancingThe Significance of Transliteration Enhancing
The Significance of Transliteration Enhancing
 
Audience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptxAudience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptx
 
What is Insertion Sort. Its basic information
What is Insertion Sort. Its basic informationWhat is Insertion Sort. Its basic information
What is Insertion Sort. Its basic information
 
Genuine love spell caster )! ,+27834335081) Ex lover back permanently in At...
Genuine love spell caster )! ,+27834335081) Ex lover back permanently in At...Genuine love spell caster )! ,+27834335081) Ex lover back permanently in At...
Genuine love spell caster )! ,+27834335081) Ex lover back permanently in At...
 
Aggregations - The Elasticsearch "GROUP BY"
Aggregations - The Elasticsearch "GROUP BY"Aggregations - The Elasticsearch "GROUP BY"
Aggregations - The Elasticsearch "GROUP BY"
 
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
 
NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...
NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...
NO1 Best Kala Jadu Expert Specialist In Germany Kala Jadu Expert Specialist I...
 
一比一原版阿德莱德大学毕业证成绩单如何办理
一比一原版阿德莱德大学毕业证成绩单如何办理一比一原版阿德莱德大学毕业证成绩单如何办理
一比一原版阿德莱德大学毕业证成绩单如何办理
 
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
 
Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...
Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...
Abortion Clinic in Randfontein +27791653574 Randfontein WhatsApp Abortion Cli...
 
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
 
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
 

INTERFACE by apidays 2023 - Production Ready GraphQL, Antoine Carossio & Tristan Kalos, Escape

  • 1. /46 Modern Application Security GraphQL Vulnerabilities in the Wild What scanning real-life GraphQL apps told us about Securing GraphQL in Production 1
  • 2.
  • 3. /46 About Escape First automated Security Testing platform able to test the business logic of APIs and GraphQL. https://app.escape.tech/ 2
  • 6. /46 1599 production APIs scanned 416 cumulative scan hours 5 46,809 security alerts found
  • 7. /46 30 security alerts per GraphQL app on average 6
  • 8. /46 Tristan Kalos Co-founder & CEO ✉ tristan@escape.tech 🐣 @tristankalos Antoine Carossio Co-founder & CTO ✉ antoine@escape.tech 🐣 @iCarossio 7 https://escape.tech/resources/state-of-graphql-security-2023/
  • 9. /46 Why is GraphQL vulnerable? 8
  • 10. /46 GraphQL is a query language for APIs 9
  • 11. /46 Why is GraphQL vulnerable? 1 – GraphQL is a full-featured language… 10
  • 12. /46 Why is GraphQL vulnerable? 1 – GraphQL is a full-featured language… 11 Operations Fields Directives Parameters Aliases Batches Fragments Query Depth Query Width
  • 13. /46 Why is GraphQL vulnerable? 2 - GraphQL is a graph… with a lot of different paths leading to the same resource 12
  • 14. /46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL is a graph… with a lot of different paths leading to the same resource 13
  • 15. /46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL is a graph… with a lot of different paths leading to the same resource 14
  • 16. /46 Why is GraphQL vulnerable? 1. stripe_token 2 - GraphQL is a graph… with a lot of different paths leading to the same resource Access control is a nightmare! 15
  • 17. /46 Why is is hard to test production GraphQL apps? 16
  • 18. /46 The two problems when testing GraphQL APIs Problem 1 : Classic testing cannot assess the business logic of APIs 17
  • 19. /46 The two problems when testing GraphQL APIs > Solution 1 : Feedback-Driven API Exploration 18
  • 20. /46 The two problems when testing GraphQL APIs > Solution 1 : Feedback-Driven API Exploration 19
  • 21. /46 The two problems when testing GraphQL APIs Problem 2 : GraphQL is a Graph… 1. stripe_token 20
  • 22. /46 The two problems when testing GraphQL APIs > Solution 2 : Recursively explore all paths in the graph 1. stripe_token 21
  • 25. /46 Which severity and category? 24
  • 26. /46 Which severity and category? 25 API:01 API:02 API:03 API:05 API:04 API:06 API:07 API:04 API:07 API:10 API:09 2019:08
  • 27. /46 Which severity and category? 26 API:01 API:02 API:03 API:05 API:04 API:06 API:07 API:04 API:07 API:10 API:09 2019:08
  • 28. /46 A lot are GraphQL-specific 27
  • 30. /46 Top vulnerability 1: Bruteforcing API requests (API:04) Batching: Multiple GraphQL Queries in one HTTP Request Aliasing: The same fields multiple times with aliases 29
  • 31. /46 Top vulnerability 1: Bruteforcing API requests (API:04) The problem: can be used to bypass rate limiting on login mutations = Bruteforce attack 30
  • 32. /46 Top vulnerability 2: Denial of Service (API:04) Fragments: a piece of logic that can be shared between multiple queries 31
  • 33. /46 Top vulnerability 2: Denial of Service (API:04) The problem: What if a fragment calls itself? Oops, you got an infinite recursion. 32
  • 34. /46 Top vulnerability 3: Internal API Schema Leak (API:07) The problem: Endpoints with disabled introspection still leaks underlying schema through field suggestio 33
  • 35. /46 Top vulnerability 3: Internal API Schema Leak (API:07) The problem: Endpoints with disabled introspection still leaks underlying API Schema through field suggestion using open source tool Clairvoyance, anybody can build back the full Schema. 34
  • 36. /46 Classic API vulnerabilities are still there 35
  • 37. /46 HTTP Errors, Access Control Issues, Injections 36
  • 38. /46 API Errors and Stacktraces disclosing internal data (API:07) The problem: Stack Traces give too much information on what’s vulnerable in your app 👀 (12% endpoints misconfigured) 37
  • 39. /46 Access Control issues (API:01,02,03,05) The problem: Most routes writing data (mutations) are not supposed to be accessible without authentication 38
  • 40. /46 Injections are still there (API2019:08) ● 16 SQL or NoSQL injections ● 1 bash command injection ● 3 Server Side Request Forgery 39
  • 41. /46 VI. Sensitive data made public! 40
  • 42. /46 4,493 potential PII and token leaks found. 41
  • 43. /46 4,493 potential PII and token leaks found. • Emails • Phone numbers • Passport numbers • Bank Account numbers 42
  • 44. /46 4,493 potential PII and token leaks found. • API Keys: AWS, GCP • Private RSA Keys • Auth Tokens: Adobe, Asana, Github… 43
  • 45. /46 44 ● DOS & Complexity issues: ○ API04: Unrestricted Resource Consumption < Due to GraphQL-specific features ● Access Control, Authentication and Authorization: ○ API01: Broken Object Level Authorization (BOLA) ○ API02: Broken Authentication ○ API03: Broken Object Property Level Authorization (BOPLA) ○ API05: Broken Function Level Authorization (BFLA) < Very common because of the graph nature of GraphQL ● Security Misconfiguration and Information Disclosure ○ API07: Security Misconfiguration < Federated GraphQL apps often forget to catch error messages from underlying APIs < Development features enabled in prod How does OWASP TOP 10 reflect in prod-ready GraphQL apps?
  • 46. /46 Conclusion, using unauthenticated API calls: ● We found 130k+ public GraphQL APIs into the wild and scanned 1599 of them ● Highlighted numerous vulnerabilities, most frequently GraphQL Specific, but not only ● Access control flaws and secret leaks are *very* frequent in GraphQL 45
  • 47. /46 Tristan Kalos Co-founder & CEO ✉ tristan@escape.tech 🐣 @tristankalos Antoine Carossio Co-founder & CTO ✉ antoine@escape.tech 🐣 @iCarossio 46/4 7 https://escape.tech/resources/state-of-graphql-security-2023/