All rights reserved by Postman Inc
Don’t Panic: A Developer’s Guide to Building Secure GraphQL APIs
Meenakshi Dhanani
Developer Relations Engineer, GraphQL
You can’t beat me at getting lost
Meenakshi Dhanani (aka Meena)
@mdhananii
Likes:
- Yoga, strength training
- Spanish
@getpostman @mdhananii
GraphQL is just an API
PANIC
NATIONAL VULNERABILITY DATABASE
includes databases of security checklist references, security-related software
flaws, misconfigurations, product names, and impact metrics.
“Contrary to simple REST APIs, GraphQL is a language. Attackers have a broad attack surface to craft malformed queries and exploit the GraphQL Engine.”
Tristan Kalos,
Co-founder and CEO, Escape
Fork the workspace : https://www.postman.com/devrel/workspace/graphql-security-101/overview
Common Attack Surfaces
BEWARE
Authentication
The most common error leading to a compromised GraphQL API is simply not authenticating at all. Because a GraphQL API normally exposes a single endpoint, per-URL protection at the HTTP layer is not enough; decide deliberately where authentication happens (typically once, at the transport layer or when the execution context is built) so that every resolver can rely on it.
Access Control
Context is an object shared by all resolvers of a single execution. It is the place to store the outcome of authentication, such as the verified identity of the current user and their roles, so resolvers never have to re-parse credentials themselves.
Authorization
Without per-type and per-field checks, any authenticated user can read fields and types intended for a different role.
Access Control
Enforce the authorization rules in middleware that wraps the resolvers rather than scattering them through resolver bodies. Default to deny: maintain an allowlist of which roles may reach which fields, and reject everything not on it.
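The two points above (authenticate once when the context is built, then authorize in a default-deny wrapper around resolvers) in working form. This is an added example, not code from the slides or from Postman; the user table and the bearer-token lookup are constructed test data standing in for real token verification (a JWT or session check), and the resolver map follows the shape graphql-js and Apollo Server expect.

```javascript
// Constructed sample users; a real server would load these from its identity store.
const USERS = {
  u1: { id: 'u1', name: 'Alice', email: 'alice@example.com', role: 'admin' },
  u2: { id: 'u2', name: 'Bob', email: 'bob@example.com', role: 'user' },
};

// Constructed bearer-token -> user id mapping. Assumption: stands in for
// verifying a signed token; never ship a static table like this.
const TOKENS = { 'tok-alice': 'u1', 'tok-bob': 'u2' };

class AuthError extends Error {}

// Builds the per-request context from the HTTP headers. Authentication happens
// here, exactly once, so every resolver can trust ctx.user (or its absence).
function buildContext(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || '');
  const userId = m ? TOKENS[m[1]] : undefined;
  return { user: userId ? USERS[userId] : null };
}

// Default-deny middleware: the wrapped resolver runs only if the caller is
// authenticated and holds one of the explicitly allowed roles.
function requireRole(allowedRoles, resolver) {
  return (parent, args, ctx, info) => {
    if (!ctx.user) throw new AuthError('not authenticated');
    if (!allowedRoles.includes(ctx.user.role)) throw new AuthError('forbidden');
    return resolver(parent, args, ctx, info);
  };
}

// Field-level rule: a user's email is visible to that user and to admins only;
// other callers get null instead of the value.
function selfOrAdmin(resolver) {
  return (parent, args, ctx, info) => {
    if (!ctx.user) throw new AuthError('not authenticated');
    if (ctx.user.role !== 'admin' && ctx.user.id !== parent.id) return null;
    return resolver(parent, args, ctx, info);
  };
}

// Resolver map. Every field that touches user data is wrapped; an unwrapped
// field would be a review finding, not a default.
const resolvers = {
  Query: {
    me: requireRole(['user', 'admin'], (_parent, _args, ctx) => ctx.user),
    allUsers: requireRole(['admin'], () => Object.values(USERS)),
  },
  User: {
    email: selfOrAdmin((parent) => parent.email),
  },
};

// Drivers that call the resolvers the way an executor would, so the
// authorization logic can be exercised without a GraphQL library.
function queryAs(headers, rootField) {
  const ctx = buildContext(headers);
  return resolvers.Query[rootField](null, {}, ctx, {});
}

function emailAs(headers, targetUserId) {
  const ctx = buildContext(headers);
  return resolvers.User.email(USERS[targetUserId], {}, ctx, {});
}
```

Plugging this into a server means passing `buildContext` as the `context` function and `resolvers` as the resolver map; the point to keep is that no resolver reads the `Authorization` header itself, and that a resolver without a `requireRole` or `selfOrAdmin` wrapper is reachable by nobody until someone adds one.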
Nested Recursive Querying
GraphQL types can reference each other (a User has Posts, a Post has an author User). A query that nests these references deeply, or cycles between them, forces the server to resolve a number of objects that grows with every level, until CPU, memory or the database gives out.
Denial of Service
Reject operations whose selection depth exceeds a fixed maximum before executing them. A query-cost limit that also accounts for list fields and pagination arguments catches the wide-but-shallow variant that a depth check alone misses.
Batch Attack
Many GraphQL servers accept an array of operations in a single HTTP request (batching) so that clients can save round trips; the server then executes the operations one after another. A single batched request can therefore carry hundreds of resource-intensive queries, and, because most rate limiters count requests rather than operations, it lets an attacker get many executions past a per-request limit.
Denial of Service
Disable batching if your clients do not need it, or cap the number of operations per request. Rate-limit resource-intensive queries by cost rather than by request count: query cost analysis assigns each field a weight, sums the weights of an operation before execution, and rejects or throttles anything over budget.
Aliased Queries
Even with batching disabled, a single operation may request the same field many times under different aliases (a: expensiveField, b: expensiveField, ...). One request then fans out into as many resolver executions as the attacker cares to write, with the same effect as a batch.
Denial of Service
Keep an allowlist of the operations your own clients actually use and configure the server to reject anything not on the list. Where an allowlist is impractical (a public API), limit the number of aliases per operation and include aliased fields in cost analysis.
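One guard covering the three denial-of-service shapes above (deep or cyclic nesting, oversized batches, alias fan-out) plus the operation allowlist. This is an added example, not code from the slides or from Postman. It works on the raw query text so it runs without a GraphQL library; the sample operations and the limit values are constructed for illustration, and a production server would perform the same analysis on the parsed document as a validation rule, which also lets it expand fragment spreads (this text-level version counts fragment bodies separately and does not follow spreads).

```javascript
// Remove string literals and comments so braces or colons inside them are not
// counted. Block strings first, then ordinary strings, then # comments.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:[^"\\\n]|\\.)*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// Shape metrics for one operation.
//   depth:      selection sets nested below the root; `{ me { posts { title } } }` is 2
//   rootFields: selections in the top-level selection set (inline fragment
//               headers are counted too; overcounting errs on the safe side)
//   aliases:    alias occurrences anywhere in the operation
function analyze(query) {
  // With strings gone, parenthesised argument lists are the only parens left;
  // dropping them removes input-object braces and argument colons.
  const text = stripLiterals(query).replace(/\([^()]*\)/g, '');
  const tokens = text.match(/[{}:]|\.\.\.|@?[_A-Za-z]\w*/g) || [];
  let depth = 0, maxDepth = 0, rootFields = 0, aliases = 0;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === '{') { depth += 1; if (depth > maxDepth) maxDepth = depth; }
    else if (t === '}') depth -= 1;
    else if (t === ':') aliases += 1; // after argument stripping a colon only introduces an alias
    else if (depth === 1 && /^[_A-Za-z]/.test(t) && tokens[i + 1] !== ':') rootFields += 1;
  }
  return { depth: Math.max(0, maxDepth - 1), rootFields, aliases };
}

// Whitespace-normalised text is the allowlist key; persisted-query ids are the
// production equivalent. Clients must pass values as variables, not literals.
const normalize = (query) => query.replace(/\s+/g, ' ').trim();

// Assumed limits for illustration; tune them from your own clients' queries.
const DEFAULT_LIMITS = { maxDepth: 6, maxAliases: 10, maxRootFields: 20, maxBatch: 1, allowlist: null };

// Takes the parsed JSON body of POST /graphql: one { query } object or an
// array of them (a batch). Returns { ok, reason } before anything executes.
function checkRequest(body, limits = {}) {
  const l = { ...DEFAULT_LIMITS, ...limits };
  const ops = Array.isArray(body) ? body : [body];
  if (ops.length > l.maxBatch) return { ok: false, reason: `batch of ${ops.length} exceeds ${l.maxBatch}` };
  for (const op of ops) {
    if (!op || typeof op.query !== 'string') return { ok: false, reason: 'missing query' };
    if (l.allowlist && !l.allowlist.has(normalize(op.query))) return { ok: false, reason: 'operation not on allowlist' };
    const { depth, rootFields, aliases } = analyze(op.query);
    if (depth > l.maxDepth) return { ok: false, reason: `depth ${depth} exceeds ${l.maxDepth}` };
    if (aliases > l.maxAliases) return { ok: false, reason: `${aliases} aliases exceed ${l.maxAliases}` };
    if (rootFields > l.maxRootFields) return { ok: false, reason: `${rootFields} root fields exceed ${l.maxRootFields}` };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample operations: a legitimate client query, a cyclic
// User -> Post -> User chain, and 50 aliased copies of an expensive mutation.
const SAMPLE_OK = 'query Me { me { id posts(first: 5) { title } } }';
const SAMPLE_DEEP = '{ me { posts { author { posts { author { posts { author { name } } } } } } } }';
const SAMPLE_ALIASED = 'mutation { ' +
  Array.from({ length: 50 }, (_, i) => `a${i}: login(email: "x", password: "p${i}") { token }`).join(' ') +
  ' }';
```

Run `checkRequest` on the request body before handing it to the executor: `SAMPLE_DEEP` is refused for depth, `SAMPLE_ALIASED` for its alias count even though it is a single operation, and an array of two `SAMPLE_OK` bodies is refused as a batch until `maxBatch` is raised. With `allowlist` set, the shape checks become a second line of defence behind the exact-match test.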
● GraphQL Introspection
You can use the __schema and __type introspection queries to enumerate every type, field, query and mutation in a schema. That hands an attacker a map of the API, including fields that were never meant to be discovered. Disable introspection in production, and treat that as defence in depth: everything still reachable must be protected by authorization.
Information Disclosure
● Error Suggestions
If a query misspells a field name, the reference implementation (graphql-js, and servers built on it) replies with the closest matching field ("Did you mean ...?"). With introspection disabled, an attacker can still recover field names by probing with near-miss names, so mask these suggestions, along with stack traces and other internals, in production error responses.
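The two information-disclosure controls above as code: refusing introspection operations in production and stripping field suggestions from error messages before they leave the server. This is an added example, not code from the slides or from Postman. The `PRODUCTION` flag is an assumed stand-in for your own environment configuration, and the sample error objects are constructed in the message format graphql-js emits.

```javascript
// Assumption: in a real deployment this comes from NODE_ENV or the config store.
const PRODUCTION = true;

// Drop string literals and comments so a field name mentioned inside a string
// argument (e.g. a search term) does not trigger a false positive.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:[^"\\\n]|\\.)*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// True if the operation selects the __schema or __type meta-fields.
// __typename is deliberately not matched: clients legitimately need it.
function isIntrospection(query) {
  return /\b__(schema|type)\b/.test(stripLiterals(query));
}

// Gate applied before execution: introspection is allowed in development only.
function admit(query, production = PRODUCTION) {
  if (production && isIntrospection(query)) {
    return { ok: false, reason: 'introspection is disabled' };
  }
  return { ok: true, reason: 'ok' };
}

// graphql-js appends a suggestion when a field or argument name is close to a
// real one. Removing it denies an attacker the ability to rebuild the schema one
// near-miss at a time once introspection is off.
const SUGGESTION = /\s*Did you mean\b[^?]*\?/;

// Shape the errors array of a GraphQL response for the client. In production
// only message, locations and path survive; extensions (stack traces, internal
// codes) are dropped. Plug this into the server's error-formatting hook.
function maskErrors(errors, production = PRODUCTION) {
  return errors.map((e) => {
    if (!production) return e;
    const out = { message: e.message.replace(SUGGESTION, '') };
    if (e.locations) out.locations = e.locations;
    if (e.path) out.path = e.path;
    return out;
  });
}

// Constructed sample errors in the format graphql-js produces.
const SAMPLE_ERRORS = [
  {
    message: 'Cannot query field "emial" on type "User". Did you mean "email"?',
    locations: [{ line: 1, column: 8 }],
    extensions: { stacktrace: ['GraphQLError: Cannot query field ...'] },
  },
  {
    message: 'Unknown argument "frist" on field "Query.posts". Did you mean "first"?',
    locations: [{ line: 1, column: 14 }],
  },
];
```

In Apollo Server, for example, the introspection half corresponds to the `introspection: false` constructor option, and `maskErrors` is the kind of function you would hand to its `formatError` hook; what matters is that both controls are tied to the environment so development keeps the full messages and production never emits them.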
GraphQL Security 101
It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.
Stéphane Nappo
Global Chief Information Security Officer
DON’T PANIC
Additional Resources
GraphQL Vulnerabilities
https://blog.escape.tech/tag/graphql-vulnerability/
Damn Vulnerable GraphQL Application
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Introduction to GraphQL security | Christina Hastenrath
https://youtu.be/aI-wI14D1nw
GraphQL Security Public Workspace
https://www.postman.com/devrel/workspace/graphql-security-101/overview
Thank You