This session covers the dos and don'ts of designing secure GraphQL APIs, highlighting case studies and the OWASP risks connected with them. The goal is to give you the tools you need to be proactive and plan for threats earlier in the API lifecycle. You'll also learn about the challenges and security risks that GraphQL APIs face compared with other popular API specifications and standards.
Don't Panic: A Developer's Guide to Building Secure GraphQL APIs
1. All rights reserved by Postman Inc
Don’t Panic:
A Developer’s Guide
to Building Secure
GraphQL APIs
Meenakshi Dhanani
Developer Relations Engineer,
GraphQL
2. You can’t beat me at getting lost
Meenakshi Dhanani (aka Meena)
@mdhananii
Likes:
- Yoga, strength training
- Spanish
@getpostman @mdhananii
8. NATIONAL VULNERABILITY DATABASE
includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.
“Contrarily to simple REST APIs, GraphQL is a language. Attackers have a broad attack surface to craft malformed queries and exploit the GraphQL Engine.”
Tristan Kalos, Co-founder and CEO, Escape
12. Authentication
A common error that leads to the compromise of GraphQL APIs is the absence of authentication. Choosing which layer to perform the authentication at is a crucial decision.
Access Control
Context is an object that is shared by all the resolvers of a specific execution. It is useful for storing data such as authentication information, the current user
13. Authorization
Without authorization checks in place, fields or types meant for one role are exposed to users holding other roles.
Access Control
Define the authorization business logic for the resolvers in middleware. Default deny, with a maintained allowlist of what each role may access, is the safer approach.
14. Nested Recursive Querying
GraphQL types can reference each other. A large nested query can use this recursion to build a circular query that brings down the server.
Denial of Service
Max depth checks can prevent these attacks.
Fork the workspace : https://www.postman.com/devrel/workspace/graphql-security-101/overview
15. Batch Attack
GraphQL servers can support batching: several operations are sent in one request and executed one after the other to save network round trips. For resource-intensive queries, a batch is a good candidate for a denial-of-service attack.
Denial of Service
Disable batching. Protect your system by rate limiting resource-intensive queries; query cost analysis is one approach to such rate limiting.
16. Aliased Queries
Even with batching disabled, a single operation can use aliases to run the same field repeatedly and bring the system down.
Denial of Service
Keep an allowlist of the approved queries your own application uses and instruct the server to reject any query that is not on the list.
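An added example (not the talk's or Postman's code) that turns the depth check from slide 14 and the alias concern from slide 16 into one pre-execution guard: it scans a raw operation string for selection-set depth and alias count before the server executes it. It assumes plain Node.js and assumed limits (depth 5, 10 aliases); real deployments should enforce the same checks as validation rules over the parsed AST rather than a hand-rolled scanner.

```javascript
// Added example, not from the talk: a pre-execution guard that rejects a raw
// GraphQL operation when selection sets nest too deep (slide 14) or aliases
// repeat work (slide 16). It avoids the `graphql` package so it runs
// stand-alone; a production guard should walk the parsed AST instead.
function scanOperation(query) {
  let i = 0, depth = 0, maxDepth = 0, parens = 0, aliases = 0;
  while (i < query.length) {
    const c = query[i];
    if (c === '#') {                               // comment: skip to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (query.startsWith('"""', i)) {       // block string
      const end = query.indexOf('"""', i + 3);
      i = end === -1 ? query.length : end + 3;
    } else if (c === '"') {                        // string literal with \ escapes
      i++;
      while (i < query.length && query[i] !== '"') i += query[i] === '\\' ? 2 : 1;
      i++;
    } else {
      if (c === '(') parens++;
      else if (c === ')') parens--;
      else if (parens === 0) {
        // Outside argument lists, braces open selection sets (input objects only
        // appear inside parentheses) and a colon can only introduce an alias.
        if (c === '{') { depth++; maxDepth = Math.max(maxDepth, depth); }
        else if (c === '}') depth--;
        else if (c === ':' && depth > 0) aliases++;
      }
      i++;
    }
  }
  return { maxDepth, aliases };
}

function checkOperation(query, limits = { maxDepth: 5, maxAliases: 10 }) {  // assumed limits
  const stats = scanOperation(query);
  const reasons = [];
  if (stats.maxDepth > limits.maxDepth)
    reasons.push(`selection depth ${stats.maxDepth} exceeds ${limits.maxDepth}`);
  if (stats.aliases > limits.maxAliases)
    reasons.push(`${stats.aliases} aliases exceed ${limits.maxAliases}`);
  return { ok: reasons.length === 0, reasons, ...stats };
}

// Constructed samples: a circular friends-of-friends query (depth 9), an aliased
// batch repeating one expensive field 50 times, and a benign query (depth 3).
const deepQuery = '{ me ' + '{ friends '.repeat(7) + '{ name }' + ' }'.repeat(8);
const aliasedQuery = '{ ' + Array.from({ length: 50 }, (_, k) => `r${k}: report(id: "x${k}")`).join(' ') + ' }';
const benignQuery = 'query Me($n: Int = 5) { me { name friends(first: $n) { name } } }';
for (const q of [deepQuery, aliasedQuery, benignQuery]) console.log(checkOperation(q));
```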
17. ● GraphQL Introspection
The `__schema` query lets anyone learn about all the fields and types in a schema, which can expose sensitive fields and reveal to attackers which queries and mutations exist. Disable introspection in production to avoid these attacks.
Information Disclosure
● Error Suggestions
If you query a schema with a typo in a field name, the GraphQL error message suggests the field name that most closely matches what you entered; this could leak sensitive data.
19. “It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
Stéphane Nappo, Global Chief Information Security Officer
DON’T PANIC
20. Additional Resources
GraphQL Vulnerabilities: https://blog.escape.tech/tag/graphql-vulnerability/
Damn Vulnerable GraphQL Application: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Introduction to GraphQL security | Christina Hastenrath: https://youtu.be/aI-wI14D1nw
GraphQL Security Public Workspace: https://www.postman.com/devrel/workspace/graphql-security-101/overview