Pentesting GraphQL Applications
My slides for understanding Pentesting for GraphQL Applications. I presented this content at c0c0n and bSides Delhi 2018. Also contains details of my Burp Extension for GraphQL parsing and scanning located here https://github.com/br3akp0int/GQLParser

  1. PENTESTING GRAPHQL APPLICATIONS. Neelu Tripathy. Presented @ bSides Delhi & c0c0n 2018
  2. Neelu Tripathy
     ▪ NotSoSecure Global Services Limited
     ▪ 8+ years of InfoSec experience
     ▪ Speaker / Trainer: c0c0n, NullCon, BlackHat 2017
     ▪ Loves: vulnerability assessments and penetration tests for web applications and networks, threat modelling, design reviews, red teaming, social engineering
     ▪ OSCP-PWK
     ▪ br3akp0int @ Null
     ▪ @NeeluTripathy
  3. Agenda
     01 Why?
     02 How it works
     03 Pentesting GQL
     04 GQL Security
     05 GQLParser & Scanner
     06 Way Forward
  4. REST vs GraphQL
     REST
     ❑ Data intensive per endpoint
     ❑ Multiple API endpoints needed
     ❑ Leads to over-fetching or under-fetching
     GraphQL
     ❑ Flexible for rapid product iterations on the front end
     ❑ Designs can change without affecting the API
     ❑ Fine grained
     ❑ Low-level performance monitoring
     ❑ Strong schema and types
     ❑ Easy structuring of requests between client and server
  5. ❑ Started 2012 at Facebook (Lee Byron, Nick Schrock)
     ❑ Usage
     ❑ Made public in 2015
     ❑ Multiple interior endpoints collapsed into a single forward-facing endpoint
     ❑ Vast language support
     ❑ Data-intensive platforms
  6. Multiple language support (chart of GraphQL packages; source: npmjs.com)
  7. GQL server with connected database; GQL hybrid architecture (diagrams; source: www.howtographql.com)
  8. Schema
     type Query {
       hero(id: ID!): Character
     }
     type Character {
       id: ID!
       name: String
       friends: [Character]
       homeWorld: Planet
       species: Species
     }
     type Planet {
       name: String
       climate: String
     }
     type Species {
       name: String
       lifespan: Int
       origin: Planet
     }
  9. Query:
     {
       hero(id: "1q2w3e") {
         name
         friends {
           homeWorld {
             name
             climate
           }
           species {
             name
             lifespan
           }
         }
       }
     }
  10. Mutation:
      mutation {
        createHero(name: "Lucas2") {
          id
          name
        }
      }
  11. Subscription (diagram: a newHero event fans out as a notification to user1, user2, user3 and user4):
      subscription {
        newHero {
          id
          name
        }
      }
  12. Pentesting Approach to GraphQL Applications
  13. LangSec
      ❑ Strong type system
      ❑ LangSec
      ❑ Lexing, parsing, matching
      ❑ Abstract syntax tree
      (diagram: Input Handling Code / Input lang; Processing Code / Processing lang1, Processing lang2)
  14. STRONG TYPE SYSTEM
  15. SQL backend
      ▪ The type system (schema) only validates that an argument has the declared type
      ▪ Unless that validation fails, the value reaches the resolver unchanged
      ▪ The resolver therefore still needs to sanitise (parameterise) variables before they reach the database
  16. Custom scalar types: JSON scalar, user-defined types, assertions about user input
      type Query {
        users(search: JSON!, options: JSON!): [User]
      }
      {
        users(search: "{\"username\": {\"$regex\": \"sue\"}, \"email\": {\"$regex\": \"sue\"}}",
              options: "{\"skip\": 0, \"limit\": 10}") {
          _id
          username
          fullname
          email
        }
      }
  17. NoSQL injection through the JSON scalar: "$gte": "" matches every email, and the second payload replaces the server's options with an empty "fields" projection
      {
        users(search: "{\"email\": {\"$gte\": \"\"}}", options: "{\"skip\": 0, \"limit\": 10}") {
          _id
          username
          fullname
          email
        }
      }
      {
        users(search: "{\"email\": {\"$gte\": \"\"}}", options: "{\"fields\": {}}") {
          _id
          username
          fullname
          email
        }
      }
      Source: http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/
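The resolver side of slides 16 and 17, as an added example that is not part of the deck: a users(search, options) resolver written the way the slide's schema invites (argument objects passed straight into the database query) beside a hardened version. A JSON scalar such as graphql-type-json hands the resolver already-parsed objects, so both resolvers take objects. The in-memory collection, its $regex/$gte matcher and the user records are constructed stand-ins for MongoDB so the example runs without a database; the field allow-list and the 50-row cap are illustrative choices, not anything from the slides.

```javascript
// Constructed sample collection (stand-in for a MongoDB "users" collection).
const USERS = [
  { _id: 1, username: 'sue',  fullname: 'Sue Smith', email: 'sue@example.com',  password: 'hunter2' },
  { _id: 2, username: 'bob',  fullname: 'Bob Jones', email: 'bob@example.com',  password: 'swordfish' },
  { _id: 3, username: 'suzy', fullname: 'Suzy Q',    email: 'suzy@example.com', password: 'letmein' },
];

// Minimal matcher covering the operators the injection payloads use.
function matches(doc, search) {
  return Object.entries(search).every(([field, cond]) => {
    const value = doc[field];
    if (cond === null || typeof cond !== 'object') return value === cond;
    return Object.entries(cond).every(([op, arg]) => {
      if (op === '$regex') return typeof value === 'string' && new RegExp(arg).test(value);
      if (op === '$gte') return value >= arg; // "$gte": "" is true for every string
      throw new Error('unsupported operator ' + op);
    });
  });
}

// Stand-in for collection.find(search, options): honours skip, limit and the
// "fields" projection; an empty projection returns the whole document, as Mongo does.
function find(search, options = {}) {
  const skip = options.skip || 0;
  let rows = USERS.filter((doc) => matches(doc, search));
  rows = rows.slice(skip, options.limit == null ? undefined : skip + options.limit);
  const projected = options.fields && Object.keys(options.fields).length > 0;
  return rows.map((doc) =>
    projected ? Object.fromEntries(Object.entries(doc).filter(([k]) => options.fields[k])) : { ...doc });
}

// Vulnerable resolver: whatever the client put in the JSON arguments is the query.
function usersVulnerable(_root, { search, options }) {
  return find(search, options);
}

// Hardened resolver: allow-listed fields, no operator keys, server-chosen
// regex construction, capped page size and a fixed projection.
const SEARCHABLE = new Set(['username', 'email']);        // assumption: searchable fields
const PUBLIC_FIELDS = ['_id', 'username', 'fullname', 'email'];
const MAX_LIMIT = 50;                                     // assumption: page-size cap

function assertNoOperators(value) {
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$')) throw new Error('operator keys are not allowed: ' + k);
      assertNoOperators(v);
    }
  }
}

function usersHardened(_root, { search, options }) {
  assertNoOperators(search);
  assertNoOperators(options);
  const safeSearch = {};
  for (const [field, term] of Object.entries(search)) {
    if (!SEARCHABLE.has(field)) throw new Error('field not searchable: ' + field);
    if (typeof term !== 'string') throw new Error('search terms must be strings');
    // The server builds the regex from an escaped literal: a plain substring match.
    safeSearch[field] = { $regex: term.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') };
  }
  const skip = Number.isInteger(options.skip) && options.skip >= 0 ? options.skip : 0;
  const limit = Number.isInteger(options.limit) && options.limit > 0
    ? Math.min(options.limit, MAX_LIMIT) : 10;
  const fields = Object.fromEntries(PUBLIC_FIELDS.map((f) => [f, 1]));
  return find(safeSearch, { skip, limit, fields });
}
```

Calling usersVulnerable with the slide's second payload, search {email: {$gte: ""}} and options {fields: {}}, returns every user including the password field; usersHardened throws on the $gte key before anything reaches the collection, and a search term such as ".*" is matched literally.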
  18. QUERY STRUCTURE
  19. DATA TYPE
  20. XSS in express-graphql (affected versions >=0.4.0 <0.4.11): Markdown rendered with marked without sanitisation
      var marked = require('marked');
      console.log(marked('<script>alert(1)</script>'));
      // Outputs: <script>alert(1)</script>
      marked.setOptions({ sanitize: true });
      console.log(marked('<script>alert(1)</script>'));
      // Outputs: <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
  21. ▪ Queries
        ❑ Add privileged parameters (id values, keys, tokens) to the input params
        ❑ Fetch more by requesting output fields the client does not normally use
      ▪ Mutations
        ❑ Try to change state by replacing the relevant parameters
        ❑ Look for any that define permissions, context, etc.
        ❑ Amount: fetch more than the defaults
  22. How not to do authorization vs. the correct method (code screenshots)
  23. Endpoint discovery
      ▪ /graphql
      ▪ /graphqlBatch
      ▪ /graphql.php
      ▪ /graphiql
      ▪ /graphql/console/
      ▪ /graphql.php?debug=1
      ▪ Try other ports for interactive GQL paths
      Schema-based model enumeration: fetching sensitive attributes
      ▪ Introspection: __schema
      ▪ Deprecated nodes
      ▪ Crucial attributes of an object
      ▪ Data and links in descriptions
      Schema fetch-all: look for cumulative objects (groups, collections, etc.) to get a list of every entity
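The enumeration step on slide 23 in code, as an added example rather than anything from the deck or from GQLParser: the introspection query a tester POSTs to a discovered endpoint, and a walker over the JSON answer that lists every object type with its field signatures, the fields that return lists (fetch-all candidates), deprecated fields (still queryable) and any URL leaked through a description. The response below is constructed for this example; its type and field names, the deprecation reason and the intranet URL are made up.

```javascript
// The query a tester sends to a discovered endpoint; includeDeprecated keeps
// deprecated nodes in the answer.
const INTROSPECTION_QUERY = `
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name description
      fields(includeDeprecated: true) {
        name description isDeprecated deprecationReason
        args { name type { kind name ofType { kind name ofType { kind name } } } }
        type { kind name ofType { kind name ofType { kind name } } }
      }
    }
  }
}`;

// Constructed introspection response (shape of a real __schema answer, content invented).
const SAMPLE_RESPONSE = {
  data: { __schema: {
    queryType: { name: 'Query' },
    mutationType: { name: 'Mutation' },
    types: [
      { kind: 'OBJECT', name: 'Query', description: null, fields: [
        { name: 'hero', description: null, isDeprecated: false, deprecationReason: null,
          args: [{ name: 'id', type: { kind: 'NON_NULL', name: null, ofType: { kind: 'SCALAR', name: 'ID', ofType: null } } }],
          type: { kind: 'OBJECT', name: 'Character', ofType: null } },
        { name: 'users', description: 'Search users. Admin console: https://admin.example.internal/users',
          isDeprecated: false, deprecationReason: null,
          args: [{ name: 'search', type: { kind: 'NON_NULL', name: null, ofType: { kind: 'SCALAR', name: 'JSON', ofType: null } } }],
          type: { kind: 'LIST', name: null, ofType: { kind: 'OBJECT', name: 'User', ofType: null } } },
      ] },
      { kind: 'OBJECT', name: 'User', description: null, fields: [
        { name: '_id', description: null, isDeprecated: false, deprecationReason: null, args: [],
          type: { kind: 'NON_NULL', name: null, ofType: { kind: 'SCALAR', name: 'ID', ofType: null } } },
        { name: 'email', description: null, isDeprecated: false, deprecationReason: null, args: [],
          type: { kind: 'SCALAR', name: 'String', ofType: null } },
        { name: 'passwordHash', description: null, isDeprecated: true, deprecationReason: 'kept for the legacy mobile client',
          args: [], type: { kind: 'SCALAR', name: 'String', ofType: null } },
        { name: 'role', description: null, isDeprecated: false, deprecationReason: null, args: [],
          type: { kind: 'SCALAR', name: 'String', ofType: null } },
      ] },
      { kind: 'OBJECT', name: '__Schema', description: null, fields: [] },
      { kind: 'SCALAR', name: 'String', description: null, fields: null },
    ],
  } },
};

// Unwrap NON_NULL / LIST wrappers into SDL notation, e.g. ID! or [User].
function renderType(t) {
  if (!t) return '?';
  if (t.kind === 'NON_NULL') return renderType(t.ofType) + '!';
  if (t.kind === 'LIST') return '[' + renderType(t.ofType) + ']';
  return t.name;
}

function enumerateSchema(response) {
  const schema = response.data.__schema;
  const out = {
    roots: { query: schema.queryType ? schema.queryType.name : null,
             mutation: schema.mutationType ? schema.mutationType.name : null },
    types: {},      // type name -> field signatures
    listFields: [], // fields returning a list: "fetch all" candidates
    deprecated: [], // deprecated fields remain queryable
    links: [],      // URLs found in descriptions
  };
  const urlRe = /https?:\/\/[^\s)"']+/g;
  const collect = (where, text) => {
    for (const url of (text || '').match(urlRe) || []) out.links.push({ at: where, url });
  };
  for (const t of schema.types) {
    if (t.kind !== 'OBJECT' || t.name.startsWith('__')) continue; // skip scalars and meta types
    collect(t.name, t.description);
    out.types[t.name] = [];
    for (const f of t.fields || []) {
      const args = (f.args || []).map((a) => `${a.name}: ${renderType(a.type)}`).join(', ');
      out.types[t.name].push(`${f.name}${args ? `(${args})` : ''}: ${renderType(f.type)}`);
      const inner = f.type.kind === 'NON_NULL' ? f.type.ofType : f.type;
      if (inner && inner.kind === 'LIST') out.listFields.push(`${t.name}.${f.name}`);
      if (f.isDeprecated) out.deprecated.push(`${t.name}.${f.name}: ${f.deprecationReason || ''}`);
      collect(`${t.name}.${f.name}`, f.description);
    }
  }
  return out;
}
```

Send INTROSPECTION_QUERY as {"query": ...} to each candidate path from the slide; a 200 with a __schema object means introspection is on, and enumerateSchema turns the answer into the attack surface to work through (here: Query.users returns a list, User.passwordHash is deprecated but still selectable, and the users description leaks an internal console URL).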
  24. INTROSPECTION
  25. ❑ Error verbosity: stack traces, exceptions
      ❑ GraphQL errors vs client errors
      ❑ Error policy: none, ignore, all
      ❑ Standard responses leak operation names, nulls, line numbers, fragment names, etc.
  26. (image-only slide)
  27. ❑ Authentication
      ❑ Authorization (GQL vs business logic)
      ❑ Error handling
      ❑ Tampering (injections, XSS, others)
      ❑ Information exposure
      ❑ IDOR (no need to know the URL, endpoint or query structure, only the privileged parameter)
      ❑ Single point of failure
      ❑ Unpredictable transaction volumes
      ❑ Resource optimisation & DoS
        ▪ Processing time-out
        ▪ Query depth
        ▪ Complexity
  28. Circular and Nested Queries
  29. Best practices: implementation
      ❑ Nullability
      ❑ Pagination (amount limiting)
      ❑ Server-side batching & caching
      ❑ Query complexity (query cost analysis: resource, time, computation: resolver time)
      ❑ Throttling (time/complexity)
  30. Persisted queries (persistgraphql) and depth limiting
      {
        "scripts": {
          "postbuild": "persistgraphql src api/query-whitelist.json"
        }
      }
      import depthLimit from 'graphql-depth-limit'
      import graphqlHTTP from 'express-graphql'
      app.use('/graphql', graphqlHTTP((req, res) => ({
        schema,
        validationRules: [ depthLimit(10) ]
      })))
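What the depthLimit(10) rule on slide 30 measures, and why the circular friends-of-friends queries of slides 27 and 28 trip it, as an added example that is not from the deck or from graphql-depth-limit: a stand-alone depth counter that a tester can run over a captured query before sending it. It counts nested selection sets with the top-level selection set at depth 0, skips string and block-string literals and comments, and ignores braces inside argument parentheses (object literals). It does not expand fragment spreads; the real validation rule does, so treat this as a quick pre-check, not a replacement. The hero/friends schema names come from slide 8; the limit is the slide's 10.

```javascript
// Depth of the deepest selection set in a GraphQL document. { hero { name } }
// has depth 1; a bare top-level selection has depth 0.
function queryDepth(query) {
  let depth = 0, maxDepth = 0, parens = 0, i = 0;
  while (i < query.length) {
    const c = query[i];
    if (c === '#') {                                // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
      continue;
    }
    if (c === '"') {                                // string or block-string literal
      if (query.startsWith('"""', i)) {
        const end = query.indexOf('"""', i + 3);
        i = end < 0 ? query.length : end + 3;
      } else {
        i++;
        while (i < query.length && query[i] !== '"') {
          if (query[i] === '\\') i++;               // escaped character
          i++;
        }
        i++;                                        // closing quote
      }
      continue;
    }
    if (c === '(') parens++;
    else if (c === ')') parens--;
    else if (parens === 0 && c === '{') maxDepth = Math.max(maxDepth, ++depth);
    else if (parens === 0 && c === '}') depth--;   // braces inside (...) are argument objects
    i++;
  }
  if (depth !== 0 || parens !== 0) throw new Error('unbalanced braces or parentheses');
  return Math.max(0, maxDepth - 1);
}

// Would the server's depthLimit(limit) rule accept this query?
function checkDepth(query, limit = 10) {
  const depth = queryDepth(query);
  return { depth, limit, allowed: depth <= limit };
}

// A circular query over the Character.friends relation from slide 8:
// { hero { friends { friends ... { name } } } } with n levels of friends.
function buildNestedQuery(n) {
  return '{ hero ' + '{ friends '.repeat(n) + '{ name }' + ' }'.repeat(n) + ' }';
}

// The query from slide 9, with the schema's homeWorld field name.
const SLIDE_QUERY = `{
  hero(id: "1q2w3e") {
    name
    friends {
      homeWorld { name climate }
      species { name lifespan }
    }
  }
}`;
```

checkDepth(SLIDE_QUERY) reports depth 3 and is allowed; buildNestedQuery(12) reaches depth 13 and would be rejected by depthLimit(10), which is the point of the rule: the circular type makes the query arbitrarily deep even though every field in it is legitimate.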
  31. (image-only slide)
  32. (image-only slide)
  33. ISSUES WHEN PENTESTING GRAPHQL
  34. (image-only slide)
  35. BEFORE
  36. DEMO: GQLParser & Scanner, a Burp Suite extension
  37. Python-based extension: GQLParser loading in Burp Suite
  38. ▪ The extension detects and parses GraphQL data
      ▪ Dynamic input fields presented for testing and editing
      ▪ Integrates with Scanner for full coverage
      ▪ Reduces noise
      ▪ https://github.com/br3akp0int/GQLParser
  39. AFTER (chart: Number of Attack Vectors, Injection Points, Percent of HTTP 400s)
  40. Way forward: automation > optimisation; core GraphQL issues; secure implementation
  41. References
      ▪ http://graphql.org/
      ▪ https://www.howtographql.com/
      ▪ https://blog.graph.cool/
      ▪ https://github.com/rm3l/docker-api-graphql
      ▪ https://mikewilliamson.wordpress.com/2016/09/15/graphql-and-security/
      ▪ http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/
      ▪ https://github.com/rmosolgo/graphql-ruby/issues/167
      ▪ https://snyk.io/vuln/npm:express-graphql
      ▪ https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/
      ▪ https://labs.detectify.com/2018/03/14/graphql-abuse/
      ▪ https://nordicapis.com/security-points-to-consider-before-implementing-graphql/
      ▪ https://github.com/br3akp0int/GQLParser
      @NeeluTripathy @br3akp0int
