![8
type Query {
hero: Character
}
type Character {
id: ID!
name: String
friends: [Character]
homeWorld: Planet
species: Species
}
type Planet {
name: String
climate: String
}
type Species {
name: String
lifespan: Int
origin: Planet
}
Schema](https://image.slidesharecdn.com/pentestinggraphqlv1-181122062004/85/Pentesting-GraphQL-Applications-8-320.jpg)
![{
users(search:
"{"username": {"$regex":
"sue"}, "email":
{"$regex": "sue"}}",
options: "{"skip":
0, "limit": 10}") {
_id
username
fullname
email
}
}
Custom Scalar Types
JSON Scalar
User Defined Types
Assertions about user input
16
type Query { users(search: JSON!, options: JSON!): [User] }](https://image.slidesharecdn.com/pentestinggraphqlv1-181122062004/85/Pentesting-GraphQL-Applications-16-320.jpg)
![30
{
"scripts": {
"postbuild": "persistgraphql src
api/query-whitelist.json"
}
}
import depthLimit from 'graphql-depth-limit'
import graphqlHTTP from 'express-graphql’
app.use('/graphql', graphqlHTTP((req, res) =>
({
schema,
validationRules: [ depthLimit(10) ]
})))
Persistgraphql
D
E
P
T
H
L
I
M
I
T](https://image.slidesharecdn.com/pentestinggraphqlv1-181122062004/85/Pentesting-GraphQL-Applications-30-320.jpg)
Uploaded byNeelu Tripathy
Pentesting GraphQL Applications
The document discusses penetration testing (pentesting) for GraphQL applications, highlighting its flexible structure and the risks associated with its implementation. It covers critical vulnerabilities, best practices for secure GraphQL usage, and tools like gqlparser for testing. The presentation also emphasizes the importance of strong type systems, query complexity management, and proper error handling in ensuring application security.
More Related Content
Similar to Pentesting GraphQL Applications
Pentesting GraphQL Applications
- 1. PENTESTING GRAPHQL APPLICATIONS Neelu Tripathy Presented@ bSides Delhi & c0c0n 2018 1
- 2. ▪ NotSoSecure GlobalServices Limited ▪ 8+ years of InfoSec experience ▪ Speaker / Trainer : c0c0n, NullCon, BlackHat 2017 ▪ Loves:Vulnerability Assessments And Penetration Tests For Web Applications And Networks,Threat Modelling, Design Reviews, Red Teaming, Social Engineering. ▪ OSCP-PWK ▪ br3akp0int@ Null ▪ @NeeluTripathy 2 Neelu Tripathy
- 3.
- 4. Rest ❑Data intensive perend point ❑Multiple API end points needed ❑Leads to Over fetching or Under fetching GraphQL ❑Flexible for rapid product iterations on the front end ❑Designs can change and won’t affect API ❑Fine grained ❑Low level performance monitoring ❑Strong schema and types ❑Easy structuring of requests between client and server 4
- 5. ❑Started 2011: Facebook ❑Lee Byron, Nick Schrock ❑Usage ❑Made public in 2015 ❑multiple interior endpoints to a single forward facing endpoint. ❑Vast Language support ❑Data Intensive Platforms 5
- 6.
- 7. Source: www.howtographql.com GQL Serverwith Connected Database GQLHybridArchitecture 7
- 8. 8 type Query { hero:Character } type Character { id: ID! name: String friends: [Character] homeWorld: Planet species: Species } type Planet { name: String climate: String } type Species { name: String lifespan: Int origin: Planet } Schema
- 9. 9 Query: { hero(id: “1q2w3e”){ name friends { homeworld{ name climate } species{ name lifespan } } } }
- 10.
- 11.
- 12. Pentesting Approach toGraphQL Applications 12
- 13. ❑Strong Type System ❑Langsec ❑Lexing,Parsing, Matching ❑Abstract Syntax Tree 13 LangSec Input Handling Code Input lang Processing Code Processing lang1 Processing lang2
- 14.
- 15. SQL Backend ▪ Unlessit fails: ▪ Validation in Type System(Schema) ▪ Resolver needs to sanitize variables 15
- 16. { users(search: "{"username": {"$regex": "sue"}, "email": {"$regex":"sue"}}", options: "{"skip": 0, "limit": 10}") { _id username fullname email } } Custom Scalar Types JSON Scalar User Defined Types Assertions about user input 16 type Query { users(search: JSON!, options: JSON!): [User] }
- 17. { users(search: "{"email": {"$gte": ""}}", options:"{"skip": 0, "limit": 10}") { _id username fullname email } } { users(search: "{"email": {"$gte": ""}}", options: "{"fields": {}}") { _id username fullname email } } 17 Source: http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/
- 18.
- 19.
- 20. ▪ Affecting express-graphqlpackage, versions <0.4.11 >=0.4.0 var marked = require('marked'); console.log(marked('<script>al ert(1)</script>')); // Outputs: <script>alert(1)</script> marked.setOptions({sanitize: true}); console.log(marked('<script>al ert(1)</script>')); // Outputs: <p><script>alert(1)</ script></p> 20
- 21. ▪ Queries ❑Adding privileged parameters,id values, key, tokens to input params ❑Fetch more with unused output params ▪ Mutations ❑Try to change by replacing: ❑Relevant change parameters, ❑Look for any that define permissions, context, etc ❑Amount : fetch more than defaults 21
- 22. 22 How Not todo Authorization Correct Method
- 23. 23 ▪ /graphql ▪ /graphqlBatch ▪/graphql.php ▪ /graphiql ▪ /graphql/console/ ▪ /graphql.php?debug= 1 ▪ Try other Ports for interactive GQL Paths ▪ Schema based model enumeration: Fetching sensitive attributes ▪ Introspection : __schema ▪ Deprecated Nodes ▪ Crucial Attributes of an Object ▪ Data, links in description Schema Fetch All: Look For Cumulative Objects, group, collections, etc to get a list of all Entity
- 24.
- 25. ❑Error Verbosity, StackTrace, Exceptions ❑GraphQL, Client Errors ❑Error Policy: ▪ None ▪ Ignore ▪ All ❑Standard Response > OperationNames, Null, Line numbers, Fragment Names, etc 25
- 26.
- 27. ❑Authentication ❑Authorization(GQLVs Biz Logic) ❑ErrorHandling ❑Tampering?(Injections, XSS, others) ❑Information Exposure ❑IDOR(Don’t need to know URL, endpoint, query structure, only privileged parameter) ❑Single Point of Failure ❑Unpredictable Transaction volumes ❑Resource Optimization & DoS ▪ Processing Time-out ▪ Query Depth ▪ Complexity 27
- 28.
- 29. Best Practices: Implementation ❑Nullability ❑Pagination(AmountLimiting) ❑Server-Side Batching & Caching ❑Query Complexity(Query Cost Analysis: Resource, time, computation: resolver time) ❑Throttling(Time/Complexity) 29
- 30. 30 { "scripts": { "postbuild": "persistgraphqlsrc api/query-whitelist.json" } } import depthLimit from 'graphql-depth-limit' import graphqlHTTP from 'express-graphql’ app.use('/graphql', graphqlHTTP((req, res) => ({ schema, validationRules: [ depthLimit(10) ] }))) Persistgraphql D E P T H L I M I T
- 31.
- 32.
- 33. 33 ISSUES WHEN PENTESTINGGRAPHQL
- 34.
- 35.
- 36.
- 37. Python Based Extension: GQLParser Loadingin Burp Suite 37
- 38. ▪ Extension Detects,Parses GraphQL data ▪ Dynamic Input Fields presented for testing and editing ▪ Integrates with Scanner for full coverage ▪ Reduces noise ▪ https://github.com/br3akp0int/ GQLParser 38
- 39. AFTER 39 40 35 22 -5 0 5 10 15 20 0 2 46 8 10 NumberofAttackVectors Injection Points Percent of HTTP 400s
- 40. 40 AUTOMATION > OPTIMIZATION CORE GRAPHQLISSUES SECURE IMPLEMENTATION
- 41. 41 ▪ http://graphql.org/ ▪ https://www.howtographql.com/ ▪https://blog.graph.cool/ ▪ https://github.com/rm3l/docker-api-graphql ▪ https://mikewilliamson.wordpress.com/2016/09/15/graphql-and-security/ ▪ http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json- types/ ▪ https://github.com/rmosolgo/graphql-ruby/issues/167 ▪ https://snyk.io/vuln/npm:express-graphql ▪ https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/ ▪ https://labs.detectify.com/2018/03/14/graphql-abuse/ ▪ https://nordicapis.com/security-points-to-consider-before-implementing-graphql/ ▪ https://github.com/br3akp0int/GQLParser @NeeluTripathy @br3akp0int