Uploaded byKavishaSheth1
125 views

Attacking GraphQL

This document discusses attacking GraphQL APIs. It begins with an overview of GraphQL, how it differs from REST APIs, and key GraphQL concepts like queries, mutations, and introspection. It then explains how introspection can be dangerous by revealing an API's schema. Various vulnerabilities are covered like information disclosure, IDOR, injections, and authorization bypass. Tools for analyzing GraphQL APIs are also listed. The document concludes with examples of exploiting common vulnerabilities like stored XSS, authorization bypass, and OS command injection.

Embed presentation

Attacking GraphQL Kavisha Sheth
What to Expect ● What is GraphQL ● How GraphQL differs from Rest API ● How does GraphQL works ● GraphQL Terminologies ● Introspection ● Why Introspection can be dangerous ● Tools ● Common vulnerabilities & how to exploit them
What is GraphQL? GraphQL is query language used by APIs to access data from the database through a single endpoint and it make this possible by using a defined schema which specifies exactly what we want to access.
How GraphQL differs from Rest API ? ❖ Rest API ● It fetches all data, whether required or not ( “over-fetching”). ● It makes multiple network requests to get multiple resources. ❖ GraphQL ● GraphQL allows multiple resource requests in a single query call ● Saves time and bandwidth ● Increased complexity == more error
https://www.apollographql.com/blog/how-do-i-graphql- 2fcabfc94a01/
Where to find endpoints? GraphQL usually located at specific endpoints ● /graphql ● /qql ● /graphiql ● /graphql/console ● /graph ● /graphql.php Also, look for request and response referencing for queries and mutations
GraphQL Terminologies ● Query : To fetch the data ● Mutations: To modify the data ● Fields: It’s specify that exactly what data we want to receive. ● Node : Object containing the data ● Edge : Connect two nodes
Query
Mutation
Introspection GraphQL server supports introspection over its schema using the same GraphQL query language. A server exposes the following introspection queries on the Query operation type. ● __schema : Which enable us to fetch whole schema ● __type : What types schema has ● __queryType : What are the operation available in the schema
Introspection Query
https://apis.guru/graphql-voyager/
Using Introspection for evil purpose ● Get all Queries ● Get all mutations ● Look for error message/ stack trace ● Look for sensitive informations
Enumeration using error message It reveals actual value
Tools ● InQL burp extension ● GraphQL IDE ● Altair Graphql IDE ● GraphQL map ● graphql-path-enum
Attacking GraphQL
Vulnerabilities worth looking for !! ● Information Disclosure ● IDOR ● Injections ● Denial of Service ● Authorization Bypass ● Business Logic
Injection :: Stored Cross Site Scripting
Authorization Bypass :: GraphQL Interface Protection Bypass
Code Execution :: OS Command Injection
Thank you

More Related Content

PDF
Pentesting GraphQL Applications
byNeelu Tripathy
 
ODP
Introduction to Swagger
byKnoldus Inc.
 
PDF
Attacking and defending GraphQL applications: a hands-on approach
byDavide Cioccia
 
PDF
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
PPT
Pentest Application With GraphQL | Null Bangalore Meetup
byDivyanshu
 
PDF
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
PDF
Swagger
byNexThoughts Technologies
 
PPTX
Introducing Swagger
byTony Tam
 
Pentesting GraphQL Applications
byNeelu Tripathy
 
Introduction to Swagger
byKnoldus Inc.
 
Attacking and defending GraphQL applications: a hands-on approach
byDavide Cioccia
 
OWASP Top 10 A4 – Insecure Direct Object Reference
byNarudom Roongsiriwong, CISSP
 
Pentest Application With GraphQL | Null Bangalore Meetup
byDivyanshu
 
Pentesting Rest API's by :- Gaurang Bhatnagar
byOWASP Delhi
 
Swagger
byNexThoughts Technologies
 
Introducing Swagger
byTony Tam
 

What's hot

PPTX
Nextjs13.pptx
byDivyanshGupta922023
 
PDF
RESTful Web Services
byChristopher Bartling
 
PPTX
Angular overview
byThanvilahari
 
PPTX
Rest API Security
byStormpath
 
PDF
REST vs GraphQL
bySquareboat
 
PPTX
Api Testing
byVishwanath KC
 
PPTX
API Docs with OpenAPI 3.0
byFabrizio Ferri-Benedetti
 
PDF
TypeScript - An Introduction
byNexThoughts Technologies
 
PPTX
REST API Design & Development
byAshok Pundit
 
PDF
TypeScript Introduction
byDmitry Sheiko
 
PPTX
GraphQL Introduction
bySerge Huber
 
PDF
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
PDF
REST API and CRUD
byPrem Sanil
 
PPTX
Selenium-Locators
byMithilesh Singh
 
PPTX
Restful api
byAnurag Srivastava
 
PDF
API Testing
byBikash Sharma
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
Nextjs13.pptx
byDivyanshGupta922023
 
RESTful Web Services
byChristopher Bartling
 
Angular overview
byThanvilahari
 
Rest API Security
byStormpath
 
REST vs GraphQL
bySquareboat
 
Api Testing
byVishwanath KC
 
API Docs with OpenAPI 3.0
byFabrizio Ferri-Benedetti
 
TypeScript - An Introduction
byNexThoughts Technologies
 
REST API Design & Development
byAshok Pundit
 
TypeScript Introduction
byDmitry Sheiko
 
GraphQL Introduction
bySerge Huber
 
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
REST API and CRUD
byPrem Sanil
 
Selenium-Locators
byMithilesh Singh
 
Restful api
byAnurag Srivastava
 
API Testing
byBikash Sharma
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 

Similar to Attacking GraphQL

PPTX
Working and Attacking GraphQL APIs vs Rest API
byMatrix823409
 
PDF
APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL,...
byapidays
 
PDF
GraphQL Bangkok meetup 5.0
byTobias Meixner
 
PDF
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
byDavide Cioccia
 
PPTX
GraphQL with api development of all details
byPateljeel7
 
PDF
GraphQL + relay
byCédric GILLET
 
PPTX
Introduction to GraphQL (A modern representation of APIs)
byPanchalAditya6
 
PPTX
Introduction to GraphQL
byRodrigo Prates
 
PPTX
Introduction to GraphQL Presentation.pptx
byKnoldus Inc.
 
PDF
Let's start GraphQL: structure, behavior, and architecture
byAndrii Gakhov
 
PDF
GraphQL the holy contract between client and server
byPavel Chertorogov
 
PPTX
Introduction to Testing GraphQL Presentation
byKnoldus Inc.
 
PPTX
Testing Graph QL Presentation (Test Automation)
byKnoldus Inc.
 
PPTX
Graphql
byGirish Talekar
 
PPTX
GraphQL - an elegant weapon... for more civilized age
byBartosz Sypytkowski
 
PPTX
GraphQL Fundamentals
byMohammadreza osfoori
 
PPTX
An intro to GraphQL
byvaluebound
 
PPTX
Green Custard Friday Talk 8: GraphQL
byGreen Custard
 
PPTX
Introduction to Graph QL
byDeepak More
 
PDF
Tutorial: Building a GraphQL API in PHP
byAndrew Rota
 
Working and Attacking GraphQL APIs vs Rest API
byMatrix823409
 
APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL,...
byapidays
 
GraphQL Bangkok meetup 5.0
byTobias Meixner
 
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
byDavide Cioccia
 
GraphQL with api development of all details
byPateljeel7
 
GraphQL + relay
byCédric GILLET
 
Introduction to GraphQL (A modern representation of APIs)
byPanchalAditya6
 
Introduction to GraphQL
byRodrigo Prates
 
Introduction to GraphQL Presentation.pptx
byKnoldus Inc.
 
Let's start GraphQL: structure, behavior, and architecture
byAndrii Gakhov
 
GraphQL the holy contract between client and server
byPavel Chertorogov
 
Introduction to Testing GraphQL Presentation
byKnoldus Inc.
 
Testing Graph QL Presentation (Test Automation)
byKnoldus Inc.
 
Graphql
byGirish Talekar
 
GraphQL - an elegant weapon... for more civilized age
byBartosz Sypytkowski
 
GraphQL Fundamentals
byMohammadreza osfoori
 
An intro to GraphQL
byvaluebound
 
Green Custard Friday Talk 8: GraphQL
byGreen Custard
 
Introduction to Graph QL
byDeepak More
 
Tutorial: Building a GraphQL API in PHP
byAndrew Rota
 

Recently uploaded

PDF
Ericsson 6230 Training Module Document.pdf
byMd Bellal Hossain
 
PPTX
Distresses in Road Flexible pavement.pptx
byMahmoodKhalid11
 
PDF
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
PDF
Chris Elwell Woburn - An Experienced IT Executive
byChris Elwell Woburn
 
PDF
Computer Graphics Fundamentals (v0p1) - DannyJiang
byDanny Jiang
 
PPTX
Basic Volume Mass Relationship and unit weight as function of volumetric wate...
byMahmoodKhalid11
 
PDF
AI-Driven Multi-Agent System for QOS Optimization in 6g Industrial Networks
byijcncjournal019
 
PPTX
ISO 13485.2016 Awareness's Training material
byPrakashSivan
 
PDF
BOQ LESSON 1-INTRODUCTION TO BOQs AND PROJECT.pdf
byGabrielTambwe1
 
PPTX
The Most Controversial TPM Debate in Maintenance Today Checklist TPM vs Outco...
byMaintWiz Technologies Private Limited
 
PDF
CME397 SURFACE ENGINEERING UNIT 2 FULL NOTES
bykarthi keyan
 
PDF
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
DOCX
yearly Management report for Engineering and maintenance
bylamoushalhaj
 
PDF
BOQ LESSON 2-QUANTITY TAKE-OFF & RATE BUILD-UP.pdf
byGabrielTambwe1
 
PDF
Manual de instalacion de notifire NFS320
byMarcoPolitoPerez
 
PPTX
Week 2.1.pptxdynamics particle kinetics introduction 2
byfmsalih06
 
PPTX
Theory to Practice of Unsaturated Soil Mechanics-1.pptx
byMahmoodKhalid11
 
PPTX
We-Optimized-Everything-Except-Decision-Quality-Maintenance-MaintWiz.pptx
byMaintWiz Technologies Private Limited
 
PPTX
Introduction to AI and Applications Module-4.pptx
byKalaiselviSubramania2
 
PPTX
Optimized access control techniques in Cloud Computing with Security and Scal...
bymareswariesteru
 
Ericsson 6230 Training Module Document.pdf
byMd Bellal Hossain
 
Distresses in Road Flexible pavement.pptx
byMahmoodKhalid11
 
Rajesh Prasad- Brief Profile with educational, professional highlights
byRajesh Prasad
 
Chris Elwell Woburn - An Experienced IT Executive
byChris Elwell Woburn
 
Computer Graphics Fundamentals (v0p1) - DannyJiang
byDanny Jiang
 
Basic Volume Mass Relationship and unit weight as function of volumetric wate...
byMahmoodKhalid11
 
AI-Driven Multi-Agent System for QOS Optimization in 6g Industrial Networks
byijcncjournal019
 
ISO 13485.2016 Awareness's Training material
byPrakashSivan
 
BOQ LESSON 1-INTRODUCTION TO BOQs AND PROJECT.pdf
byGabrielTambwe1
 
The Most Controversial TPM Debate in Maintenance Today Checklist TPM vs Outco...
byMaintWiz Technologies Private Limited
 
CME397 SURFACE ENGINEERING UNIT 2 FULL NOTES
bykarthi keyan
 
Chad Ayach - An Accomplished Mechanical Engineer
byChad Ayach
 
yearly Management report for Engineering and maintenance
bylamoushalhaj
 
BOQ LESSON 2-QUANTITY TAKE-OFF & RATE BUILD-UP.pdf
byGabrielTambwe1
 
Manual de instalacion de notifire NFS320
byMarcoPolitoPerez
 
Week 2.1.pptxdynamics particle kinetics introduction 2
byfmsalih06
 
Theory to Practice of Unsaturated Soil Mechanics-1.pptx
byMahmoodKhalid11
 
We-Optimized-Everything-Except-Decision-Quality-Maintenance-MaintWiz.pptx
byMaintWiz Technologies Private Limited
 
Introduction to AI and Applications Module-4.pptx
byKalaiselviSubramania2
 
Optimized access control techniques in Cloud Computing with Security and Scal...
bymareswariesteru
 

Attacking GraphQL

  • 1.
  • 2.
    What to Expect ●What is GraphQL ● How GraphQL differs from Rest API ● How does GraphQL works ● GraphQL Terminologies ● Introspection ● Why Introspection can be dangerous ● Tools ● Common vulnerabilities & how to exploit them
  • 3.
    What is GraphQL? GraphQLis query language used by APIs to access data from the database through a single endpoint and it make this possible by using a defined schema which specifies exactly what we want to access.
  • 4.
    How GraphQL differsfrom Rest API ? ❖ Rest API ● It fetches all data, whether required or not ( “over-fetching”). ● It makes multiple network requests to get multiple resources. ❖ GraphQL ● GraphQL allows multiple resource requests in a single query call ● Saves time and bandwidth ● Increased complexity == more error
  • 5.
  • 6.
    Where to findendpoints? GraphQL usually located at specific endpoints ● /graphql ● /qql ● /graphiql ● /graphql/console ● /graph ● /graphql.php Also, look for request and response referencing for queries and mutations
  • 7.
    GraphQL Terminologies ● Query: To fetch the data ● Mutations: To modify the data ● Fields: It’s specify that exactly what data we want to receive. ● Node : Object containing the data ● Edge : Connect two nodes
  • 8.
  • 9.
  • 10.
    Introspection GraphQL server supportsintrospection over its schema using the same GraphQL query language. A server exposes the following introspection queries on the Query operation type. ● __schema : Which enable us to fetch whole schema ● __type : What types schema has ● __queryType : What are the operation available in the schema
  • 11.
  • 13.
  • 14.
    Using Introspection forevil purpose ● Get all Queries ● Get all mutations ● Look for error message/ stack trace ● Look for sensitive informations
  • 15.
    Enumeration using errormessage It reveals actual value
  • 16.
    Tools ● InQL burpextension ● GraphQL IDE ● Altair Graphql IDE ● GraphQL map ● graphql-path-enum
  • 17.
  • 18.
    Vulnerabilities worth lookingfor !! ● Information Disclosure ● IDOR ● Injections ● Denial of Service ● Authorization Bypass ● Business Logic
  • 19.
    Injection :: StoredCross Site Scripting
  • 22.
    Authorization Bypass ::GraphQL Interface Protection Bypass
  • 24.
    Code Execution ::OS Command Injection
  • 26.

Editor's Notes

  • #12 How do we know what api functionalioty exist and we can do by sending introspection query
  • #15 https://the-bilal-rizwan.medium.com/graphql-common-vulnerabilities-how-to-exploit-them-464f9fdce696