All rights reserved by Postman Inc

Don’t Panic: A Developer’s Guide to Building Secure GraphQL APIs
Meenakshi Dhanani
Developer Relations Engineer, GraphQL
You can’t beat me at getting lost
Meenakshi Dhanani (aka Meena)
@mdhananii
Likes:
- Yoga, strength training
- Spanish
@getpostman @mdhananii
GraphQL is just an API
PANIC
NATIONAL VULNERABILITY DATABASE
includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

“Contrarily to simple REST APIs, GraphQL is a language. Attackers have a broad attack surface to craft malformed queries and exploit the GraphQL Engine.”
Tristan Kalos, Co-founder and CEO, Escape
Fork the workspace: https://www.postman.com/devrel/workspace/graphql-security-101/overview

Common Attack Surfaces
BEWARE
Access Control: Authentication
A common error that leads to the compromise of GraphQL APIs is the absence of authentication. Choosing which layer to perform the authentication at is a crucial decision.
Context is an object that is shared by all the resolvers of a specific execution. It is useful for storing data such as authentication information and the current user.
Access Control: Authorization
Certain fields/types are exposed to users having different roles if there aren’t checks in place.
Define the business logic for the resolvers in the middleware. Default deny: maintaining an allowlist is safer.
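The two access-control slides above (the authenticated user carried in the context object, and a default-deny allowlist enforced in resolver middleware) as an added JavaScript example. This is not code from the talk or from the Postman workspace: the field names, roles, the `self` pseudo-role and the in-memory user records are constructed for the demo, and the `authorize` wrapper stands in for whatever middleware hook your GraphQL server provides.

```javascript
// Added example, not from the slides: default-deny field authorization enforced
// in a resolver wrapper, using the per-execution context object for identity.
// All names below (Query.me, Query.allUsers, User.email, the roles) are hypothetical.

// Allowlist: which roles may resolve which "Type.field". Anything not listed is
// denied, so a newly added field stays private until someone grants access.
const FIELD_ALLOWLIST = {
  'Query.me': ['user', 'admin'],
  'Query.allUsers': ['admin'],
  'User.email': ['admin', 'self'],   // 'self' = the record belongs to the caller
};

class AuthError extends Error {}

// Wrap a resolver so the allowlist is checked before the business logic runs.
// `context` is the object GraphQL shares across all resolvers of one execution;
// here it carries context.user = { id, role } (set after authentication) or nothing.
function authorize(typeName, fieldName, resolver) {
  const key = `${typeName}.${fieldName}`;
  return (parent, args, context, info) => {
    const user = context && context.user;
    if (!user) throw new AuthError(`unauthenticated access to ${key}`);
    const allowed = FIELD_ALLOWLIST[key] || [];          // default deny
    const isSelf = Boolean(parent) && parent.id === user.id;
    if (!allowed.includes(user.role) && !(isSelf && allowed.includes('self'))) {
      throw new AuthError(`role ${user.role} may not access ${key}`);
    }
    return resolver(parent, args, context, info);
  };
}

// Constructed in-memory data standing in for a real data source.
const USERS = [
  { id: 1, role: 'user', email: 'alice@example.com' },
  { id: 2, role: 'admin', email: 'bob@example.com' },
];

const resolvers = {
  Query: {
    me: authorize('Query', 'me', (_p, _a, ctx) => USERS.find((u) => u.id === ctx.user.id)),
    allUsers: authorize('Query', 'allUsers', () => USERS),
    // No entry in FIELD_ALLOWLIST, so this is denied for every role.
    secretReport: authorize('Query', 'secretReport', () => 'quarterly numbers'),
  },
  User: {
    email: authorize('User', 'email', (parent) => parent.email),
  },
};

// Run one resolver and report the outcome instead of throwing, so callers
// (and the demo below) can see allow/deny decisions side by side.
function tryResolve(resolver, parent, context) {
  try {
    return { ok: true, value: resolver(parent, {}, context, {}) };
  } catch (e) {
    if (e instanceof AuthError) return { ok: false, error: e.message };
    throw e;
  }
}

// Demo: an ordinary user asking for the admin-only list, then for their own email.
const asAlice = { user: { id: 1, role: 'user' } };
console.log(tryResolve(resolvers.Query.allUsers, null, asAlice));   // denied
console.log(tryResolve(resolvers.User.email, USERS[0], asAlice));   // allowed (self)
```

The important property is the fallback in `authorize`: a field missing from `FIELD_ALLOWLIST` resolves to an empty role list and is refused, which is what "default deny" means in practice. In a real server the same wrapper would be applied by a schema-level middleware (for example a directive or a resolver map transform) rather than by hand on each field.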
Denial of Service: Nested Recursive Querying
GraphQL types can reference each other. A large nested query can use recursion to build a circular query that brings down the server.
Max depth checks can prevent these attacks.
Denial of Service: Batch Attack
GraphQL supports batching: several operations are sent in one request and executed one after the other to save network resources. Batched requests can be a good candidate for Denial of Service attacks when the queries involved are resource intensive.
Disable batching. Protect your system by having rate limiting in place for queries that are resource intensive. Query cost analysis is one such approach for rate limiting.
Denial of Service: Aliased Queries
Even if batching is disabled, a single operation can use aliases to run the same field repeatedly and bring the system down.
Keep an allowlist of approved queries you use in your own application and instruct the server not to let any other queries pass except those on the list.
Information Disclosure
● GraphQL Introspection
You can use the __schema query to learn about all the fields and types in a schema. This could expose certain sensitive fields, and the queries and mutations that exist, to attackers. Disable introspection in production to avoid these attacks.
● Error Suggestions
If you query a schema with a typo in the field name, the GraphQL error message suggests the name of the field that most closely matches the name you entered. This could leak sensitive data.
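Both Information Disclosure points above (refusing introspection in production, and stripping the "Did you mean" hint from error messages) as an added JavaScript example; this is not code from the talk or the Postman workspace. The production switch and the sample error message are constructed for the demo, and the dependency-free string scan is a stand-in for the real mechanism, which is the `NoSchemaIntrospectionCustomRule` validation rule shipped with graphql-js (or `introspection: false` in Apollo Server).

```javascript
// Added example, not from the slides: gate introspection behind an environment
// switch and sanitise error messages so a typo does not enumerate the schema.
const IS_PRODUCTION = process.env.NODE_ENV === 'production';   // hypothetical switch

// Introspection is reached through the __schema and __type root fields. Blank out
// string literals and comments first so a "__schema" inside an argument value does
// not trigger a false positive. __typename is left alone: clients use it routinely
// and it reveals nothing beyond the type of data they already received.
function containsIntrospection(query) {
  const cleaned = query.replace(/"(?:\\.|[^"\\])*"/g, '""').replace(/#[^\n]*/g, '');
  return /\b__(schema|type)\b/.test(cleaned);
}

function rejectIntrospection(query, production = IS_PRODUCTION) {
  return production && containsIntrospection(query);
}

// graphql-js phrases field typos as, for example:
//   Cannot query field "emial" on type "User". Did you mean "email"?
// The suggestion is what leaks field names, so drop it for clients in production
// while the full message still goes to the server log for developers.
function sanitizeErrorMessage(message, production = IS_PRODUCTION) {
  if (!production) return message;
  return message.replace(/\s*Did you mean .*$/, '');
}

// Shape of an error object returned to the client; only the message is
// sanitised and the resolver stack is never included.
function formatError(err, production = IS_PRODUCTION) {
  const clientMessage = sanitizeErrorMessage(err.message, production);
  console.error('graphql error:', err.message);                // full detail stays server-side
  return production ? { message: clientMessage } : { message: clientMessage, path: err.path };
}

// Demo with a constructed request and a constructed validation error.
console.log(rejectIntrospection('{ __schema { types { name } } }', true));   // true
console.log(formatError(
  { message: 'Cannot query field "emial" on type "User". Did you mean "email"?', path: ['me'] },
  true,
));
```

Keep introspection available in development and staging, where the schema is what tools and clients build against; the switch only has to flip for the deployment attackers can reach. Note that disabling introspection hides the schema but does not protect the fields themselves, so it complements the authorization allowlist rather than replacing it.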
GraphQL Security 101

“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
Stéphane Nappo, Global Chief Information Security Officer

DON’T PANIC
Additional Resources
GraphQL Vulnerabilities: https://blog.escape.tech/tag/graphql-vulnerability/
Damn Vulnerable GraphQL Application: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Introduction to GraphQL security | Christina Hastenrath: https://youtu.be/aI-wI14D1nw
GraphQL Security Public Workspace: https://www.postman.com/devrel/workspace/graphql-security-101/overview

Thank You

  • 20. GraphQL Vulnerabilities https://blog.escape.tech/tag/graphql-vulnerability/ Damn Vulnerable GraphQL Application https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application Introduction to GraphQL security | Christina Hastenrath https://youtu.be/aI-wI14D1nw GraphQL Security Public Workspace https://www.postman.com/devrel/workspace/graphql-security-101/overview Additional Resources @getpostman @mdhananii