
Hacking GraphQL

Anugrah SR
February 27, 2024


Transcript

  1. Anugrah S R: Cyber Security consultant and Security Researcher, Bug bounty hunter, Synack Red Team member. Hacked and secured multiple organisations including Apple, Redbull, Sony, Dell, Netflix and many more. Twitter: @cyph3r_asr | LinkedIn: anugrah-sr | Blog: www.anugrahsr.in. Connect with me.
  2. Bug bounty hunter: $$$$. Pentester / VAPT: amazing findings for your report. Developer: make your app more secure.
  3. GraphQL is an open-source data query and data manipulation language for APIs, and a query runtime engine. GraphQL was created by Facebook and made public in 2015. It offers an alternative to REST APIs for data retrieval.
  4. Why GraphQL? GraphQL was created for more flexible and efficient API development and addresses the limitations and challenges of REST APIs. REST APIs often require multiple round trips to the server to fetch related data; GraphQL removes the need for multiple round trips by letting developers specify exactly the data they need in a single request.
  5. Why GraphQL? Avoid over- and under-fetching: we fetch only what we need from the server by constructing the query to include only the required fields. Prevent multiple API calls: when you need more data, you can avoid making several calls to your API; in the case above, you don't need two API calls to fetch /order and /product separately. API versioning: when the need for new features arises, you can easily add fields, queries, mutations, etc. to the server without affecting other parts of the application, and it is easier to remove old features. Self-documenting: every GraphQL API conforms to a "schema", which is the graph data model and describes what kinds of queries a client can make.
  6. Reconnaissance / Discovery: common endpoint paths are /graphql, /graphql/console, /graphql.php, /graphiql.php, /explorer, /altair and /playground. Wordlist: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/graphql.txt
  7. Reconnaissance / Discovery: fuzzing for endpoints with ffuf and detecting GraphQL with Nuclei.

    ffuf -w graphql.txt -u https://target/FUZZ
    # List of targets
    nuclei -t graphql-detect.yaml -l target_domains.txt
    # Single target
    nuclei -t graphql-detect.yaml -u https://example.com
  8. Reconnaissance / Discovery: Graphw00f (https://github.com/dolevf/graphw00f) fingerprints the GraphQL server implementation.

    python3 main.py -f -d -t http://localhost:5000

    GraphQL Threat Matrix: https://github.com/nicholasaleks/graphql-threat-matrix/. Other tools for discovery: goctopus, graphinder.
  9. Introspection Query: a special type of query that can be used to retrieve the schema for a GraphQL API. This schema defines the types of data the API can return, the available fields for those types and the arguments that can be passed to those fields. Uses: generating documentation for an API; helping to debug an issue with the schema. Where is the API documentation? Which API functions exist?

    query { __schema { types { name fields { name type { name kind } } } } }
  10. What if the introspection query is disabled? clairvoyance: https://github.com/nikitastupin/clairvoyance. Let's abuse it: GraphQL has a feature that suggests field and operation names.
  11. Denial of Service (DoS) / Unrestricted Resource Consumption: resource-intensive query attack, batch query attack, alias-based attack, field duplication attack, deep recursion query attack.
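Added example, not from the deck: a Python pre-execution check that a GraphQL server could run to reject the deep-recursion, alias and field-duplication patterns listed above before any resolver does work. The limits and the minimal tokenizer are assumptions of this example, not a library's API.

```python
import re

# Limits a defender might enforce (assumed values; tune per deployment).
MAX_DEPTH = 5        # nested selection sets: deep recursion attack
MAX_ALIASES = 10     # alias-based attack
MAX_DUPLICATES = 5   # field duplication attack (same field in one selection set)

# Minimal GraphQL tokenizer: braces, parens, strings, spreads, names, colons.
TOKEN = re.compile(r'\{|\}|\(|\)|"(?:[^"\\]|\\.)*"|\.\.\.|[A-Za-z_]\w*|:|\S')

def analyze_query(query):
    """Measure depth, alias count and field duplication; list violated limits."""
    tokens = TOKEN.findall(query)
    depth = max_depth = aliases = max_dup = 0
    scopes = []                      # one field counter per open selection set
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == '(':               # skip argument lists (nested parens too)
            level = 1
            while level and i + 1 < len(tokens):
                i += 1
                level += (tokens[i] == '(') - (tokens[i] == ')')
        elif tok == '@':             # skip directive name; its args hit '(' above
            i += 1
        elif tok == '{':
            depth += 1
            max_depth = max(max_depth, depth)
            scopes.append({})
        elif tok == '}':
            depth -= 1
            scopes.pop()
        elif tok == '...':           # fragment spread: "...name" or "... on Type"
            i += 1 + (i + 1 < len(tokens) and tokens[i + 1] == 'on')
        elif tok[0].isalpha() or tok[0] == '_':
            if scopes and i + 1 < len(tokens) and tokens[i + 1] == ':':
                aliases += 1         # "alias: field" form; count the real field
                i += 2
                tok = tokens[i] if i < len(tokens) else tok
            if scopes:
                counts = scopes[-1]
                counts[tok] = counts.get(tok, 0) + 1
                max_dup = max(max_dup, counts[tok])
        i += 1
    violations = [name for name, value, limit in (
        ('depth', max_depth, MAX_DEPTH), ('aliases', aliases, MAX_ALIASES),
        ('duplicates', max_dup, MAX_DUPLICATES)) if value > limit]
    return {'max_depth': max_depth, 'aliases': aliases,
            'max_duplicates': max_dup, 'violations': violations}
```

A request whose `violations` list is non-empty should be refused with a generic error, and the metrics logged for rate-limiting decisions.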
  12. Server Side Request Forgery (SSRF): allows an attacker to induce the server-side application to make requests to an unintended location.
  13. Broken Object Level Authorization (BOLA), formerly Insecure Direct Object Reference (IDOR), remains the most significant risk for APIs, as it did in 2019.
  14. Broken Authentication: authentication is "broken" when attackers are able to compromise passwords, keys or session tokens, user account information, and other details to assume user identities.
  15. Broken Object Property Level Authorization (BOPLA): it is crucial to verify that a user has the authorization to access the specific fields of a GraphQL object they are attempting to reach via the API. BOPLA is a new addition that combines the 2019 list's Excessive Data Exposure and Mass Assignment. Example field: recentLocation.
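Added example, not from the deck: a Python field-level authorization layer that decides, per role, which User fields a viewer may read (the recentLocation case) and which input fields a mutation may write, covering both halves of BOPLA. The policy, role names and sample records are constructed for illustration.

```python
# Per-type, per-role field policy (assumed; recentLocation is the deck's field).
FIELD_POLICY = {
    "User": {
        "read": {                    # excessive data exposure side of BOPLA
            "public": {"id", "username"},
            "owner": {"id", "username", "email", "recentLocation"},
            "admin": {"id", "username", "email", "recentLocation", "isBanned"},
        },
        "write": {                   # mass assignment side of BOPLA
            "public": set(),
            "owner": {"username", "email"},
            "admin": {"username", "email", "isBanned"},
        },
    }
}

class FieldAuthorizationError(Exception):
    pass

def effective_role(viewer, target):
    # Role of the viewer relative to the object being accessed.
    if viewer.get("role") == "admin":
        return "admin"
    return "owner" if viewer.get("id") == target.get("id") else "public"

def denied_fields(type_name, action, fields, viewer, target):
    """Requested fields that the viewer's role may not read or write."""
    allowed = FIELD_POLICY[type_name][action][effective_role(viewer, target)]
    return sorted(set(fields) - allowed)

def resolve_fields(type_name, requested, viewer, target):
    """Return the requested fields only if the whole selection is authorized."""
    denied = denied_fields(type_name, "read", requested, viewer, target)
    if denied:
        raise FieldAuthorizationError(f"read of {type_name}.{denied[0]} denied")
    return {f: target[f] for f in requested}

def apply_update(type_name, changes, viewer, target):
    """Apply an input object; unknown or forbidden keys reject the whole update."""
    denied = denied_fields(type_name, "write", changes, viewer, target)
    if denied:
        raise FieldAuthorizationError(f"write of {type_name}.{denied[0]} denied")
    target.update(changes)
    return target

# Constructed sample records (not real data).
ALICE = {"id": 1, "username": "alice", "email": "alice@example.com",
         "recentLocation": "52.52,13.40", "isBanned": False}
BOB = {"id": 2, "username": "bob", "email": "bob@example.com",
       "recentLocation": "48.85,2.35", "isBanned": False}
```

Because the check runs over the whole selection or input object rather than field by field, a request mixing allowed and forbidden fields fails closed instead of silently returning a partial object.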
  16. Broken Function Level Authorization (BFLA): a permission IDOR, whereby a regular user can perform an administrator-level task; it also emphasizes the importance of proper logging and monitoring. An attacker could exploit a BFLA vulnerability to ban other users, which normally only a moderator can do.
  17. Lack of Protection from Automated Threats: developers should know this risk and implement measures to prevent excessive automated access to their business-sensitive API endpoints. Implement rate limiting, user behavior analysis, and CAPTCHAs to protect your API from excessive automated access.
  18. Improper Inventory Management: developers should ensure they clearly understand their API inventory and maintain thorough documentation. Security by obscurity: a DevSecOps engineer decides to close introspection in the production environment, but keeps it open on the public staging environment. Introspection enabled: https://target.com - ❌, https://dev.target.com - ✅, https://staging.target.com - ✅, https://uat.target.com - ✅
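Added example covering slides 9 and 18 (not the speaker's code): Python that parses the reply to the introspection query shown on slide 9 and audits which environments still answer it and how many fields they expose. The responses are constructed inline; sending the query with an HTTP client is left out.

```python
INTROSPECTION_QUERY = (
    "query { __schema { types { name fields { name type { name kind } } } } }"
)

def introspection_enabled(response):
    """True when the endpoint answered the introspection query with a schema."""
    data = response.get("data") or {}
    return bool((data.get("__schema") or {}).get("types"))

def schema_fields(response):
    """Map each user-defined object type to {field: type name} from the response."""
    result = {}
    for t in response["data"]["__schema"]["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue                 # skip meta types, scalars and enums
        # NON_NULL/LIST wrappers have no name in this query, so fall back to kind
        result[t["name"]] = {f["name"]: f["type"]["name"] or f["type"]["kind"]
                             for f in t["fields"]}
    return result

def audit_environments(responses):
    """Per environment: does introspection answer, and how many fields it exposes."""
    report = {}
    for env, resp in responses.items():
        enabled = introspection_enabled(resp)
        fields = schema_fields(resp) if enabled else {}
        report[env] = {"introspection": enabled,
                       "exposed_fields": sum(len(v) for v in fields.values())}
    return report

# Constructed responses standing in for the environments in the deck's table
# (no network involved; in practice each is the JSON reply to INTROSPECTION_QUERY).
USER_TYPE = {"name": "User", "fields": [
    {"name": "id", "type": {"name": None, "kind": "NON_NULL"}},
    {"name": "email", "type": {"name": "String", "kind": "SCALAR"}},
    {"name": "recentLocation", "type": {"name": "String", "kind": "SCALAR"}}]}
SCHEMA_OK = {"data": {"__schema": {"types": [
    USER_TYPE, {"name": "String", "fields": None},
    {"name": "__Type", "fields": [
        {"name": "name", "type": {"name": "String", "kind": "SCALAR"}}]}]}}}
DISABLED = {"errors": [{"message": "introspection is disabled"}], "data": None}
RESPONSES = {"https://target.com": DISABLED,
             "https://dev.target.com": SCHEMA_OK,
             "https://staging.target.com": SCHEMA_OK,
             "https://uat.target.com": SCHEMA_OK}
```

Any non-production host reporting `introspection: True` is the inventory gap the slide describes: the same schema, including fields like recentLocation, is readable there even though production hides it.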
  19. Injection Attacks (OS Command Injection): an attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query, which in turn alters the execution of that program.
  20. Injection Attacks (Stored XSS): an attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query, which in turn alters the execution of that program.
  21. Injection Attacks (SQL Injection): an attacker supplies untrusted input to a program. This input gets processed by an interpreter as part of a command or query, which in turn alters the execution of that program.