Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - Learn how to attack and mitiga...

apidays
PRO
March 21, 2023
Programming
0
77

APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

Learn how to attack and mitigate vulnerabilities in GraphQL
Parth Shukla, Security Analyst at Cequence Security

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

March 21, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays London 2024 - Securing APIs, Beyond the Basics with Advanced Security Practices, Karanvir Attwal
apidays
PRO
0
21
Apidays London 2024 - From Fragmentation to Federation by Peter Mörsch, Boomi
apidays
PRO
0
15
Apidays London 2024 - Open Standards for Getting your APIs into the Geospatial Ecosystem by Gobe Hobona
apidays
PRO
0
8
Apidays London 2024 - Harmonizing Asynchronous Systems by Artur Ciocanu, Adobe
apidays
PRO
0
8
Apidays London 2024 - Renovate to Innovate 5 by Rashmi Venugopal, Netflix
apidays
PRO
0
7
Apidays London 2024 - Open Standards, AI and Data for Better Decisions by Ravinder Singh
apidays
PRO
0
17
Apidays London 2024 - The Hidden Power Brokers in the EU Data Act Enforcement by David Vazquez Cortizo, apinity
apidays
PRO
0
10
Apidays London 2024 - The Web Sustainability Guidelines by Alexander Dawson, W3C
apidays
PRO
0
11
Apidays London 2024 - Battle-tested APIs_Tech and Business working together by Jean Burellier, Sanofi
apidays
PRO
0
10

Other Decks in Programming

See All in Programming
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
as(型アサーション)を書く前にできること
marokanatani
10
2.7k
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
340
React への依存を最小にするフロントエンド設計
takonda
5
1.1k
Make Impossible States Impossibleを 意識してReactのPropsを設計しよう
ikumatadokoro
0
240
CSC509 Lecture 13
javiergs
PRO
0
110
Remix on Hono on Cloudflare Workers
yusukebe
1
300
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
120
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
3
700
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
みんなでプロポーザルを書いてみた
yuriko1211
0
280

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Adopting Sorbet at Scale
ufuk
73
9.1k
Building Adaptive Systems
keathley
38
2.3k
How GitHub (no longer) Works
holman
310
140k
Embracing the Ebb and Flow
colly
84
4.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Practical Orchestrator
shlominoach
186
10k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
It's Worth the Effort
3n
183
27k
4 Signs Your Business is Dying
shpigford
180
21k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k

Transcript

  1. The Darkside of GraphQL GraphQL is so query-ous, it's bound

    to leave you REST-less. 02.28.2023

  2. Why GraphQL ? ➔Increased efficiency - Request exact data you

    need. Nothing More, Nothing Less ➔Better flexibility - Evolve and iterate on the API without impacting clients ➔Facilitates collaboration - GraphQL provides a common language for both frontend and backend Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED PUN Why settle for the simplicity of REST when you can spend your days writing complex GraphQL schemas that nobody understands?

  3. How is GraphQL Different from REST ? Copyright ©2023 Cequence

    Security | ALL RIGHTS RESERVED

  4. Common GraphQL Endpoints Copyright ©2023 Cequence Security | ALL RIGHTS

    RESERVED TIP I would rather create a wordlist of common GraphQL Endpoints and pass it to FFUF, DirBuster, etc 1./graphql 2./graphql.php 3./graphiql 4./v1/explorer 5./v1/graphiql 6./v2/graphql/console List of Common API Endpoints

  5. DIFFERENT TYPES OF QUERIES IN GRAPHQL Copyright ©2023 Cequence Security

    | ALL RIGHTS RESERVED PUN "A GraphQL query is like a conversation with a waiter at a restaurant. You tell the waiter what you want to eat (i.e., the data you want to retrieve), and the waiter brings it to your table. But unlike a restaurant, you don't have to leave a tip!"

  6. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED QUERY A

    query is used to retrieve data from a GraphQL server. It is analogous to a GET request in a REST API. A query consists of a set of fields that define the data that the client wants to fetch from the server. A mutation is used to modify data on a GraphQL server. It is analogous to a POST, PUT, or DELETE request in a REST API. A mutation consists of a set of input arguments and fields that define the data that the client wants to change on the server. A subscription is used to receive real-time updates from a GraphQL server. It is similar to a query, but instead of returning a single result, a subscription returns a stream of data that is sent to the client whenever the server's data changes. MUTATION SUBSCRIPTION

  7. ATTACKER'S PERSPECTIVE TO GRAPHQL Copyright ©2023 Cequence Security | ALL

    RIGHTS RESERVED PUN Why did the GraphQL developer refuse to use REST? Because they didn't want to get caught up in a "REST-riction" when it came to querying data!

  8. THE INTROSPECTION Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

    PUN Why did the GraphQL schema go to therapy? Because it needed some introspecc-tion! GraphQL introspection is a feature that allows a GraphQL client to query the GraphQL schema at runtime to get information about the available types, fields, and directives that the schema supports. This information can be used to understand the schema's structure, generate documentation, or even to dynamically generate GraphQL queries and mutations. INTROSPECTION QUERY

  9. Introspection can reveal sensitive information about the application's underlying data

    model. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Why is Introspection a vulnerability? TIP The output of Introspection might not be readable. To view in much better way use “apis.guru/graphql- voyager/”

  10. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED why we

    use graphql- voyager?

  11. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED I call

    it "The Voyager Magic"

  12. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

  13. Batching is a technique used in GraphQL to optimize queries

    by allowing multiple queries to be sent in a single HTTP request Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Can we exploit Batching in GraphQL? TIP GraphQL batching is not inherently a vulnerability but … let's find out

  14. EXPLOIT FOR BATCHING Copyright ©2023 Cequence Security | ALL RIGHTS

    RESERVED TIP Use “BatchQL” tool by AssetNote. The most common attack for batching is Denial of Service (DoS) attack. If an attacker sends a large number of batched queries that require significant processing, it could cause the server to become overwhelmed and result in a denial- of-service attack. PoC in Next Slide

  15. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Note the

    Execution Time

  16. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Ahm... Ahm...

  17. Authentication Bypass with the help of Batching. Copyright ©2023 Cequence

    Security | ALL RIGHTS RESERVED TIP Majorly works where 2Fa is present.

  18. BYPASSING 2FA Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

    TIP Use “BatchQL” tool by AssetNote. We can see that we pass 3 different verification code and even if one code is correct, we will get the successful response. Credit: Assetnote

  19. Testing for Directive Overloading Copyright ©2023 Cequence Security | ALL

    RIGHTS RESERVED TIP Directive overloading is neglected because developers and hackers are concentrating on Batching. Let's see a Live PoC

  20. WHAT ARE RUNTIME DIRECTIVES? Copyright ©2023 Cequence Security | ALL

    RIGHTS RESERVED The purpose of runtime directives is to modify the execution. There are two main runtime directives in GraphQL: @skip and @include • @skip(if: ...) skips the selection if the if: ... value is truthy • @include(if: ...) includes the selection if the if: ... value is truthy Note the Execution Time TIP Multiple errors confirms that server is vulnerable to directive overloading.

  21. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

  22. POSSIBLE MITIGATIONS Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

    • Implement depth limiting for incoming GraphQL queries • Perform query cost analysis to limit expensive queries • Enforce rate-limiting for incoming requests per API client • Add timeouts for both the infrastructure and API layer • Disable introspection queries in public APIs • Use a whitelist for allowed characters • Add pagination to limit the amount of information that can be accessed by a single request

  23. To Succeed, Security Teams Need Unified API Protection An Integrated

    Solution Across the Entire API Protection Lifecycle Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Continuous API Protection Lifecycle Discovery Identify Public Facing APIs Inventory Provide Unified Inventory of ALL APIs Compliance Ensure Adherence to Security and Governance Best Practices Testing Secure New APIs Before Go-Live Prevention Block Attacks Natively in Real Time Detection Detect Attacks as They Happen

  24. Thank You Merci Gracias Danke Copyright ©2023 Cequence Security |

    ALL RIGHTS RESERVED Did someone mention that Cequence can provide you with free security assessment? Grazie Dhanyavaad Shukraan Arigato