APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL, Parth Shukla (Cequence Security)

Transcript

1. The Darkside of GraphQL GraphQL is so query-ous, it's bound

   to leave you REST-less. 02.28.2023

2. Why GraphQL ? ➔Increased efficiency - Request exact data you

   need. Nothing More, Nothing Less ➔Better flexibility - Evolve and iterate on the API without impacting clients ➔Facilitates collaboration - GraphQL provides a common language for both frontend and backend Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED PUN Why settle for the simplicity of REST when you can spend your days writing complex GraphQL schemas that nobody understands?

3. How is GraphQL Different from REST ? Copyright ©2023 Cequence

   Security | ALL RIGHTS RESERVED

4. Common GraphQL Endpoints Copyright ©2023 Cequence Security | ALL RIGHTS

   RESERVED TIP I would rather create a wordlist of common GraphQL Endpoints and pass it to FFUF, DirBuster, etc 1./graphql 2./graphql.php 3./graphiql 4./v1/explorer 5./v1/graphiql 6./v2/graphql/console List of Common API Endpoints

5. DIFFERENT TYPES OF QUERIES IN GRAPHQL Copyright ©2023 Cequence Security

   | ALL RIGHTS RESERVED PUN "A GraphQL query is like a conversation with a waiter at a restaurant. You tell the waiter what you want to eat (i.e., the data you want to retrieve), and the waiter brings it to your table. But unlike a restaurant, you don't have to leave a tip!"

6. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED QUERY A

   query is used to retrieve data from a GraphQL server. It is analogous to a GET request in a REST API. A query consists of a set of fields that define the data that the client wants to fetch from the server. A mutation is used to modify data on a GraphQL server. It is analogous to a POST, PUT, or DELETE request in a REST API. A mutation consists of a set of input arguments and fields that define the data that the client wants to change on the server. A subscription is used to receive real-time updates from a GraphQL server. It is similar to a query, but instead of returning a single result, a subscription returns a stream of data that is sent to the client whenever the server's data changes. MUTATION SUBSCRIPTION

7. ATTACKER'S PERSPECTIVE TO GRAPHQL Copyright ©2023 Cequence Security | ALL

   RIGHTS RESERVED PUN Why did the GraphQL developer refuse to use REST? Because they didn't want to get caught up in a "REST-riction" when it came to querying data!

8. THE INTROSPECTION Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

   PUN Why did the GraphQL schema go to therapy? Because it needed some introspecc-tion! GraphQL introspection is a feature that allows a GraphQL client to query the GraphQL schema at runtime to get information about the available types, fields, and directives that the schema supports. This information can be used to understand the schema's structure, generate documentation, or even to dynamically generate GraphQL queries and mutations. INTROSPECTION QUERY

9. Introspection can reveal sensitive information about the application's underlying data

   model. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Why is Introspection a vulnerability? TIP The output of Introspection might not be readable. To view in much better way use “apis.guru/graphql- voyager/”

10. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED why we

    use graphql- voyager?

11. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED I call

    it "The Voyager Magic"

12. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

13. Batching is a technique used in GraphQL to optimize queries

    by allowing multiple queries to be sent in a single HTTP request Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Can we exploit Batching in GraphQL? TIP GraphQL batching is not inherently a vulnerability but … let's find out

14. EXPLOIT FOR BATCHING Copyright ©2023 Cequence Security | ALL RIGHTS

    RESERVED TIP Use “BatchQL” tool by AssetNote. The most common attack for batching is Denial of Service (DoS) attack. If an attacker sends a large number of batched queries that require significant processing, it could cause the server to become overwhelmed and result in a denial- of-service attack. PoC in Next Slide

15. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Note the

    Execution Time

16. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Ahm... Ahm...

17. Authentication Bypass with the help of Batching. Copyright ©2023 Cequence

    Security | ALL RIGHTS RESERVED TIP Majorly works where 2Fa is present.

18. BYPASSING 2FA Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

    TIP Use “BatchQL” tool by AssetNote. We can see that we pass 3 different verification code and even if one code is correct, we will get the successful response. Credit: Assetnote

19. Testing for Directive Overloading Copyright ©2023 Cequence Security | ALL

    RIGHTS RESERVED TIP Directive overloading is neglected because developers and hackers are concentrating on Batching. Let's see a Live PoC

20. WHAT ARE RUNTIME DIRECTIVES? Copyright ©2023 Cequence Security | ALL

    RIGHTS RESERVED The purpose of runtime directives is to modify the execution. There are two main runtime directives in GraphQL: @skip and @include • @skip(if: ...) skips the selection if the if: ... value is truthy • @include(if: ...) includes the selection if the if: ... value is truthy Note the Execution Time TIP Multiple errors confirms that server is vulnerable to directive overloading.

21. Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

22. POSSIBLE MITIGATIONS Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED

    • Implement depth limiting for incoming GraphQL queries • Perform query cost analysis to limit expensive queries • Enforce rate-limiting for incoming requests per API client • Add timeouts for both the infrastructure and API layer • Disable introspection queries in public APIs • Use a whitelist for allowed characters • Add pagination to limit the amount of information that can be accessed by a single request

23. To Succeed, Security Teams Need Unified API Protection An Integrated

    Solution Across the Entire API Protection Lifecycle Copyright ©2023 Cequence Security | ALL RIGHTS RESERVED Continuous API Protection Lifecycle Discovery Identify Public Facing APIs Inventory Provide Unified Inventory of ALL APIs Compliance Ensure Adherence to Security and Governance Best Practices Testing Secure New APIs Before Go-Live Prevention Block Attacks Natively in Real Time Detection Detect Attacks as They Happen

24. Thank You Merci Gracias Danke Copyright ©2023 Cequence Security |

    ALL RIGHTS RESERVED Did someone mention that Cequence can provide you with free security assessment? Grazie Dhanyavaad Shukraan Arigato