Offensive-GraphQL-API-Exploitation

Transcript

1. O F F E N S I V E G

   R A P H Q L A P I E X P L O I T A T I O N A R U N . S

2. whoami Query whoami { Arun.S Senior Security Consultant @ IBM

   India Software Labs. Speaker at Conferences and Communities like c0c0n Bsides Delhi, Null/OWASP. Null Bangalore Chapter Lead, Member of OWASP & BSides Bangalore. Certified – OSCP, eWPT,ECSA etc., }

3. GraphQL • GraphQL is open sourced by Facebook. • GraphQL

   is a query language for APIs - not databases. • GraphQL is often confused with being a database technology. • GraphQL server only exposes a single endpoint. Howtographql.com

4. GraphQL Schema SDL - GraphQL has its own type system

   that’s used to define the schema of an API. The syntax for writing schemas is called Schema Definition Language (SDL). Queries • Used for retrieving data/results. • Similar to GET in REST. Mutation • Used for some state changing activities. • Similar to POST/PUT/DELETE. Subscriptions • Used for Events/Realtime Updates.

5. Link: https://lighthouse-php.com/tutorial/#what-is-graphql

6. S S T R E N G T H S

   Strengths GraphQL Architecture is gaining more popularity in the recent days. Some of the reasons I can think of are; • No More Over & UnderFetching. • Simple & Efficient to Use. • Evolve APIs without versioning issues. • Schema Introspection • Adapts to different requirements for different clients. • No Wonder that big Facebook, Shopify, Pinterest, HackerOne etc.,

7. S S T R E N G T H S

   REST

8. S S T R E N G T H S

   GraphQL

9. S S T R E N G T H S

   GraphQL REST

10. W W E A K N E S S E

    S Weaknesses Every technology has some disadvantages, and Graphql do have few disadvantages. • Query Complexity & Depths. • Rate Limiting & Timeouts. • Caching.

11. O O P P O R T U N I

    T I E S Opportunity for Hackers • There is a wide scope for the pentesters & bug bounty hunters on GraphQL. • The GraphQL Endpoints like /graphql or /graphiql are still publicly available out there due missing security best practices.

12. O R E C O N - I N T

    R O S P E C T I O N A L L O W E D queries/ Mutation via schema Endpoint Fuzzing &debug=1

13. O R E C O N T O R E

    S C U E W H E N I N T R O S P E C T I O N D I S A B L E D Build Queries & Mutations Crawl WebApp Parse JS Files

14. O L O O K F O R T H

    E A U T H E N T I C A T I O N No- Auth/Pro -tections on Resolvers JWT ACL

15. O T O O L S T O R E

    S C U E GQL PARSER INQL GRAPHQL VOYAGER

16. O T O O L S T O R E

    S C U E GRAPHQL VOYAGER

17. O T O O L S T O R E

    S C U E GQL PARSER

18. O T O O L S T O R E

    S C U E INQL

19. O L A B S T O P R A

    C T I C E Pentester Lab GQL Goat Digi Ninja Lab

20. T T H R E A T S Threats!!! GraphQL

    gives enormous power to clients. But with great power come great responsibilities !!!

21. T T H R E A T S Vulnerabilities!!! Most

    of all vulnerabilities related to REST APIs & WebApp are applicable for GraphQL as well.
22. None

23. T T H R E A T S Threats!!! GraphQL

    is great, because it gives client so much more power. But if not used properly it could cost them more they can imagine.

24. T C O M M O N T H R

    E A T S T O A V O I D Threats!!! There are many approaches to secure your GraphQL server against these queries, but none of them is bullet proof. It’s important to know what options are available and know their limits and take best decisions out of it!. • Disable well known /graphql & /graphiql endpoints from the domain. • Craft your own schema and avoid using autogenerated SDL which creates queries and mutations. • Input validation, Authentication & Authorization should never be forgotten. • Never trust user inputs. • Enforce a limit on maximum query depth(~<10), Query complexity, timeouts & enabled throttling based on the server time & query complexity.

25. References Labs: • https://github.com/CarveSystems/vulnerable-graphql-api • https://graphqlab.digi.ninja/ • https://pentesterlab.com/exercises/graphql/online • https://www.hackerone.com/blog/graphql-week-

    hacker101-capture-flag-challenges Tools: • https://github.com/doyensec/inql • https://github.com/br3akp0int/GQLParser

26. Credits Slide Template Credit: https://hislide.io/ Demo App Credit: https://carvesystems.com/

27. Thank youJ