GraphQL – Attacks and Security

Last Updated : 23 Aug, 2022
GraphQL is a query language for APIs that models data as a graph. It is served over HTTP much like any other REST API. Nowadays GraphQL implementations are very common in application development. Tech companies like Facebook, Yahoo, Shopify, and Twitter have also implemented GraphQL for their internal communication, mutation, and deletion of data.

Usually, when developers write a REST API they write many endpoints for various operations. The example below shows how an application uses several REST API endpoints to access different services:

  1. GET /api/resource_1
  2. GET /api/resource_2
  3. POST /api/resource_1

This results in several endpoints, one per CRUD (Create, Read, Update, Delete) operation per resource, for example posts, comments, user data, and files. GraphQL is a special type of API in which we have to manage and use only one endpoint. Generally, we represent data in the form of spreadsheets with rows and columns, but in a web application all the data needs to be linked together, and the natural form of such data is a graph. GraphQL is more common in new applications.

GraphQL has features like Queries, Mutations, Fragments, and Meta-fields. Together these make GraphQL very powerful and help fetch, update, and delete data in an organized and simpler way. Queries are flexible: with a single query we can request any entity, including related entities and the fields associated with them. Queries are written like functions that can return one or more values and can also take arguments.

Example:

REQUEST:-
{
  student {
    name,
    id,
    password
  }
}

RESPONSE:-
{
  "data": {
    "student": {
      "name": "Siddhant",
      "id": "112",
      "password": "GFG2020"
    }
  }
}

Working of GraphQL:

There are two core parts that determine the working of GraphQL:

  1. Schema
  2. Resolve functions

Schema:

The schema in GraphQL is a model of the data that can be queried from the server. It defines which queries are valid and permitted for a client to make.

Take a look at the below GraphQL schema notation:

type Employee {
  id: Int
  name: String
  salaries: [Salary]
}

type Salary {
  id: Int
  title: String
  amount: Int
  employee: Employee
}

type Query {
  getEmployee(id: Int): Employee
  getSalary(titleContains: String): [Salary]
}

schema {
  query: Query
}

In the above schema there are three types, namely Employee, Salary, and Query. The Query type marks the entry point into the schema: every query must start with either getEmployee or getSalary to be valid. Also, the Employee and Salary objects reference each other.

Resolve Functions:

Resolve functions in GraphQL act much like a router. They are responsible for connecting the fields and types in a GraphQL schema to the data behind them. They work with all kinds of backends, even other GraphQL servers. An example resolve function is shown below:

// Resolver for Query.getEmployee: looks the employee up by the id argument
getEmployee(_, args) {
  return sql.raw('SELECT * FROM Employee WHERE id = %s', args.id);
}

// Resolver attached to the Salary type: fetches its employee from a remote service
Salary(employee) {
  return request(`https://YOUR_URL/${employee.id}`);
}

Note: It is not recommended to write the SQL query and the URL directly in the resolve function as shown above.

Approach To Test GraphQL Bugs:

1. Introspection:

Introspection is one of the distinctive features of GraphQL, and it is very important to perform introspection during API testing. It gives a lot of information about the GraphQL implementation. The most common bugs related to GraphQL endpoints are business logic bugs, IDORs, information disclosure, and firewall bypass. GraphQL APIs are usually located at particular endpoints like /gql, /graphql, /console, /graphiql, etc. The hardest part of GraphQL hunting is understanding the syntax; once the implemented syntax is understood, we can easily move forward with testing the GraphQL APIs.

  1. Intercept the HTTP request that you want to test.
  2. Replace the query content with a generic introspection query in the POST request.
  3. Try the same process on different endpoints.
  4. If you get a 200 OK response, the response body contains the internal schema details.
  5. Use the InQL Burp Suite extension to understand the implementation of GraphQL.
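The usual mitigation for the information disclosure described above is to disable introspection outside development. The following is an added example, not code from the original article: a small gate that parses a POSTed GraphQL body and refuses the reserved introspection root fields `__schema` and `__type` when the server runs in production, while still allowing `__typename` (which ordinary clients use) and queries that merely mention these names inside a string argument. The request bodies are constructed sample data.

```javascript
// Added example (not from the original article): a defender-side check that
// rejects introspection queries in production while letting ordinary queries
// through. The request bodies below are constructed sample data.

// Root fields that only appear in introspection queries (GraphQL spec names).
const INTROSPECTION_FIELDS = ["__schema", "__type"];

// Strip string literals and comments so a literal like "__schema" inside an
// argument string does not trigger a false positive, then look for the
// reserved introspection fields as standalone tokens. "__typename" is not
// matched because the lookahead requires the token to end after "__type".
function usesIntrospection(query) {
  const stripped = query
    .replace(/"(?:\\.|[^"\\])*"/g, '""') // string literals
    .replace(/#.*$/gm, ""); // comments
  return INTROSPECTION_FIELDS.some((f) =>
    new RegExp(`(^|[^\\w])${f}(?![\\w])`).test(stripped)
  );
}

// Decide whether to serve a request. Introspection is allowed only when the
// server runs outside production, mirroring the common "disable introspection
// in prod" mitigation.
function introspectionPolicy(body, env) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return { allow: false, reason: "malformed JSON body" };
  }
  if (typeof parsed.query !== "string") {
    return { allow: false, reason: "missing query" };
  }
  if (usesIntrospection(parsed.query) && env === "production") {
    return { allow: false, reason: "introspection disabled in production" };
  }
  return { allow: true, reason: "ok" };
}

// Constructed sample bodies: a generic introspection query, a __type lookup,
// a normal query, and a query that only mentions "__schema" inside a string.
const SAMPLE_BODIES = {
  introspection: JSON.stringify({
    query: "{ __schema { types { name fields { name } } } }",
  }),
  typeLookup: JSON.stringify({
    query: 'query { __type(name: "Employee") { name fields { name } } }',
  }),
  normal: JSON.stringify({ query: "{ getEmployee(id: 112) { id name } }" }),
  decoy: JSON.stringify({
    query: '{ getSalary(titleContains: "__schema") { id title } }',
  }),
};

// Run every sample through the policy for a given environment.
function evaluateSamples(env) {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
    out[name] = introspectionPolicy(body, env).allow;
  }
  return out;
}

console.log(evaluateSamples("production"));
// → { introspection: false, typeLookup: false, normal: true, decoy: true }
```

Blocking at the HTTP layer like this is a coarse control; most GraphQL servers also expose a switch to disable introspection in the engine itself, and the two are best used together so a bypass of one does not expose the schema.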

2. Insufficient Rate Limiting:

Always check for insufficient rate limiting on API endpoints. It may be possible to brute-force a GraphQL query to extract information from back-end servers. An attacker may brute-force the password reset token on the password reset endpoint to change the victim’s password; this small weakness leads to a complete account takeover vulnerability. Weak rate-limiting protection also enables DoS attacks that take the server down.
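Because a GraphQL API has a single endpoint, a per-URL rate limit does not distinguish a password-reset mutation from a harmless read, so the limit has to be keyed on the client and the operation, and deeply nested queries need a separate cap. The block below is an added example, not code from the original article: a sliding-window limiter with an injectable clock, a query-depth check, and a constructed scenario in which one client submits eight reset-token guesses in a minute against a limit of five. The client address, token value and field names are constructed.

```javascript
// Added example (not from the original article): a sliding-window rate limiter
// for a sensitive GraphQL operation (e.g. a password-reset mutation) plus a
// query-depth check, the two controls a defender pairs against brute force and
// resource-exhaustion DoS on a single /graphql endpoint. All sample values
// (client address, token, field names) are constructed.

class SlidingWindowLimiter {
  // limit: max requests per key within windowMs; now(): injectable clock
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps (ms) of recent allowed requests
  }

  // Returns true if the request is allowed, false if the key is over its limit.
  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(t);
    this.hits.set(key, recent);
    return true;
  }
}

// Maximum selection-set nesting of a query, counting braces outside string
// literals. Deeply nested queries are the usual GraphQL resource-exhaustion vector.
function queryDepth(query) {
  const stripped = query.replace(/"(?:\\.|[^"\\])*"/g, '""');
  let depth = 0;
  let max = 0;
  for (const ch of stripped) {
    if (ch === "{") max = Math.max(max, ++depth);
    else if (ch === "}") depth--;
  }
  return max;
}

// Gate one GraphQL request: depth first (cheap to compute), then the per-client
// limit. Returns a short verdict string.
function gateRequest(limiter, clientKey, query, maxDepth) {
  if (queryDepth(query) > maxDepth) return "rejected: query too deep";
  if (!limiter.allow(clientKey)) return "rejected: rate limited";
  return "allowed";
}

// Constructed scenario: one client fires 8 reset-token guesses within a minute
// against a limit of 5 per minute, then one more after the window has passed,
// and a second client sends a 7-level nested query against a depth cap of 5.
function runScenario() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000, now: () => clock });
  const resetMutation =
    'mutation { resetPassword(token: "000001", newPassword: "x") { ok } }';
  const results = [];
  for (let i = 0; i < 8; i++) {
    clock += 1_000; // one guess per second
    results.push(gateRequest(limiter, "198.51.100.7", resetMutation, 5));
  }
  clock += 60_000; // the window slides past the earlier hits
  results.push(gateRequest(limiter, "198.51.100.7", resetMutation, 5));
  const nested = "{ a { b { c { d { e { f { g } } } } } } }";
  results.push(gateRequest(limiter, "198.51.100.8", nested, 5));
  return results;
}

console.log(runScenario());
```

The limiter only records allowed requests, so a client that is already blocked does not extend its own lockout; whether rejected attempts should also count is a policy choice, and for credential or token guessing most teams count them too. Depth is a cheap proxy for cost; a production server would add a complexity score that also weighs list fields and aliases.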

3. Missing Validation In CRUD Functionality:

In an application, Create, Read, Update, and Delete are the most important and critical functionality. GraphQL seems very simple to use but is somewhat complex from the implementation point of view. When implementing each feature, always require the authorization token, and each token must be unique. To check for this bug, test every functionality by changing query parameters (like username, user id, etc.). If a manipulated request still returns a SUCCESS result, there is Missing Validation In CRUD Functionality.
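The bug described here is an object-level authorization failure (an IDOR): the resolver trusts the id the client supplies and never checks that the caller is allowed to see or change that record. The block below is an added example, not code from the original article, showing a vulnerable `getEmployee` resolver beside hardened read and update resolvers that check ownership against a server-populated context. The employee table, the contexts and the `hr` role are constructed; the `(args, context)` resolver signature follows the common GraphQL resolver convention rather than any specific library.

```javascript
// Added example (not from the original article): object-level authorization
// in GraphQL resolvers, the control whose absence the section calls "Missing
// Validation In CRUD Functionality". Employee records, contexts and the "hr"
// role are constructed sample data.

const EMPLOYEES = new Map([
  [112, { id: 112, name: "Siddhant", salary: 50000 }],
  [113, { id: 113, name: "Asha", salary: 62000 }],
]);

// The context is populated by the server from the verified auth token or
// session, never from query arguments supplied by the client.
const CONTEXTS = {
  siddhant: { userId: 112, role: "employee" },
  asha: { userId: 113, role: "employee" },
  hr: { userId: 1, role: "hr" },
  anonymous: null,
};

// Vulnerable: trusts the client-supplied id and returns whatever it points at.
function getEmployeeVulnerable(args) {
  return EMPLOYEES.get(args.id) || null;
}

// Hardened: authenticate, then authorize the specific object being read.
function getEmployeeSecure(args, context) {
  if (!context) throw new Error("UNAUTHENTICATED");
  const record = EMPLOYEES.get(args.id);
  // Return the same "not found" for missing and forbidden ids so the endpoint
  // does not confirm which ids exist.
  if (!record) return null;
  const isOwner = record.id === context.userId;
  const isPrivileged = context.role === "hr";
  return isOwner || isPrivileged ? record : null;
}

// Same pattern for the Update side of CRUD: check ownership before mutating.
function updateEmployeeNameSecure(args, context) {
  if (!context) throw new Error("UNAUTHENTICATED");
  const record = EMPLOYEES.get(args.id);
  if (!record || record.id !== context.userId) {
    return { ok: false, reason: "FORBIDDEN_OR_NOT_FOUND" };
  }
  record.name = args.name;
  return { ok: true, reason: null };
}

// Constructed test: the user with id 112 changes the id argument to 113.
// Returns which resolvers leak or allow the tampered request.
function idorScenario() {
  const tampered = { id: 113 };
  return {
    vulnerableLeaks: getEmployeeVulnerable(tampered) !== null,
    secureLeaks: getEmployeeSecure(tampered, CONTEXTS.siddhant) !== null,
    ownerCanRead: getEmployeeSecure({ id: 112 }, CONTEXTS.siddhant) !== null,
    hrCanRead: getEmployeeSecure(tampered, CONTEXTS.hr) !== null,
    tamperedUpdateOk: updateEmployeeNameSecure(
      { id: 113, name: "Tampered" },
      CONTEXTS.siddhant
    ).ok,
  };
}

console.log(idorScenario());
// → { vulnerableLeaks: true, secureLeaks: false, ownerCanRead: true,
//     hrCanRead: true, tamperedUpdateOk: false }
```

The check belongs in every resolver that takes an identifier, including nested field resolvers such as `Salary.employee`, because a caller who cannot query an employee directly can often reach the same record through a relationship field.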

Tools To Test GraphQL Security:

  1. GraphQL Voyager
  2. InQL Burp Suite extension
  3. graphql-path-enum
