Open In App

GraphQL – Attacks and Security

Improve
Improve
Like Article
Like
Save
Share
Report

GraphQL is a query language for APIs, which uses the graph structure to store data. It’s like any other REST APIs. Nowadays the GraphQL implementation is very common in application development. Tech companies like Facebook, Yahoo, Shopify, Twitter also Implemented GraphQL for their internal communication, mutation, and deletion of data.

Usually, when developers write an API they write lots of endpoints for various operations. In the below example, it is shown that how the application uses various REST API endpoints to access different services 

  1. GET /api/resource_1
  2. GET /api/resource_2
  3. POST /api/resource_1

This results in several endpoints, one per each CRUD ( Create, Read, Update, Delete ) operation per resource for ex-post, comments, user data, files, but GraphQL is a special type of API we have to manage and use only one endpoint. Generally, we represent data in form of spreadsheets that has rows and columns but in the web application, we require all the data to be linked to each other and the natural form of this data is the graph. GraphQL is more common in new applications.

GraphQL has features like Queries, Mutation, Fragments, and Meta-field all these features make GraphQL very powerful and helps to fetch, update and delete data in an organized and simpler way. Queries are flexible to use and by using query we can request any entity including related entities and fields associated with that entities. Queries are written as a function that can return one or more values also we can include arguments.

Example:

REQUEST:-
{
  student {
    name,
    id,
    password
  }
}

RESPONSE:-
{
  "data": {
    "student": {
      "name": "Siddhant"
      "id" : "112"
      "password" : "GFG2020"
    }
  }
}

Working of GraphQL:

There are two core parts that determine the working of GraphQL:

  1. Schema
  2. Resolve functions

Schema:

The schema in GraphQL is a model of data that can be queried from the server. It sets the type of valid and authorized queries that a client can make.

Take a look at the below GraphQL schema notation:

type Employee {
  id: Int
  name: String
  posts: [Post]
}type Salary{
  id: Int
  title: String
  Amount: Int
  employee: Employee
}type Query {
  getEmployee(id: Int): Employee
  getSalary(titleContains: String): [Post]
}schema {
  query: Query
}

In the above schema, there are 3 types namely Employee, Salary, and Query. Here the Query marks the entry point into the schema. All queries must start with either getEmployee or getSalary to be validated. Also, the Employee and Salary objects reference each other.

Resolve Functions:

Resolve functions in GraphQL act similar to a router. They are responsible for establishing relationships between fields and types in a GraphQL schema. These functions are compatible with all types of backends even other GraphQL servers. An example resolve function is shown below:

getEmployee(_, args){
  return sql.raw('SELECT * FROM Employee WHERE id = %s', args.id);
}Salary(employee){
  return request(`https://YOUR_URL/${employee.id}`);
}

Note: It is not recommended to write query and URL directly in the resolve function.

Approach To Test GraphQL Bugs:

1. Introspection:

Introspection is one of the weird features of GraphQL. This is very important to do the introspection during API testing In GraphQL. It gives lots of information about the implementation of GraphQL. There are three most common bugs related to graphql endpoints: those are business logic bugs, IDORS, information disclosure, and firewall bypass. GraphQL APIs specifically located at particular endpoints like qql, graphql, console, graphilq, etc. The hardest part of graphql hunting is understanding syntax. After understanding implemented syntax we can easily move forward for testing GraphQL APIs.

  1. Intercept the HTTP request that you want to test
  2. Replace the query content with a generic introspection query in POST request
  3. Try the same process on different endpoints
  4. If you got 200 OK responses then you will get some internal database in the response body.
  5. Use Inql burp suite extension to understand the implementation of GraphQL

2. Insufficient Rate Limiting:

Always check for the insufficient rate limiting on API endpoints. It may be possible to brute force the GraphQL query to get information from back-end servers. An attacker may brute force the password reset token on the password reset endpoint to change the victim’s password. This small attack leads to a complete account takeover vulnerability. Weak implementation of rate-limiting protection leads to DDos attacks which result in server down.

3. Missing Validation In CRUD Functionality:

In the application Create, Read, Update and Delete are the most important and critical functionality. GraphQL seems very simple when its comes to use but somewhat complex from the implementation point of view. During the implementation of each feature, always use the authorization token. Each token must be a unique one. To check this bug check every functionality by changing query parameters (like username, user id, etc.).If it gives SUCCESS results for manipulated request, then there is Missing Validation In CRUD Functionality.

Tools To Test GraphQL Security:

  1. GraphQL voyager
  2. Inql burp suite extension
  3. GraphQL-path-enum

Last Updated : 23 Aug, 2022
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads