In this series we will look at how GraphQL works and the attacks that can be performed against it. If you’re interested in the official documentation, you can find out more about GraphQL here.
Introduction to GraphQL
GraphQL offers clients the power to ask for exactly what they need and nothing more. This reduces the amount of data travelling over the network and makes front-end development more agile, since developers can change the data returned without backend changes.
The strength of GraphQL lies in its flexibility: a single endpoint can handle a multitude of different queries. However, more often than not, that flexibility comes at the price of weaker security.
Common Attacks on GraphQL
Vulnerabilities in GraphQL often arise from design and implementation flaws. The following are some of the more common attacks:
- Introspection Attacks: GraphQL provides an introspection system that lets clients ask which types and fields are available. If introspection is not disabled or protected, malicious users can retrieve the entire schema.
- Denial of Service (DoS): Because queries are so flexible, an attacker can craft deeply nested or complex queries that consume large amounts of server resources.
- Insecure Direct Object Reference (IDOR): This occurs when an application exposes internal objects by their database identifier without adequate authorization checks.
- Rate Limiting Bypass: Without adequate rate limiting, malicious actors can bombard the GraphQL endpoint with queries, causing a DoS.
- Missing Authorization: Lack of proper authorization checks can allow unauthorized access to sensitive data or unauthorized mutation of data.
Finding GraphQL Endpoints
Before we can test a GraphQL service, we need to find its endpoints. Remember that GraphQL typically uses a single endpoint for all requests.
Universal Queries: By sending a query like query{__typename}, we can identify whether an endpoint is a GraphQL service. This relies on the reserved field __typename, which every GraphQL object exposes and which returns the type name of the queried object.
Common Endpoints: The following are the usual suspects for GraphQL endpoints:
- /graphql
- /api
- /api/graphql
- /graphql/api
- /graphql/graphql
By appending common paths like /v1 or using different HTTP methods, we can further probe for hidden GraphQL endpoints.
Exploiting Unsanitized Arguments
For our first common attack, we will focus on exploiting unsanitized arguments. Imagine a social media platform where users can mark their posts as private. If an attacker knows the post ID, and the platform doesn’t correctly validate the ‘visibility’ argument (it trusts the value the client sends instead of the post’s stored visibility), they can view private posts.
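Before looking at the queries, here is a resolver-level model of that bug and its fix, added as an example that is not code from the original post or from any real platform: a library-free JavaScript sketch with constructed sample posts, in which the vulnerable resolver lets the client-supplied visibility argument override the stored value before the access check, while the hardened resolver decides access only from the stored record and the authenticated caller. The function names, the POSTS table and context.userId are assumptions for the sketch.

```javascript
// Constructed sample data standing in for the database behind the post resolver.
const POSTS = {
  123: { id: 123, ownerId: "alice", content: "hello world", visibility: "public" },
  456: { id: 456, ownerId: "alice", content: "private draft", visibility: "private" },
};

// Vulnerable resolver (assumed shape): the client-supplied `visibility` argument
// replaces the stored value before the access check, so sending visibility: "public"
// makes private post 456 readable by anyone.
function postResolverVulnerable(args, context) {
  const post = POSTS[args.postID];
  if (!post) return null;
  const visibility = args.visibility ?? post.visibility; // trusts client input
  if (visibility !== "public" && post.ownerId !== context.userId) return null;
  return { content: post.content, visibility };
}

// Hardened resolver: authorization uses only the stored record and the authenticated
// caller. The `visibility` argument is ignored here and should also be removed from
// the schema so that GraphQL validation rejects it outright.
function postResolverHardened(args, context) {
  const post = POSTS[args.postID];
  if (!post) return null;
  const isOwner = context.userId !== undefined && post.ownerId === context.userId;
  if (post.visibility !== "public" && !isOwner) return null;
  return { content: post.content, visibility: post.visibility };
}

// Stand-alone demo: an anonymous caller requesting the private post with the
// extra argument, against both resolvers.
function demo() {
  const args = { postID: 456, visibility: "public" };
  const anonymous = {}; // no authenticated user
  return {
    vulnerable: postResolverVulnerable(args, anonymous), // leaks the private post
    hardened: postResolverHardened(args, anonymous),     // null: access denied
  };
}

console.log(demo());
```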
Intended Query:
    query {
      post(postID: 456) {
        content
        visibility
      }
    }
Query with the visibility argument added:
    query {
      post(postID: 456, visibility: "public") {
        content
      }
    }
By setting visibility to “public”, we can bypass checks on the post’s visibility status.
Wrapping up