GraphQL, a query language for your API and a server-side runtime for executing those queries, is rapidly becoming a prevalent technology in modern web applications. This technology, developed by Facebook in 2012 and released as an open-source project in 2015, provides a more efficient and flexible way to query data than traditional REST APIs.
In this series we will look at how GraphQL works and at the attacks that can be performed against it. If you’re interested in the official documentation, you can find out more about GraphQL here.
Introduction to GraphQL
GraphQL offers clients the power to ask for exactly what they need and nothing more. This leads to reduced amounts of data traveling over the network, as well as more agile front-end development since developers can adapt the data returned without backend changes.
The strength of GraphQL lies in its flexibility; a single endpoint can handle a multitude of different queries. However, that flexibility often comes at the price of security.
Common Attacks on GraphQL
Vulnerabilities in GraphQL often arise from design and implementation flaws. The following are some of the more common attacks:
- Introspection Attacks: GraphQL provides an introspection system that allows users to ask what types are available. If not properly disabled or protected, malicious users can retrieve the entire schema.
- Denial of Service (DoS): Given its flexible query nature, an attacker can craft complex, nested queries that can lead to extensive resource consumption.
- Insecure Direct Object Reference (IDOR): This occurs when an application exposes internal objects by their database identifier without adequate authorization checks.
- Rate Limiting Bypass: Without adequate rate limiting, malicious actors can bombard the GraphQL endpoint with queries, leading to DoS.
- Missing Authorization: Lack of proper authorization checks can allow unauthorized access to sensitive data or unauthorized mutation of data.
Finding GraphQL Endpoints
Before we can exploit a GraphQL service, we need to find its endpoints. Remember that GraphQL typically uses a single endpoint for all requests.
Universal Queries: By sending a query like query{__typename}, we can identify whether an endpoint is a GraphQL service. This uses the reserved __typename field in GraphQL, which returns the type of the queried object.
Common Endpoints: The following are the usual suspects for GraphQL endpoints:
- /graphql
- /api
- /api/graphql
- /graphql/api
- /graphql/graphql
By appending common paths like /v1 or using different HTTP methods, we can further probe for hidden GraphQL endpoints.
Exploiting Unsanitized Arguments
For our first common attack, we will focus on exploiting unsanitized arguments. Imagine a social media platform where users can mark their posts as private. If an attacker knows the post ID, and if the platform doesn’t correctly sanitize the ‘visibility’ argument, they can view private posts.
Intended Query:

```graphql
query {
  post(postID: 456) {
    content
    visibility
  }
}
```

Modified Query:

```graphql
query {
  post(postID: 456, visibility: "public") {
    content
  }
}
```

By setting visibility to "public", we can bypass checks on the post’s visibility status.

Wrapping Up
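As an added example (not code from the original post), here is the resolver side of the visibility bypass shown above, written in the graphql-js resolver signature (parent, args, context) but without the GraphQL library so it runs stand-alone. The vulnerable resolver lets the client-supplied visibility argument drive the access decision; the hardened one decides from the stored post and the authenticated user only. The post store, user ids and post IDs are constructed sample data.

```javascript
// Added example, not from the original post. Constructed in-memory post store;
// post 456 is the private post from the queries above.
const posts = new Map([
  [456, { id: 456, ownerId: 'alice', content: 'my secret', visibility: 'private' }],
  [457, { id: 457, ownerId: 'alice', content: 'hello world', visibility: 'public' }],
]);

// Vulnerable resolver: the client-controlled `visibility` argument is used as
// the access filter, so post(postID: 456, visibility: "public") returns a
// private post to an anonymous caller.
function vulnerablePostResolver(parent, args, context) {
  const post = posts.get(args.postID);
  if (!post) return null;
  const requested = args.visibility ?? post.visibility; // trusts the argument
  if (requested === 'public') return post;
  return context.user && post.ownerId === context.user.id ? post : null;
}

// Hardened resolver: `args.visibility` plays no part in the decision. Only the
// stored visibility and the authenticated caller in `context` are consulted.
function securePostResolver(parent, args, context) {
  const post = posts.get(args.postID);
  if (!post) return null;
  if (post.visibility === 'public') return post;
  if (context.user && post.ownerId === context.user.id) return post;
  return null; // private post and caller is not the owner
}

// Convenience check used to compare the two resolvers: does an anonymous
// caller sending the modified query get content back?
function anonymousCanRead(resolver, postID) {
  const result = resolver(null, { postID, visibility: 'public' }, { user: null });
  return result !== null;
}
```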
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity. He created many of the web hacking courses in TCM Security Academy, as well as the PWPA and PWPP certifications.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.