If you've been working on web application security testing for the last few years, you've probably noticed GraphQL appearing more frequently. It has slowly been taking over from JSON RESTful interfaces as the de facto standard.
Outside of my work with Escaped, I also spend part of my day as the CTO of a mobile development company. Over the last year or so nearly all of our new projects have used GraphQL backends, and clients are now requesting it specifically. Personally, I found it a little annoying at first, but after working with it for a while I'm starting to get on board and drink the Kool-Aid.
Reducing Your Backend Burden ;)
The framework puts the onus for creating the types of queries an application needs on the front-end or mobile developer.
They can query the endpoint in a rich way, which means there is no longer constant chatter between back-end and front-end developers asking for an endpoint with a specific route that returns x or y data; the front-end now has control over that. As with any framework designed to make life easier, this does open it up to new forms of abuse.
At the time of writing, the leading GraphQL software provider appears to be Apollo GraphQL, but just about every programming language now seems to have its own offering.
In a development environment, GraphQL offers a playground that lists the available queries (get) and mutations (set) and lets you see their results. This again reduces the need for developer conversations.
If you're going to perform a security test on a GraphQL API for the first time, it's a bit of a leap from the RESTful experience. Here are some resources that might be useful as preparation for your test:
1. The Basics
graphql.org offers a nice walk-through of some basic queries and mutations; their learning section starts here. There is also a free YouTube video series which is geared more towards developers, but the first few chapters are definitely worth a watch.
There's a very simple demo which can be found on nodal. This is a good place to start for a quick test drive of GraphQL if you're a complete newbie.
2. Developer How-tos
Before you start, it helps to understand how developers secure their APIs so that you can break them. A couple of good articles are listed below:
- How to survive a Penetration Test as a GraphQL developer
- Securing Your GraphQL API from Malicious Queries
- Protecting Your GraphQL API From Security Vulnerabilities
3. Get Tooled Up 🔪
Most penetration testers I know use Burp Suite by default, and there are several GraphQL extensions for Burp.
Personally, I've found GraphQL Raider the most useful; it makes working with the endpoints a little less painful.
4. Find Those Vulnerabilities
Many GraphQL API vulnerabilities are familiar attacks such as SQL injection.
We recently managed to bypass authentication using the classic 1=1 query in an authentication field.
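As an added example (not code from the original post or from Escaped), here is a login resolver in Python run against a constructed in-memory SQLite table. The first version formats the mutation's arguments straight into SQL and is open to the 1=1 bypass described above, because GraphQL validates argument types, not their content; the second binds the same arguments as parameters, so input can only ever be data. The table, user names and the SHA-256 stand-in for password hashing are assumptions.

```python
import hashlib
import sqlite3


def hash_password(password):
    # Stand-in for a real password KDF (bcrypt/argon2); SHA-256 keeps the
    # example dependency-free and is NOT suitable for production storage.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    # Constructed sample data standing in for the API's real user table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", hash_password("alice-pw")), ("bob", hash_password("bob-pw"))],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Resolver for a login(username: String!, password: String!) mutation that
    # interpolates the arguments into the SQL text. The schema only guarantees
    # that 'username' is a string, so a quote in it rewrites the WHERE clause.
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password_hash = '{hash_password(password)}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    # Same resolver with bound parameters: the query shape is fixed at parse
    # time and the arguments are compared as plain values.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "alice' OR 1=1--"  # the classic 1=1 input, sent as the username argument
    print("vulnerable:", login_vulnerable(db, probe, "not-the-password"))  # returns 1
    print("hardened:  ", login_hardened(db, probe, "not-the-password"))  # returns None
```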
There are some decent blog posts which detail GraphQL-specific vulnerabilities; a few are noted below:
- GraphQL — Common vulnerabilities & how to exploit them
- Discovering GraphQL endpoints and SQLi vulnerabilities
- Time-Based Blind SQL Injection In GraphQL
If you have any comments or resources to add, please contact us here.
-- The Escaped Team --