My slides for understanding Pentesting for GraphQL Applications. I presented this content at c0c0n and bSides Delhi 2018. Also contains details of my Burp Extension for GraphQL parsing and scanning located here https://github.com/br3akp0int/GQLParser

1. PENTESTING
GRAPHQL APPLICATIONS
Neelu Tripathy
Presented @ bSides Delhi & c0c0n 2018
1

2. ▪ NotSoSecure Global Services
Limited
▪ 8+ years of InfoSec experience
▪ Speaker / Trainer : c0c0n, NullCon,
BlackHat 2017
▪ Loves:Vulnerability Assessments
And Penetration Tests For Web
Applications And Networks,Threat
Modelling, Design Reviews, Red
Teaming, Social Engineering.
▪ OSCP-PWK
▪ br3akp0int@ Null
▪ @NeeluTripathy
2
Neelu Tripathy

3. WHY?
01
How it
works
02
Pentesting
GQL
03
GQL
Security
04
GQLParser
& Scanner
05
Way
Forward
06
3

4. Rest
❑Data intensive per end point
❑Multiple API end points needed
❑Leads to Over fetching or Under
fetching
GraphQL
❑Flexible for rapid product iterations on
the front end
❑Designs can change and won’t affect API
❑Fine grained
❑Low level performance monitoring
❑Strong schema and types
❑Easy structuring of requests between
client and server
4

5. ❑Started 2011: Facebook
❑ Lee Byron, Nick Schrock
❑Usage
❑Made public in 2015
❑multiple interior endpoints to
a single forward facing
endpoint.
❑Vast Language support
❑Data Intensive Platforms
5

6. 6
Multiple
language
support
Source:Npmjs.com

7. Source: www.howtographql.com
GQL Server with
Connected Database
GQLHybridArchitecture
7

8. 8
type Query {
hero: Character
}
type Character {
id: ID!
name: String
friends: [Character]
homeWorld: Planet
species: Species
}
type Planet {
name: String
climate: String
}
type Species {
name: String
lifespan: Int
origin: Planet
}
Schema

9. 9
Query:
{
hero(id: “1q2w3e”){
name
friends {
homeworld{
name
climate
}
species {
name
lifespan
}
}
}
}

10. Mutation:
{
createHero(name:
"Lucas2") {
id
name
}
}
10

11. newHero
user1
user2
user4
user3
11
Subscription:
subscription {
newHero {
id
name
}
}
N
o
t
i
f
i
c
a
t
i
o
n

12. Pentesting Approach to GraphQL Applications
12

13. ❑Strong Type System
❑Langsec
❑Lexing, Parsing,
Matching
❑Abstract Syntax Tree
13
LangSec
Input
Handling
Code
Input lang
Processing
Code
Processing
lang1
Processing
lang2

14. S
T
R
O
N
G
T
Y
P
E
S
Y
S
T
E
M 14

15. SQL Backend
▪ Unless it fails:
▪ Validation in Type
System(Schema)
▪ Resolver needs to sanitize
variables
15

16. {
users(search:
"{"username": {"$regex":
"sue"}, "email":
{"$regex": "sue"}}",
options: "{"skip":
0, "limit": 10}") {
_id
username
fullname
email
}
}
Custom Scalar Types
JSON Scalar
User Defined Types
Assertions about user input
16
type Query { users(search: JSON!, options: JSON!): [User] }

17. {
users(search: "{"email":
{"$gte": ""}}",
options: "{"skip": 0,
"limit": 10}") {
_id
username
fullname
email
}
}
{
users(search: "{"email":
{"$gte": ""}}",
options: "{"fields":
{}}") {
_id
username
fullname
email
}
}
17
Source: http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/

18. 18
QUERY STRUCTURE

19. 19
DATA TYPE

20. ▪ Affecting express-graphql package,
versions <0.4.11 >=0.4.0
var marked =
require('marked');
console.log(marked('<script>al
ert(1)</script>'));
// Outputs:
<script>alert(1)</script>
marked.setOptions({sanitize:
true});
console.log(marked('<script>al
ert(1)</script>'));
// Outputs:
<p>&lt;script&gt;alert(1)&lt;/
script&gt;</p>
20

21. ▪ Queries
❑Adding privileged
parameters, id values, key,
tokens to input params
❑Fetch more with unused
output params
▪ Mutations
❑Try to change by replacing:
❑Relevant change parameters,
❑Look for any that define
permissions, context, etc
❑Amount : fetch more than
defaults
21

22. 22
How Not to do Authorization Correct Method

23. 23
▪ /graphql
▪ /graphqlBatch
▪ /graphql.php
▪ /graphiql
▪ /graphql/console/
▪ /graphql.php?debug=
1
▪ Try other Ports for
interactive GQL
Paths
▪ Schema based model
enumeration: Fetching
sensitive attributes
▪ Introspection :
__schema
▪ Deprecated Nodes
▪ Crucial Attributes of
an Object
▪ Data, links in
description
Schema
Fetch All: Look For
Cumulative
Objects, group,
collections, etc to
get a list of all
Entity

24. I
N
T
R
O
S
P
E
C
T
I
O
N
24

25. ❑Error Verbosity, Stack Trace,
Exceptions
❑GraphQL, Client Errors
❑Error Policy:
▪ None
▪ Ignore
▪ All
❑Standard Response >
OperationNames, Null, Line
numbers, Fragment Names, etc
25

26. 26

27. ❑Authentication
❑Authorization(GQLVs Biz Logic)
❑Error Handling
❑Tampering?(Injections, XSS, others)
❑Information Exposure
❑IDOR(Don’t need to know URL,
endpoint, query structure, only
privileged parameter)
❑Single Point of Failure
❑Unpredictable Transaction
volumes
❑Resource Optimization & DoS
▪ Processing Time-out
▪ Query Depth
▪ Complexity
27

28. C
i
r
c
u
l
a
r
a
n
d
N
e
s
t
e
d
Q
u
e
r
i
e
s
28

29. Best Practices: Implementation
❑Nullability
❑Pagination(Amount Limiting)
❑Server-Side Batching & Caching
❑Query Complexity(Query Cost Analysis:
Resource, time, computation: resolver time)
❑Throttling(Time/Complexity)
29

30. 30
{
"scripts": {
"postbuild": "persistgraphql src
api/query-whitelist.json"
}
}
import depthLimit from 'graphql-depth-limit'
import graphqlHTTP from 'express-graphql’
app.use('/graphql', graphqlHTTP((req, res) =>
({
schema,
validationRules: [ depthLimit(10) ]
})))
Persistgraphql
D
E
P
T
H
L
I
M
I
T

31. 31

32. 32

33. 33
ISSUES WHEN PENTESTING GRAPHQL

34. 34

35. BEFORE 35

36. DEMO
GQLPARSER
&
SCANNER
A BURP SUITE
EXTENSION
36

37. Python Based Extension:
GQLParser
Loading in Burp Suite
37

38. ▪ Extension Detects, Parses
GraphQL data
▪ Dynamic Input Fields presented
for testing and editing
▪ Integrates with Scanner for full
coverage
▪ Reduces noise
▪ https://github.com/br3akp0int/
GQLParser
38

39. AFTER
39
40
35
22
-5
0
5
10
15
20
0 2 4 6 8 10
NumberofAttackVectors
Injection Points
Percent of HTTP 400s

40. 40
AUTOMATION >
OPTIMIZATION
CORE GRAPHQL ISSUES
SECURE IMPLEMENTATION

41. 41
▪ http://graphql.org/
▪ https://www.howtographql.com/
▪ https://blog.graph.cool/
▪ https://github.com/rm3l/docker-api-graphql
▪ https://mikewilliamson.wordpress.com/2016/09/15/graphql-and-security/
▪ http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-
types/
▪ https://github.com/rmosolgo/graphql-ruby/issues/167
▪ https://snyk.io/vuln/npm:express-graphql
▪ https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/
▪ https://labs.detectify.com/2018/03/14/graphql-abuse/
▪ https://nordicapis.com/security-points-to-consider-before-implementing-graphql/
▪ https://github.com/br3akp0int/GQLParser
@NeeluTripathy
@br3akp0int