DevSecCon Seattle 2019 - Workshop
The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create a Query, Mutation and Subscription for a "fake" social network. We will learn the main security issues to consider when developing a GraphQL application:
Introspection: information disclosure
/graphql as a single point of failure (DoS attacks)
IDOR
Broken Access control
Injections
Once we are familiar with the issues, we will explain how to avoid and/or fix them.
Attacking and defending GraphQL applications: a hands-on approach
1. Seattle | September 16-17, 2019
Attacking and defending GraphQL applications: a hands-on approach
DAVIDE CIOCCIA
STEFAN PETRUSHEVSKI
2. Seattle | September 16-17, 2019
$id
Davide Cioccia
@davide107
david3107
Stefan Petrushevski
@ztefan
theztefan
3. Seattle | September 16-17, 2019
Agenda
• GraphQL basics: Query, Mutation, Subscription
• Security Implications in GraphQL
• Lab1: Introspection
• Lab2: DoS
• Lab3: Mutations
• Lab4: IDOR and Authorization bypass
• Lab5: Injections
4. Seattle | September 16-17, 2019
GraphQL
https://graphql.org/
A query language for your API
GraphQL is a query language for APIs and a runtime for fulfilling those
queries with your existing data. GraphQL provides a complete and
understandable description of the data in your API, gives clients the power
to ask for exactly what they need and nothing more,
makes it easier to evolve APIs over time, and enables powerful
developer tools.
5. Seattle | September 16-17, 2019
GraphQL
Optimizing the data fetching problem by switching from imperative to declarative data fetching
19. Seattle | September 16-17, 2019
What can go wrong
• Introspection
• DoS
• Injections
• Broken Authorization
• Insecure Direct Object Reference (IDOR)
21. Seattle | September 16-17, 2019
What’s introspection
• Allows us to ask a GraphQL schema for information about:
  • Queries
  • Mutations
  • Subscriptions
  • Types
  • Directives
22. Seattle | September 16-17, 2019
What can we ask for
• Querying all available types in a schema
  • __type
  • __typename
• All available queries
  • queryType
  • deprecations
• List of enumerator values
  • __type(name: "<ENUM TYPE>")
• All types associated with an Interface or Union
  • __type(name: "<INTERFACE OR UNION TYPE>")
24. Seattle | September 16-17, 2019
How can we abuse it?
• Information disclosure
• Sensitive information related to the objects
• Retrieve “hidden” queries to bypass controls
• Use it as a steppingstone for further attacks
25. Seattle | September 16-17, 2019
How do we prevent it?
• Disable introspection. D’oh!
• Npm module
  • https://www.npmjs.com/package/graphql-disable-introspection
• One Python hack
    # Validation rule for graphql-core 2.x (the version graphene 2 builds on);
    # the two imports are added here, the slide shows only the class body
    from graphql import GraphQLError
    from graphql.validation.rules.base import ValidationRule

    class NoIntrospection(ValidationRule):
        # visitor hook called for every Field node in the parsed query
        def enter_Field(self, node, key, parent, path, ancestors):
            field_name = node.name.value
            # __schema and __type expose the schema; __typename is left alone
            if field_name == "__schema" or field_name == "__type":
                self.context.report_error(
                    GraphQLError(u"GraphQL introspection is not allowed", [node])
                )
35. Seattle | September 16-17, 2019
How do we prevent it?
• Limit Maximum Query Depth
• Calculate Query Complexity
• Throttling Based on Server Time
• Audit your query before production
37. Seattle | September 16-17, 2019
Limit Maximum Query Depth
• Pros
  • Because the AST (Abstract Syntax Tree) is statically analyzed, the query is never executed
• Cons
  • It’s very difficult to cover all the possible query combinations
38. Seattle | September 16-17, 2019
Calculate Query Complexity
Allow only LOW query complexity. If we set the maximum query complexity to 4, the query shown on the slide would fail.
39. Seattle | September 16-17, 2019
Calculate Query Complexity
• Pros
  • Covers more scenarios
  • Does not execute the query
• Cons
  • Hard to maintain
  • Difficult to calculate
  • Mutations can be tricky :/
40. Seattle | September 16-17, 2019
Audit your query before production
• https://www.npmjs.com/package/graphql-validation-complexity
• https://github.com/4Catalyzer/graphql-validation-complexity
• https://github.com/slicknode/graphql-query-complexity
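The three static defences from the slides above (rejecting __schema/__type, limiting query depth and scoring query complexity) all run on the parsed query before anything executes. What follows is an added example written for this write-up, not code from the workshop or from the npm modules listed; it uses only the Python standard library and a small hand-written parser for a subset of the GraphQL query grammar (operation keyword and name, nested selections, aliases, scalar arguments; variables, fragments, directives and list/object values are rejected). The names Parser, validate, max_depth, complexity and the sample queries are all constructed here, and the scoring rule, where a first/last page-size argument multiplies the cost of everything beneath it, is one common choice rather than the only one.

```python
import re

# Tokens: strings, ints, names, punctuation; whitespace, commas and # comments are skipped, anything
# else (variables, fragments, directives, list/object values) is rejected as unsupported.
NAME_RE = re.compile(r'[_A-Za-z][_0-9A-Za-z]*')
TOKEN_RE = re.compile(r'\s+|,|#[^\n]*|(?P<tok>"(?:[^"\\]|\\.)*"|-?\d+|[_A-Za-z][_0-9A-Za-z]*|[{}():])|(?P<bad>.)')

class Parser:
    """Recursive-descent parser producing a tree of {name, args, selections} dicts."""
    def __init__(self, text):
        self.toks, self.pos = [], 0
        for m in TOKEN_RE.finditer(text):
            if m.group('bad'):
                raise ValueError(f'unsupported character {m.group("bad")!r} at offset {m.start()}')
            if m.group('tok'):
                self.toks.append(m.group('tok'))
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self, expected=None):
        """Consume one token; expected is a literal, or NAME_RE for any identifier."""
        tok = self.peek()
        valid = tok is not None and (expected is None or (
            NAME_RE.fullmatch(tok) if expected is NAME_RE else tok == expected))
        if not valid:
            raise ValueError(f'unexpected token {tok!r} at position {self.pos}')
        self.pos += 1
        return tok
    def document(self):
        if self.peek() in ('query', 'mutation', 'subscription'):
            self.take()
            if self.peek() != '{':
                self.take(NAME_RE)  # operation name
        return self.selection_set()
    def selection_set(self):
        self.take('{')
        fields = []
        while self.peek() != '}':
            fields.append(self.field())
        self.take('}')
        return fields
    def field(self):
        name = self.take(NAME_RE)
        if self.peek() == ':':  # "alias: realField"
            self.take(':')
            name = self.take(NAME_RE)
        args = {}
        if self.peek() == '(':
            self.take('(')
            while self.peek() != ')':
                key = self.take(NAME_RE)
                self.take(':')
                args[key] = self.value()
            self.take(')')
        children = self.selection_set() if self.peek() == '{' else []
        return {'name': name, 'args': args, 'selections': children}
    def value(self):
        tok = self.take()
        if tok.startswith('"'):
            return tok[1:-1]
        if re.fullmatch(r'-?\d+', tok):
            return int(tok)
        if NAME_RE.fullmatch(tok):
            return tok  # enum value or true/false/null
        raise ValueError(f'unsupported argument value {tok!r}')

def max_depth(fields):
    """Depth of the deepest field; a leaf field counts as 1."""
    return max((1 + max_depth(f['selections']) for f in fields), default=0)

def complexity(fields):
    """1 per field; a list field's subtree is multiplied by its first/last page size."""
    total = 0
    for f in fields:
        page = f['args'].get('first', f['args'].get('last'))
        factor = page if isinstance(page, int) and page > 0 else 1
        total += 1 + factor * complexity(f['selections'])
    return total

def uses_introspection(fields):
    # __schema and __type expose the schema; __typename is harmless and stays allowed.
    return any(f['name'] in ('__schema', '__type') or uses_introspection(f['selections']) for f in fields)

def validate(query, max_depth_allowed=5, max_complexity_allowed=100, allow_introspection=False):
    """Static checks only, the query is never executed; an empty list means accepted."""
    fields = Parser(query).document()
    errors = []
    if not allow_introspection and uses_introspection(fields):
        errors.append('GraphQL introspection is not allowed')
    depth, cost = max_depth(fields), complexity(fields)
    if depth > max_depth_allowed:
        errors.append(f'query depth {depth} exceeds limit {max_depth_allowed}')
    if cost > max_complexity_allowed:
        errors.append(f'query complexity {cost} exceeds limit {max_complexity_allowed}')
    return errors

CHEAP = 'query Me { me { id name } }'  # constructed samples in the fake social network's shape
DEEP = '{ user(id: 1) { friends { friends { friends { friends { name } } } } } }'
EXPENSIVE = '{ posts(first: 100) { comments(first: 100) { author { name } } } }'
INTROSPECT = '{ __schema { types { name } } }'
```

validate(CHEAP) returns an empty list and CHEAP scores 3, so it would pass even the limit of 4 mentioned on the slide. With the default limit of 5, DEEP is rejected at depth 6, while EXPENSIVE is only four levels deep yet scores 1 + 100 * (1 + 100 * 2) = 20101, which is why a depth limit alone does not cover the list-of-lists case and why the slides recommend scoring as well. Aliases are counted as separate fields, so a client cannot dodge the score by asking for the same list under two names. In production, graphql-core's validate() runs rule classes like the NoIntrospection rule shown earlier, and the libraries listed above implement the complexity scoring against the real schema.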
46. Seattle | September 16-17, 2019
So IDOR is a GraphQL problem
...but a wrong implementation of GraphQL filtering functions can lead to IDOR vulnerabilities.
47. Seattle | September 16-17, 2019
What can go wrong?
• Mutations containing predictable IDs
  • Perform actions on behalf of other users
• Queries that retrieve data about single elements
  • Retrieve other users' data
48. Seattle | September 16-17, 2019
How do we discover IDOR? Step 1
• Use introspection to find all the available queries
49. Seattle | September 16-17, 2019
How do we discover IDOR? Step 2
• For each query detect the associated Type
• For each object print out the available Fields
50. Seattle | September 16-17, 2019
How do we discover IDOR? Step 3
• For each object detect predictable elements (Int, Enum, etc.)
51. Seattle | September 16-17, 2019
How do we discover IDOR? Step 4
• Try different values and see what happens :)
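Steps 1 to 3 above can be automated over an introspection result. The following is an added example (mine, not the workshop's lab code): it takes a __schema response in the shape a real server returns, here a constructed, trimmed schema for the fake social network, walks the Query and Mutation root types, and reports every operation whose argument is an Int, ID or enum together with the fields of the type it returns. Running the same pass over your own schema gives the list of resolvers that must enforce an object-level authorization check. The helper names (named, non_null, list_of, field, find_predictable_lookups) and the sample schema are all constructed for this example.

```python
# Helpers building type references in the shape a real __schema response uses
# (kind/name/ofType); the whole sample schema below is constructed for this example.
def named(kind, name):
    return {'kind': kind, 'name': name, 'ofType': None}

def non_null(inner):
    return {'kind': 'NON_NULL', 'name': None, 'ofType': inner}

def list_of(inner):
    return {'kind': 'LIST', 'name': None, 'ofType': inner}

def field(name, type_ref, **args):
    return {'name': name, 'type': type_ref,
            'args': [{'name': a, 'type': t} for a, t in args.items()]}

INT, ID, STR = named('SCALAR', 'Int'), named('SCALAR', 'ID'), named('SCALAR', 'String')
SAMPLE_INTROSPECTION = {'data': {'__schema': {
    'queryType': {'name': 'Query'}, 'mutationType': {'name': 'Mutation'},
    'types': [
        {'kind': 'OBJECT', 'name': 'Query', 'fields': [
            field('user', named('OBJECT', 'User'), id=non_null(INT)),
            field('users', list_of(named('OBJECT', 'User'))),
            field('post', named('OBJECT', 'Post'), slug=non_null(STR))]},
        {'kind': 'OBJECT', 'name': 'Mutation', 'fields': [
            field('deletePost', named('SCALAR', 'Boolean'), id=non_null(ID)),
            field('setRole', named('OBJECT', 'User'),
                  userId=non_null(INT), role=non_null(named('ENUM', 'Role')))]},
        {'kind': 'OBJECT', 'name': 'User', 'fields': [
            field('id', INT), field('email', STR), field('role', named('ENUM', 'Role'))]},
        {'kind': 'OBJECT', 'name': 'Post', 'fields': [field('id', ID), field('title', STR)]},
        {'kind': 'ENUM', 'name': 'Role', 'enumValues': [{'name': 'USER'}, {'name': 'ADMIN'}]},
    ]}}}

PREDICTABLE_SCALARS = {'Int', 'ID'}

def unwrap(type_ref):
    """Strip NON_NULL/LIST wrappers (their name is None) down to the named type."""
    while type_ref['name'] is None:
        type_ref = type_ref['ofType']
    return type_ref

def is_predictable(type_ref):
    """Ints and IDs are usually sequential; an enum is a small set anyone can walk through."""
    inner = unwrap(type_ref)
    return inner['name'] in PREDICTABLE_SCALARS or inner['kind'] == 'ENUM'

def find_predictable_lookups(introspection):
    """Steps 1-3 of the slides: every root operation, the type it returns, and the
    arguments a caller could simply count through. Each hit names a resolver that
    must check the caller is allowed to see or change that particular object."""
    schema = introspection['data']['__schema']
    types = {t['name']: t for t in schema['types']}
    findings = []
    for root_key in ('queryType', 'mutationType', 'subscriptionType'):
        root = schema.get(root_key)
        if not root:
            continue
        for op in types[root['name']]['fields']:
            returns = unwrap(op['type'])['name']
            for arg in op['args']:
                if is_predictable(arg['type']):
                    findings.append({
                        'root': root['name'], 'operation': op['name'],
                        'arg': arg['name'], 'arg_type': unwrap(arg['type'])['name'],
                        'returns': returns,
                        'fields': [f['name'] for f in types.get(returns, {}).get('fields', [])],
                    })
    return findings
```

On the sample schema the pass flags user(id: Int!), deletePost(id: ID!) and both arguments of setRole, and skips post(slug: String!) and the argument-less users list. The fields of the returned type are reported because they show what an authorization miss would expose (here the User's email and role); a mutation that returns only a Boolean is still listed, since step 4 on the slide is about the side effect, not the response.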
56. Seattle | September 16-17, 2019
Are Injections possible?
• Yes, injection vulnerabilities are present
• Yes, because of bad implementation (bad coding)
• All web vulnerabilities are potentially present in GraphQL
57. Seattle | September 16-17, 2019
How do we prevent Injections (and others)?
• Use secure coding principles and practices
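The injection labs come down to resolver code that assembles a query from the field's arguments by string concatenation. As an added example (not the workshop's lab code), here is a Python resolver for a hypothetical users(name: String) field in both forms, backed by an in-memory SQLite table with constructed rows, plus the allow-list pattern for the one place a bound parameter cannot help, a column name in ORDER BY. In graphene the resolver would be a method receiving (root, info, **args); plain functions taking the connection are used here so the block runs stand-alone.

```python
import sqlite3

def make_db():
    """In-memory users table with constructed sample rows (one name contains a quote)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)')
    conn.executemany('INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)', [
        ('alice', 'alice@example.com', 1),
        ('bob', 'bob@example.com', 0),
        ("o'brien", 'obrien@example.com', 0),
    ])
    return conn

def resolve_users_vulnerable(conn, name):
    """Resolver for a hypothetical users(name: String) field that splices the
    argument into the SQL text. Kept only to show the defect: a quote in `name`
    is parsed as SQL, so a legitimate name breaks the query and a crafted one
    rewrites the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def resolve_users_safe(conn, name):
    """Same resolver with a bound parameter: the driver sends the value separately
    from the statement, so it is never read as SQL whatever characters it contains."""
    rows = conn.execute('SELECT name FROM users WHERE name = ?', (name,))
    return [row[0] for row in rows]

ALLOWED_SORT_COLUMNS = {'name', 'email'}

def resolve_users_sorted(conn, sort_by):
    """Identifiers (column names) cannot be bound as parameters, so the only safe
    option is an allow-list of the values the schema actually offers."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f'unsupported sort column {sort_by!r}')
    return [row[0] for row in conn.execute(f'SELECT name FROM users ORDER BY {sort_by}')]
```

The functional bug is the quickest way to spot the security bug: resolve_users_vulnerable(conn, "o'brien") fails with a SQL syntax error, which is the same mechanism that lets a crafted name change the query, while the parameterised version returns the one matching row. For the sort column, the cleanest GraphQL form of the allow-list is to declare the argument as an enum type, so schema validation rejects anything outside the list before the resolver ever runs.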
61. Seattle | September 16-17, 2019
Goal
• Use the knowledge from previous labs (hint: introspection)
• There are two different injection vulnerabilities in the lab. Exploit them to:
  • Get a remote shell on the machine (use port 1337)
  • Get the passwords of all administrator users
63. Seattle | September 16-17, 2019
About defdev.eu
• Defensive development – hardening developers
• High-end secure development and S/SDLC trainings
  • hands-on labs, DIY testing/hacking, exams, certification
  • senior security testers and enterprise developers on stage
  • from mobile to mainframe
  • from C#, JS and Java to Go, Swift and Kotlin
  • from practical cybersec to security in CI/CD