DevSecCon Seatlle 2019 - Workshop The workshop is meant for developers, architects and security folks. During the workshop we will learn how to setup a GraphQL project, define a schema, create Query, Mutation and Subscription for a "fake" social network. We will learn what are the main security issues to consider when developing a GraphQL application: Introspection: information disclosure /graphql as a single point of failure (DoS attacks) IDOR Broken Access control Injections Once we get familiar with the issues, we will explain how to avoid it and/or fix it.

1. Seattle | September 16-17, 2019
Attacking and defending GraphQL
applications: a hands-on approach
DAVIDE CIOCCIA
STEFAN PETRUSHEVSKI

2. Seattle | September 16-17, 2019
$id
Davide Cioccia
@davide107
david3107
Stefan Petrushevski
@ztefan
theztefan

3. Seattle | September 16-17, 2019
Agenda
• GraphQL basics: Query, Mutation, Subscription
• Security Implications in GraphQL
• Lab1: Introspection
• Lab2: DoS
• Lab3: Mutations
• Lab4: IDOR and Authorization bypass
• Lab5: Injections

4. Seattle | September 16-17, 2019
GraphQL
https://graphql.org/
A query language for your API
GraphQL is a query language for APIs and a runtime for fulfilling those
queries with your existing data. GraphQL provides a complete and
understandable description of the data in your API, gives clients the power
to ask for exactly what they need and nothing more,
makes it easier to evolve APIs over time, and enables powerful
developer tools.

5. Seattle | September 16-17, 2019
GraphQL
Optimizing the data fetching problem by
switching from imperative to declarative
data fetching

6. Seattle | September 16-17, 2019
GraphQL vs REST API

7. Seattle | September 16-17, 2019
GraphQL vs REST API

8. Seattle | September 16-17, 2019
REST API GraphQL
vs

9. Seattle | September 16-17, 2019
Common use-case

10. Seattle | September 16-17, 2019
GraphQL basics

11. Seattle | September 16-17, 2019
Create a schema

12. Seattle | September 16-17, 2019
Define an operation
• Query
• Mutation
• Subscription

13. Seattle | September 16-17, 2019
GraphQL query

14. Seattle | September 16-17, 2019
GraphQL mutation

15. Seattle | September 16-17, 2019
GraphQL subscription

16. Seattle | September 16-17, 2019
LAB: GraphQL basics

17. Seattle | September 16-17, 2019
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab3-mutation
docker build . -t graphql/mutation && docker run -ti -p 5000:5000
graphql/mutation

18. Seattle | September 16-17, 2019
Security Implications in GraphQL

19. Seattle | September 16-17, 2019
What can go wrong
• Introspection
• DoS
• Injections
• Broken Authorization
• Insecure Direct Object Reference (IDOR)

20. Seattle | September 16-17, 2019
Introspection

21. Seattle | September 16-17, 2019
What’s introspection
• Allows us to ask a GraphQL schema for information about:
• Queries
• Mutations
• Subscriptions
• Types
• Directives

22. Seattle | September 16-17, 2019
What can we ask for
• Querying all available types in a schema
• __type
• __typename
• All available queries
• queryType
• deprecations
• List of enumerator values
• __type(name: "<ENUM TYPE>")
• All types associated with an Interface or Union
• __type(name: "<INTERFACE OR UNION TYPE>")

23. Seattle | September 16-17, 2019
Ask for available types and queries

24. Seattle | September 16-17, 2019
How can we abuse it?
• Information disclosure
• Sensitive information related to the objects
• Retrieve “hidden” queries to bypass controls
• Use it as a steppingstone for further attacks

25. Seattle | September 16-17, 2019
How do we prevent it?
• Disable introspection. D’oh!
• Npm module
• https://www.npmjs.com/package/graphql-disable-introspection
• One Python hack
class NoIntrospection(ValidationRule):
def enter_Field(self, node, key, parent, path, ancestors):
field_name = node.name.value
if field_name == "__schema" or field_name == "__type":
self.context.report_error(
GraphQLError(u"GraphQL introspection is not allowed", [node])
)

26. Seattle | September 16-17, 2019
LAB: Introspection

27. Seattle | September 16-17, 2019
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab1-info-introspection
docker build . -t graphql/intro && docker run -ti -p 5000:5000
graphql/intro

28. Seattle | September 16-17, 2019
Challenges: DefDev social network

29. Seattle | September 16-17, 2019
Architecture
+ +

30. Seattle | September 16-17, 2019
DoS: Nested queries

31. Seattle | September 16-17, 2019
Nested queries
• Let’s consider the following schema

32. Seattle | September 16-17, 2019
Nested queries

33. Seattle | September 16-17, 2019
Nested queries: complexity calculation
9999 messages x 1 thread
+
9999 messages x 1 thread
+
9999 messages x 1 thread

34. Seattle | September 16-17, 2019
Result

35. Seattle | September 16-17, 2019
How do we prevent it?
• Limit Maximum Query Depth
• Calculate Query Complexity
• Throttling Based on Server Time
• Audit your query before production

36. Seattle | September 16-17, 2019
Limit Maximum Query Depth

37. Seattle | September 16-17, 2019
Limit Maximum Query Depth
• Pros
• Because the AST (Abstract Syntax
Tree) is statically analyzed the
query is never executed
• Cons
• It’s very difficult to cover all the
possible query combinations

38. Seattle | September 16-17, 2019
Calculate Query Complexity
Allow only LOW query complexity. If we set query complexity to 4 this query would fail

39. Seattle | September 16-17, 2019
Calculate Query Complexity
• Pros
• Covers more scenarios
• Do not execute the query
• Cons
• Hard to maintain
• Difficult to calculate
• Mutations can be tricky :/

40. Seattle | September 16-17, 2019
Audit your query before production
• https://www.npmjs.com/package/graphql-validation-complexity
• https://github.com/4Catalyzer/graphql-validation-complexity
• https://github.com/slicknode/graphql-query-complexity

41. Seattle | September 16-17, 2019
LAB: DoS

42. Seattle | September 16-17, 2019
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab2-dos-resource-exhaustion
docker build . -t graphql/dos && docker run -ti -p 5000:5000
graphql/dos

43. Seattle | September 16-17, 2019
Goal
• Take down that social network

44. Seattle | September 16-17, 2019
Broken Authorization & Insecure
Direct Object Reference (IDOR)

45. Seattle | September 16-17, 2019
Quick recap on IDOR

46. Seattle | September 16-17, 2019
So IDOR is a GraphQL problem
….but wrong implementation of GraphQL filtering functions can lead to
IDOR vulnerabilities.

47. Seattle | September 16-17, 2019
What can go wrong?
• Mutations containing predictable IDs
• Perform action on behalf of other users
• Query to retrieve data about single elements
• Retrieve other users' data

48. Seattle | September 16-17, 2019
How do we discover IDOR? Step 1
• Use introspection to find all the available queries

49. Seattle | September 16-17, 2019
How do we discover IDOR? Step 2
• For each query detect the associated Type
• For each object print out the available Fields

50. Seattle | September 16-17, 2019
How do we discover IDOR? Step 3
• For each object detect predictable element (Int, Enum, etc)

51. Seattle | September 16-17, 2019
How do we discover IDOR? Step 4
• Try different values and see what happens :)

52. Seattle | September 16-17, 2019
LAB: IDOR

53. Seattle | September 16-17, 2019
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab4-IDOR
docker build . -t graphql/idor && docker run -ti -p 5000:5000
graphql/idor

54. Seattle | September 16-17, 2019
Goal
• Use IDOR vulnerabilities to retrieve other users' private info
• Authenticate as another user

55. Seattle | September 16-17, 2019
Injections

56. Seattle | September 16-17, 2019
Are Injections possible?
• Yes, injections vulnerabilities are present
• Yes, because of bad implementation (bad coding)
• All web vulnerabilities are potentially present in GraphQL

57. Seattle | September 16-17, 2019
How do we prevent Injections (and other)?
• Use secure coding principles and practices

58. Seattle | September 16-17, 2019
LAB: Injections

59. Seattle | September 16-17, 2019
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab5-injections
docker build . -t graphql/injection && docker run -ti –p
5000:5000 –p 1337:1337 graphql/injection

60. Seattle | September 16-17, 2019
Architecture
+ +

61. Seattle | September 16-17, 2019
Goal
• Use the knowledge from previous labs (hint: introspection)
• There are two different injection vulnerabilities in the lab. Exploit them to:
• Get a remote shell on the machine (use port 1337)
• Get the passwords of all administrator users

62. Seattle | September 16-17, 2019
Thank you!

63. Seattle | September 16-17, 2019
About defdev.eu
• Defensive development – hardening developers
• Hi-end secure development and S/SDLC trainings
• handsons/labs, DIY testing/hacking, exams, certification
• senior security testers and enterprise developers on stage
• from mobile to mainframe
• from C#, JS and Java to Go, Swift and Kotlin
• from practical cybersec to security in CI/CD