4. All rights reserved
Security Chapter Leader, ING BE
● Web application security
● Mobile application security
● Penetration testing
● DevSecOps
● Secure software development trainer
● Co-Founder of DefDev
● Co-Author of OWASP-SKF
5. Agenda
■ GraphQL intro: Query, Mutation, Subscription
■ Security Implications in GraphQL
○ Information disclosure via Introspection
○ DoS
○ IDOR and Authorization bypass
○ Injections
■ OWASP-SKF
■ Q&A Hands-on
6. GraphQL
https://graphql.org/
A query language for your API
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data.
GraphQL provides a complete and understandable description of the data in your API, gives clients the
power to ask for exactly what they need and nothing more,
makes it easier to evolve APIs over time, and enables powerful developer tools.
17. What is introspection?
■ Allows us to ask a GraphQL schema for information about:
○ Queries
○ Mutations
○ Subscriptions
○ Types
○ Directives
18. What can we ask for?
■ Querying all available types in a schema
○ __type
○ __typename
■ All available queries
○ queryType
■ Deprecations
■ List of enumerator values
○ __type(name: "<ENUM TYPE>")
■ All types associated with an Interface or Union
○ __type(name: "<INTERFACE OR UNION TYPE>")
20. How can we abuse it?
■ Information disclosure
○ Sensitive information related to the objects
○ Retrieve hidden queries to bypass controls
○ Use it as a stepping stone for further attacks
33. Limit Maximum Query Depth
• Pros
○ Because the AST (Abstract Syntax Tree) is statically analyzed, the query is never executed
• Cons
○ It’s very difficult to cover all the possible query combinations
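An added example (written for this page, not code from the talk or from any GraphQL library) of the static depth check this slide describes: it tokenizes the query text, builds the selection-set tree, expands fragment spreads so nesting hidden inside fragments still counts, rejects fragment cycles, and never executes anything. The tokenizer, `check_depth` and the sample query are constructed assumptions for illustration; GraphQL server libraries expose the same idea as a validation rule.

```python
import re
TOKEN = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.|[_A-Za-z]\w*|-?\d[\w.+-]*|\$\w*|\S')

def tokenize(doc):  # strings, "...", names, numbers, variables, punctuation; commas and comments dropped
    return [t for t in TOKEN.findall(doc) if t != ',' and not t.startswith('#')]

def skip_extras(tokens, i):  # skip "(args)" and "@directive(args)": neither adds nesting depth
    level = 0
    while level or tokens[i] in ('(', '@'):
        level += {'(': 1, ')': -1}.get(tokens[i], 0)
        i += 2 if tokens[i] == '@' else 1
    return i

def parse_selection_set(tokens, i):  # tokens[i] == "{"; returns (selections, index past "}")
    sels, i = [], i + 1  # a selection is ("field", sub), ("inline", sub) or ("spread", fragment_name)
    while tokens[i] != '}':
        if tokens[i] == '...':
            i += 3 if tokens[i + 1] == 'on' else 1                  # consume "... on Type" or "..."
            name = None if tokens[i] in ('{', '@') else tokens[i]  # "...FragmentName" is a spread
            i = skip_extras(tokens, i + bool(name))
            sub, i = ([], i) if name else parse_selection_set(tokens, i)
            sels.append(('spread', name) if name else ('inline', sub))
        else:                                                       # field, possibly "alias: field"
            i = skip_extras(tokens, i + (3 if tokens[i + 1] == ':' else 1))
            sub, i = parse_selection_set(tokens, i) if tokens[i] == '{' else ([], i)
            sels.append(('field', sub))
    return sels, i + 1

def depth(sels, frags, seen=()):  # max field nesting; spreads are expanded, fragment cycles rejected
    d = 0
    for kind, payload in sels:
        if kind == 'spread' and payload in seen:
            raise ValueError('fragment cycle: ' + payload)
        sub, nested = (frags[payload], seen + (payload,)) if kind == 'spread' else (payload, seen)
        d = max(d, depth(sub, frags, nested) + (kind == 'field'))  # inline fragments add no level
    return d

def check_depth(document, limit):  # static check: the text is analysed, the query is never executed
    tokens, ops, frags, i = tokenize(document), [], {}, 0
    while i < len(tokens):
        name = tokens[i + 1] if tokens[i] == 'fragment' else None
        while tokens[i] != '{':                      # skip "query Q($v: Int!)" / "fragment F on T"
            i = skip_extras(tokens, i) if tokens[i] in ('(', '@') else i + 1
        body, i = parse_selection_set(tokens, i)
        if name: frags[name] = body
        else: ops.append(body)
    d = max(depth(op, frags) for op in ops)
    return d, d <= limit

SAMPLE = """query Friends($id: ID!) { user(id: $id) { ...Profile } }
fragment Profile on User { name friends(first: 10) { name friends { name } } }"""  # constructed sample
```

`check_depth(SAMPLE, 3)` returns `(4, False)`: the operation's own braces nest only two deep, so a limiter that only counts braces in the operation would let it through.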
36. Audit your query before production
■ https://www.npmjs.com/package/graphql-validation-complexity
■ https://github.com/4Catalyzer/graphql-validation-complexity
■ https://github.com/slicknode/graphql-query-complexity
39. ...but a wrong implementation of GraphQL filtering functions can lead to IDOR vulnerabilities.
So IDOR is a GraphQL problem
40. IDOR in GraphQL implementations
■ Mutations containing predictable IDs
○ Perform actions on behalf of other users
■ Queries that retrieve data about single elements
○ Retrieve other users' data
41. How do we discover IDOR? Step 1
■ Use introspection to find all the available Types
42. How do we discover IDOR? Step 2
■ For each query detect the associated Type
■ For each object print out the available Fields
43. How do we discover IDOR? Step 3
■ For each object detect predictable elements (Int, Enum, etc.)
44. How do we discover IDOR? Step 4
■ Try different values and see what happens :)
45. Goal
■ Use IDOR vulnerabilities to retrieve other users' private info
■ Authenticate as another user
57. OWASP-SKF
• Guide to secure programming
By adapting your design to security, not securing your design
• Security awareness
It informs you about threats even before you write a single line of code.
• Clear and transparent
Provides information applicable to your specific needs on the spot.