The video of the presentation can be found here: https://www.youtube.com/watch?v=23ZYk-ba36k

1. Avoiding GraphQL insecurities with OWASP SKF

2. $id(s)
Davide Cioccia
@davide107
david3107
● Security engineer @ ING Bank
● Secure software development trainer
● Co-Founder of DCODX.com
● Occasional bug hunter
● Conference speaker and trainer

3. All rights reserved
Unreal Tournament 1991

4. All rights reserved
Security Chapter
Leader ING BE
● Web application security
● Mobile application security
● Penetration testing
● DevSecOps
● Secure software development trainer
● Co-Founder of DefDev
● Co-Author of OWASP-SKF

5. ■ GraphQL intro: Query, Mutation, Subscription
■ Security Implications in GraphQL
○ Information disclosure via Introspection
○ DoS
○ IDOR and Authorization bypass
○ Injections
■ OWASP-SKF
■ Q&A Hands-on
Agenda

6. GraphQL
https://graphql.org/
A query language for your API
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data.
GraphQL provides a complete and understandable description of the data in your API, gives clients the
power to ask for exactly what they need and nothing more,
makes it easier to evolve APIs over time, and enables powerful developer tools.

7. GraphQL vs REST
*https://www.howtographql.com/

8. GraphQL vs REST
*https://www.howtographql.com/

9. Key Concepts
■ Schema
■ Query
■ Mutation
■ Subscription

10. Create a schema

11. GraphQL query

12. GraphQL mutation

13. GraphQL subscription

14. Security Implications in GraphQL
Security Implications in GraphQL

15. What can go wrong
■ Information disclosure via Introspection
■ DoS
■ Authorization bypass
■ IDOR
■ Injections

16. Introspection

17. What’s introspection
■ Allows us to ask a GraphQL schema for information about:
○ Queries
○ Mutations
○ Subscriptions
○ Types
○ Directives

18. What can we ask for
■ Querying all available types in a schema
○ __type
○ __typename
■ All available queries
○ queryType
■ deprecations
■ List of enumerator values
○ __type(name: "<ENUM TYPE>")
■ All types associated with an Interface or Union
○ __type(name: "<INTERFACE OR UNION TYPE>")

19. Ask for available types and queries

20. ■ Information disclosure
○ Sensitive information related to the objects
○ Retrieve hidden queries to bypass controls
○ Use it as a stepping stone for further attacks
How can we abuse it?

21. Introspection simplified: GraphQL Voyager
https://apis.guru/graphql-voyager/

22. Burp Extension: InQL from Doyensec
https://github.com/doyensec/inql

23. Challenge: DefDev social network

24. Architecture
+ +

25. DEMO

26. Nested queries: DoS

27. ■ Let’s consider the following schema
Nested queries

28. Nested queries

29. Nested queries: complexity calculation
99999 messages x 1 thread
+
99999 messages x 1 thread
+
99999 messages x 1 thread

30. Results

31. How do we prevent it
■ Avoid Recursive Nested Queries
■ Limit Maximum Query Depth
■ Calculate Query Complexity
■ Audit your query before Release

32. Limit Maximum Query Depth

33. Limit Maximum Query Depth
•Pros
•Because the AST (Abstract Syntax
Tree) is statically analyzed the
query is never executed
•Cons
•It’s very difficult to cover all the
possible query combinations

34. Calculate Query Complexity
Allow only LOW query complexity. If we set query complexity to 4 this query would fail

35. Calculate Query Complexity
•Pros
•Covers more scenarios
•Do not execute the query
•Cons
•Hard to maintain
•Difficult to calculate
•Mutations can be tricky :/

36. Audit your query before production
■ https://www.npmjs.com/package/graphql-validation-complexity
■ https://github.com/4Catalyzer/graphql-validation-complexity
■ https://github.com/slicknode/graphql-query-complexity

37. IDOR

38. Quick recap on IDOR

39. ….but wrong implementation of GraphQL filtering functions can lead to IDOR
vulnerabilities.
So IDOR is a GraphQL problem

40. IDOR in GraphQL implementations
■ Mutations containing predictable IDs
○ Perform action in behalf of other users
■ Query to retrieve data about single elements
○ Retrieve other users data

41. ■ Use introspection to find all the available Types
How do we discover IDOR? Step 1

42. ■ For each query detect the associated Type
■ For each object print out the available Fields
How do we discover IDOR? Step 2

43. ■ For each object detect predictable element (Int, Enum, etc)
How do we discover IDOR? Step 3

44. ■ Try different values and see what happens :)
How do we discover IDOR? Step 4

45. ■ Use IDOR vulnerabilities to retrieve other users private info
■ Authenticate as another user
Goal

46. Injections

47. ■ Injections are not a GraphQL intrinsic problem
■ Multiple types
○ NoSQL injections
○ Command Injections
○ SQL injection
○ more
Why Injections

48. ■ Scalar Types
○ simple primitives: String, Int, Float, or Boolean
○ Sometimes not enough
○ We can create custom ones (ex. Date)*
■ Custom Scalar Types
○ Powerful extension for complex data structures
○ JSON objects
Exploiting Custom Scalar types
*https://www.npmjs.com/package/graphql-iso-date

49. What can go wrong
JSON object JSON object

50. GraphQL query
type Query { users(search: JSON!): [User] }
{ Query:
{ users: (_root, { search }, _context) =>
{ return Users.find(search, { fields:
{
username: 1,
fullname: 1,
email: 1
}
});
}
}
}

51. Malicious query
{
users(search: "{"email": {"$gte": ""}}",
options: "{"skip": 0, "limit": 10}")
{
_id
username
fullname
email
}
}
… returns all Users in the collection

52. {
users(search: "{"email": {"$gte": ""}}",
options: "{"fields": {}}")
{
_id
username
fullname
email
}
}

53. OWASP SKF: Let’s avoid these issues

54. Developers, you are the one!

55. sdfds
Barely hanging on...

56. sdfds
There are always options

57. OWASP - SKF
• Guide to secure programming
By adapting your design to security, not securing your design
• Security awareness
It informs you about threats even before you wrote a single line of code.
• Clear and transparent
Provides information applicable for your specific needs on the spot.

58. Setting up the right security requirements

59. OWASP - (m)ASVS checklists

60. ASVS level examples

61. SKF - mASVS

62. SKF - ASVS

63. SKF - Threats visible upfront

64. SKF - take responsibility

65. SKF - Demo

68. You have the skills

69. ■ Labs time ☺
■ Use the knowledge from the demo ( introspection)
■ Follow the writeups
○ write-ups: Introduction
More ?

70. Repo
https://github.com/blabla1337/skf-labs
- graphql-IDOR
- graphql-dos-resource-exhaustion
- graphql-info-introspection
- graphql-injections
- graphql-mutation
https://owasp-skf.gitbook.io/asvs-write-ups/kbid-285-graphql-introspection