
Post on 23-May-2020


GRAPHQL APPLICATIONS SECURITY TESTING AUTOMATIZATION

Pavel Sorokin

whoami

• Pavel Sorokin
• Senior Penetration Tester @ bi.zone

GraphQL Brief - WTF?

• Query language for APIs
• Provides the ability to get exactly what you need with one query
• 3 query concepts:
  • query for data retrieval
  • mutation for modifications
  • subscription for events

• RTFM: https://www.howtographql.com/

GraphQL Brief - WTF?

[Figure: an example GraphQL request and its response]

GraphQLBrief - WTF?

• Schema (type definitions, etc.) is defined in SDL format

...
type User {
  id: ID
  posts(id: ID): Post
  name: String
}

type Post {
  id: ID
  comments: [Comment]
  author: User
}

type Comment {
  id: ID
  text: String
  commentator: User
}
...

GraphQLBrief - WTF?

• Why Graph?

[Figure: the schema as a directed graph: User -posts-> Post, Post -comments-> Comment, Post -author-> User, Comment -commentator-> User]

GraphQLBrief - WTF?

• The schema can be obtained with an introspection query

query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations

GraphQLBrief - WTF?

[Figure: raw HTTP request carrying the introspection query]

GraphQLBrief - WTF?

[Figure: two ways to send parameters: inline arguments in the query text, or a separate variables object]

GraphQL Tools

• GraphQL clients (like Altair) - editor, run query
• GraphQL Raider Burp plugin - insertion point, editor, run query
• GraphQL Voyager - schema visualization

GraphQL Automate

What do we want?

• Use Burp
• Find all possible queries
• Check for access control
• Scan all parameters
• Test for DoS loops
• Find alternative paths to critical data


Find all possible queries

• There is an extremely large number of possible queries

• What about all queries with depth=1?

• It is impossible to get the "elementary" queries from the schema alone

type Query {
  admin: AdminQueries
  user: UserQueries
}

type AdminQueries {
  getUsers: ...
  getSystemInfo: ...
}

type UserQueries {
  userInfo: UserInfo
  posts: Post
}

Find all possible queries

Hack - let's assume that a query is "elementary" if:
• it has parameters
OR
• it has an "id" field



Access control


Role-based access control: the Query type is split into an admin sub-query (AdminQueries) and a user sub-query (UserQueries), as in the schema shown above

We can use Burp plugins for access control checks:
• AuthMatrix
• Autorize
• AutoRepeater

Access Control

What about variables?

Variables could be checked for correct format before being passed to the handlers, so a rejected request may reflect format validation rather than access control

Try all known correct formats for the variable types:
id: 123 or id: "5ed496cc-c971-11dc-93cd-15767af24309"

* The number of queries could grow exponentially


Scan all parameters

• Find all types with arguments in the schema

• Build a query for each of them (use the variables parameter style)

• Start Burp Scanner (Burp understands JSON queries)

* You need all parameters to have correct values
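The "elementary query" heuristic from the "Find all possible queries" slide, the candidate value formats from the variables slide and the variables-style query generation from "Scan all parameters", as an added example that is not code from the talk or from the graphqler tool. The SCHEMA dictionary is a constructed model of the Query / AdminQueries / UserQueries example on the slides, and the CANDIDATES table is the constructed set of known-good formats; the walk remembers the types on the current path so a cyclic schema cannot make it recurse forever.

```python
"""Added example (not the talk's or graphqler's code): find "elementary"
queries with the slide heuristic (field has arguments OR its type has an
"id" field), then emit each one in the variables parameter style with the
known-good value formats the slides suggest for its arguments."""
from itertools import product

# Constructed schema model: type -> field -> (return type, [(arg name, arg type), ...]).
# It mirrors the Query / AdminQueries / UserQueries example from the slides.
SCHEMA = {
    "Query": {"admin": ("AdminQueries", []), "user": ("UserQueries", [])},
    "AdminQueries": {"getUsers": ("[User]", []), "getSystemInfo": ("SystemInfo", [])},
    "UserQueries": {
        "userInfo": ("UserInfo", [("id", "ID!")]),
        "posts": ("Post", [("first", "Int")]),
    },
    "User": {"id": ("ID", []), "name": ("String", [])},
    "SystemInfo": {"version": ("String", [])},
    "UserInfo": {"id": ("ID", []), "email": ("String", [])},
    "Post": {"id": ("ID", []), "text": ("String", [])},
}

# Known-good formats per scalar type (constructed): an integer id and a UUID id.
CANDIDATES = {
    "ID": [123, "5ed496cc-c971-11dc-93cd-15767af24309"],
    "Int": [1],
    "String": ["test"],
}


def base_type(t):
    """Strip list brackets and non-null markers: '[User!]!' -> 'User'."""
    return t.replace("[", "").replace("]", "").replace("!", "")


def is_elementary(field_type, args):
    """Slide heuristic: the field has parameters, or its return type has an 'id' field."""
    return bool(args) or "id" in SCHEMA.get(base_type(field_type), {})


def find_elementary(type_name="Query", path=(), seen=frozenset()):
    """Walk container types from the root; return (path, return type, args) per elementary field.
    `seen` holds the types on the current path so a cyclic schema cannot recurse forever."""
    seen = seen | {type_name}
    found = []
    for name, (ftype, args) in SCHEMA[type_name].items():
        inner = base_type(ftype)
        if is_elementary(ftype, args):
            found.append((path + (name,), ftype, args))
        elif inner in SCHEMA and inner not in seen:
            found.extend(find_elementary(inner, path + (name,), seen))
    return found


def selection(type_name):
    """Select the scalar fields of a type (one level), enough to get a valid response."""
    fields = SCHEMA.get(type_name, {})
    scalars = [n for n, (t, _) in fields.items() if base_type(t) not in SCHEMA]
    return " { " + " ".join(scalars) + " }" if scalars else ""


def build_queries(path, ftype, args):
    """Return (query, variables) pairs: one query text, and one variables object per
    combination of candidate argument values (the combinations multiply per argument)."""
    var_defs = ", ".join(f"${a}: {t}" for a, t in args)
    arg_list = ", ".join(f"{a}: ${a}" for a, _ in args)
    body = path[-1] + (f"({arg_list})" if args else "") + selection(base_type(ftype))
    for name in reversed(path[:-1]):  # wrap in the container fields, innermost first
        body = f"{name} {{ {body} }}"
    query = "query" + (f"({var_defs})" if var_defs else "") + f" {{ {body} }}"
    value_sets = [CANDIDATES.get(base_type(t), [None]) for _, t in args]
    names = [a for a, _ in args]
    return [(query, dict(zip(names, combo))) for combo in product(*value_sets)]


if __name__ == "__main__":
    for path, ftype, args in find_elementary():
        for query, variables in build_queries(path, ftype, args):
            print({"query": query, "variables": variables})
```

Each generated pair is the JSON body Burp would see ({"query": ..., "variables": ...}), so the scanner gets one request per elementary query with every variable already in a format the server's validation accepts. The product over CANDIDATES is where the slide's exponential growth comes from: every argument with k candidate formats multiplies the number of requests by k.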


DOS loops


• Loops on the graph

[Figure: the same graph: User -posts-> Post -comments-> Comment -commentator-> User, and Post -author-> User]

DOS loops

query {
  User(id: "123") {
    posts {
      comments {
        commentator {
          posts {
            comments {
              commentator { ... }
            }
          }
        }
      }
    }
  }
}


DOS loops

• A large number of loops exists

• Only loops with "[Type]" (LIST) on an edge are interesting

• Generally you don't need to test all loops

* You still need correct parameters

DOS loops

• Load the schema as a graph
• Find n loops with a LIST on any edge
• Issue loop queries with a given depth

• Overview on howtographql: https://www.howtographql.com/advanced/4-security/


Alternative paths

Edge-based access control


[Figure: the same graph: User -posts-> Post -comments-> Comment -commentator-> User, and Post -author-> User]

• Load the schema as a graph
• Find all paths to the type with the critical parameter
• Issue the queries, or show them to the analyst

Alternative paths

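The graph steps from the "DOS loops" and "Alternative paths" slides (load the schema as a graph, find the loops that cross a LIST edge, build a loop query of a given depth, and enumerate every path to a critical type), as an added example that is not the talk's or graphqler's code. The EDGES table is a constructed model of the User / Post / Comment graph from the slides plus an assumed Query root with `me` and `post` entry points; `query_depth` and `within_depth_limit` are additions that measure the generated query the way the maximum-query-depth limit described on the howtographql security page would, so the same loop can be checked against a proposed limit.

```python
"""Added example (not the talk's or graphqler's code): treat the schema as a
directed graph, find loops that cross a LIST edge, build a loop query of a
given depth, measure that query's depth the way a server-side depth limit
would, and enumerate every path to a critical type."""

# Constructed edge table: type -> [(field, target type, target is a LIST)].
# It models the User / Post / Comment graph from the slides plus an assumed
# Query root with two entry points (`me` and `post`).
EDGES = {
    "Query": [("me", "User", False), ("post", "Post", False)],
    "User": [("posts", "Post", False)],
    "Post": [("comments", "Comment", True), ("author", "User", False)],
    "Comment": [("commentator", "User", False)],
}


def find_loops(start):
    """Simple cycles that return to `start`, each as a list of (field, target, is_list) edges."""
    loops = []

    def dfs(node, path, visited):
        for field, target, is_list in EDGES.get(node, []):
            edge = (field, target, is_list)
            if target == start:
                loops.append(path + [edge])
            elif target not in visited:
                dfs(target, path + [edge], visited | {target})

    dfs(start, [], {start})
    return loops


def list_loops(start):
    """Only loops with a LIST somewhere on the cycle multiply the response per iteration."""
    return [loop for loop in find_loops(start) if any(is_list for _, _, is_list in loop)]


def loop_query(loop, depth, root='User(id: "123")', leaf="id"):
    """Nest the loop's fields `depth` times under `root`: the query shape shown on the slides."""
    fields = [field for field, _, _ in loop] * depth
    body = leaf
    for field in reversed(fields):
        body = f"{field} {{ {body} }}"
    return f"query {{ {root} {{ {body} }} }}"


def query_depth(query):
    """Maximum selection-set nesting, counted from the braces of the query text
    (the query text is assumed to contain no braces inside string literals)."""
    depth = current = 0
    for ch in query:
        if ch == "{":
            current += 1
            depth = max(depth, current)
        elif ch == "}":
            current -= 1
    return depth


def within_depth_limit(query, limit):
    """The check a server-side depth limit applies before executing a query."""
    return query_depth(query) <= limit


def find_paths(start, target):
    """All simple field paths from `start` that end at `target`: each is another way to reach
    the critical type, so every edge on it needs the same access check (edge-based access control)."""
    paths = []

    def dfs(node, path, visited):
        for field, nxt, _ in EDGES.get(node, []):
            if nxt == target:
                paths.append(path + [field])
            elif nxt not in visited:
                dfs(nxt, path + [field], visited | {nxt})

    dfs(start, [], {start})
    return paths


if __name__ == "__main__":
    for loop in list_loops("User"):
        q = loop_query(loop, depth=2)
        print(q, "depth:", query_depth(q), "allowed at limit 6:", within_depth_limit(q, 6))
    for path in find_paths("Query", "User"):
        print(".".join(path))
```

On this graph only the posts -> comments -> commentator cycle carries a LIST edge, so it is the one worth a loop query; the posts -> author cycle returns a single object per iteration and is skipped, which is the slide's "only loops with [Type] on edges are interesting". find_paths shows why the alternative-paths check matters: `me`, `post.author` and `post.comments.commentator` all end at User, so an access check placed only on the `me` entry point leaves two other routes to the same data.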

graphqler: https://github.com/sorokinpf/graphqler

TODO

• Fill parameter values with known good values from history
• Deal with typical GraphQL params like "first", "last" etc.

THANKS FOR ATTENTION

Feel free to contact me

E-mail: sorokinpf@gmail.com
Telegram: @sorokinpf