GRAPHQL APPLICATIONS SECURITY TESTING AUTOMATIZATION
Pavel Sorokin
whoami
• Pavel Sorokin
• Senior Penetration Tester @ bi.zone
GraphQL Brief - WTF?
• Query language for APIs
• Gives you the ability to get exactly what you need with one query
• 3 query concepts:
  • query for data retrieval
  • mutation for modifications
  • subscription for events
• RTFM: https://www.howtographql.com/
Request / Response (example slide)
• Schema (type definitions, etc.) is defined in SDL format:

  …
  type User {
    id: ID
    posts(id: ID): Post
    name: String
  }
  type Post {
    id: ID
    comments: [Comment]
    author: User
  }
  type Comment {
    id: ID
    text: String
    commentator: User
  }
  …
• Why Graph? Types are nodes and fields are edges:
  User -posts-> Post -comments-> Comment
  Post -author-> User
  Comment -commentator-> User
• The schema can be obtained with an introspection query:

  query IntrospectionQuery {
    __schema {
      queryType { name }
      mutationType { name }
      subscriptionType { name }
      types {
        ...FullType
      }
      directives {
        name
        description
        locations
  …
Raw request
2 ways to send parameters
GraphQL Tools
• GraphQL clients (like Altair) – editor, run query
• GraphQL Raider Burp plugin – insertion point, editor, run query
• GraphQL Voyager – schema visualization
GraphQL Automate
What do we want?
• Use Burp
• Find all possible queries
• Check for access control
• Scan all parameters
• Test for DoS loops
• Find alternative paths to critical data
Find all possible queries
• There is an extremely large number of possible queries
• What about all queries with depth=1?
• It's impossible to get the "elementary" queries directly from the schema, because query fields may only be namespaces for further query types:

  Query {
    admin: AdminQueries
    user: UserQueries
  }
  AdminQueries {
    getUsers: ...
    getSystemInfo: ...
  }
  UserQueries {
    userInfo: UserInfo
    posts: Post
  }

• Hack – let's assume that a query is "elementary" if:
  • it has parameters
  OR
  • it has an "id" field
Access control
Role-based access control (same Query / AdminQueries / UserQueries schema as above)
We can use Burp plugins for access control checks:
• AuthMatrix
• Autorize
• AutoRepeater
What about variables?
Variables could be checked for correct format before being passed to the handlers, so a request with a malformed variable fails validation before the access control check is reached.
Try all known correct formats for the variable types:
  id: 123 or id: "5ed496cc-c971-11dc-93cd-15767af24309"
* The number of queries could grow exponentially
Scan all parameters
• Find all types with args in the schema
• Make a query for each (use the variables parameter style)
• Start Burp Scanner (Burp understands JSON queries)
* You need all parameters to be correct
DoS loops
• Loops on the graph:
  User -posts-> Post -comments-> Comment
  Post -author-> User
  Comment -commentator-> User
• A loop query follows the cycle as deep as you like:

  query {
    User(id: "123") {
      posts {
        comments {
          commentator {
            posts {
              comments {
                commentator { ... }
              }
            }
          }
        }
      }
    }
  }

• A large number of loops exists
• Only loops with "[Type]" (LIST) on edges are interesting, because each list step multiplies the result size
• Generally you don't need to test all loops
* You still need correct parameters
• Load schema as a graph
• Find n loops with LIST on any edge
• Issue loop queries with the given depth
• Overview on howtographql: https://www.howtographql.com/advanced/4-security/
Alternative paths
Edge-based access control: a check placed on one edge (e.g. Query -> User) can be bypassed if another path in the graph reaches the same type.
  User -posts-> Post -comments-> Comment
  Post -author-> User
  Comment -commentator-> User
• Load schema as a graph
• Find all paths to the type with the critical parameter
• Issue queries or show them to the analyst
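The two graph procedures above (DoS loops: cycles with a LIST edge; alternative paths: every path to a type with a critical field), as an added Python example that is not the talk's code nor graphqler's. It assumes a constructed, simplified schema dict in place of real introspection output, with `email` as the sensitive field.

```python
# Added example (not the talk's or graphqler's code): build the type graph, find
# (a) cycles crossing a LIST edge, the loops a depth/complexity limit must cover,
# and (b) every path from Query to a sensitive field, which authz must cover too.
from collections import defaultdict
# Constructed schema, a simplified __schema.types: type -> field -> (type, is_list)
SCHEMA = {
    "Query": {"user": ("User", False), "admin": ("AdminQueries", False)},
    "AdminQueries": {"getUsers": ("User", True)},
    "User": {"id": ("ID", False), "email": ("String", False), "posts": ("Post", True)},
    "Post": {"id": ("ID", False), "comments": ("Comment", True), "author": ("User", False)},
    "Comment": {"id": ("ID", False), "text": ("String", False), "commentator": ("User", False)},
}
SCALARS = {"ID", "String", "Int", "Float", "Boolean"}

def build_graph(schema):
    """Directed edges type -> (field, target type, is_list); scalar leaves dropped."""
    graph = defaultdict(list)
    for tname, fields in schema.items():
        for fname, (target, is_list) in fields.items():
            if target not in SCALARS:
                graph[tname].append((fname, target, is_list))
    return graph

def find_list_loops(graph, start):
    """Simple cycles back to `start` with at least one LIST edge; loops made
    only of single-object edges grow linearly with depth and are skipped."""
    loops = []
    def dfs(node, visited, path, has_list):
        for field, target, is_list in graph[node]:
            if target == start:
                if has_list or is_list:
                    loops.append(path + [field])
            elif target not in visited:
                dfs(target, visited | {target}, path + [field], has_list or is_list)
    dfs(start, {start}, [], False)
    return loops

def paths_to_field(graph, schema, field, start="Query"):
    """Every simple field path from `start` to the first type that has `field`."""
    owners = {t for t, fields in schema.items() if field in fields}
    paths = []
    def dfs(node, visited, path):
        for fname, target, _ in graph[node]:
            if target in owners:
                paths.append(path + [fname, field])
            elif target not in visited:
                dfs(target, visited | {target}, path + [fname])
    dfs(start, {start}, [])
    return paths
```

`find_list_loops(build_graph(SCHEMA), "User")` returns the two loops through User, and `paths_to_field(g, SCHEMA, "email")` returns both the direct `user` path and the `admin.getUsers` path, the second route an edge-based check must not miss.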
GRAPHQL
https://github.com/sorokinpf/graphqler
TODO
• Fill param values with known good values from history
• Deal with typical GraphQL params like "first", "last", etc.