Posted on 23-May-2020

Page 1: GRAPHQL APPLICATIONS SECURITY TESTING …• GraphQL clients (like Altair) – editor, run query • GraphQL Raider Burp plugin – insertion point, editor, run query • GraphQL voyager

GRAPHQL APPLICATIONS SECURITY TESTING AUTOMATIZATION

Pavel Sorokin

Page 2:

whoami

• Pavel Sorokin
• Senior Penetration Tester @ bi.zone

Page 3:

GraphQL Brief - WTF?

Page 4:

GraphQL Brief - WTF?

• Query language for APIs
• Lets the client get exactly what it needs in one query
• 3 operation types:
  • query for data retrieval
  • mutation for modifications
  • subscription for events

• RTFM: https://www.howtographql.com/

Page 5:

GraphQL Brief - WTF?

Request / Response (figure)

Page 6:

GraphQL Brief - WTF?

• The schema (type definitions, etc.) is defined in SDL format

…
type User {
  id: ID
  posts(id: ID): Post
  name: String
}

type Post {
  id: ID
  comments: [Comment]
  author: User
}

type Comment {
  id: ID
  text: String
  commentator: User
}
…

Page 7:

GraphQL Brief - WTF?

• Why Graph?

(diagram: types are the nodes, fields are the directed edges)
User --posts--> Post
Post --comments--> Comment
Post --author--> User
Comment --commentator--> User

Page 8:

GraphQL Brief - WTF?

• The schema can be obtained with an introspection query

query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      …

(the slide cuts the query off here; ...FullType is the fragment spread from the standard introspection query)

Page 9:

GraphQL Brief - WTF?

Raw request (figure)

Page 10:

GraphQL Brief - WTF?

2 ways to send parameters: inline in the query text, or in a separate JSON "variables" object that the query references as $name

Page 11:

GraphQL Tools

• GraphQL clients (like Altair) – editor, run query
• GraphQL Raider Burp plugin – insertion point, editor, run query
• GraphQL Voyager – schema visualization

Page 12:

GraphQL Automate

Page 13:

What do we want?

• Use Burp
• Find all possible queries
• Check for access control
• Scan all parameters
• Test for DoS loops
• Find alternative paths to critical data

Page 15:

Find all possible queries

• There is an extremely large number of possible queries

• What about all queries with depth=1?

• It's impossible to read the "elementary" queries straight off the schema: root fields such as admin and user are only namespaces, the real queries sit one or more levels below them

type Query {
  admin: AdminQueries
  user: UserQueries
}

type AdminQueries {
  getUsers: ...
  getSystemInfo: ...
}

type UserQueries {
  userInfo: UserInfo
  posts: Post
}

Page 16:

Find all possible queries

Hack - let's assume a query is "elementary" if:
• It has parameters
OR
• It has an "id" field

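The hack above, as an added example written for this page (not the talk's own code and not graphqler's): it walks the Query type, applies the "has parameters OR returns a type with an id field" rule, and emits one variables-style request per elementary query, which is also what step 2 of "Scan all parameters" needs. The schema is hand-written in the shape an introspection result gives; the type names are from the slides, while the "first" argument on getUsers and the fields of UserInfo and SystemInfo are assumptions.

```python
"""Added example, not from the talk and not graphqler's code: apply the
'elementary query' hack from the slides to a schema and emit one
variables-style request per elementary field.

SCHEMA is hand-written in the shape you would build from an introspection
result. Type names come from the slides; the argument on getUsers and the
fields of UserInfo and SystemInfo are assumptions."""
import json

SCALARS = {"ID", "String", "Int", "Float", "Boolean"}


def fld(typ, is_list=False, **args):
    """Field descriptor: named return type, whether it is a [list], arg -> type."""
    return {"type": typ, "list": is_list, "args": args}


SCHEMA = {
    "Query":        {"admin": fld("AdminQueries"), "user": fld("UserQueries")},
    "AdminQueries": {"getUsers": fld("User", True, first="Int"),   # 'first' assumed
                     "getSystemInfo": fld("SystemInfo")},
    "UserQueries":  {"userInfo": fld("UserInfo"), "posts": fld("Post", True, id="ID")},
    # object types from the 'GraphQL Brief' slide
    "User":         {"id": fld("ID"), "posts": fld("Post", False, id="ID"), "name": fld("String")},
    "Post":         {"id": fld("ID"), "comments": fld("Comment", True), "author": fld("User")},
    "Comment":      {"id": fld("ID"), "text": fld("String"), "commentator": fld("User")},
    "UserInfo":     {"id": fld("ID"), "email": fld("String")},           # fields assumed
    "SystemInfo":   {"version": fld("String"), "uptime": fld("Int")},    # fields assumed
}


def is_elementary(field):
    """The hack from the slide: a field is an 'elementary' query if it takes
    arguments OR the type it returns has an 'id' field."""
    return bool(field["args"]) or "id" in SCHEMA.get(field["type"], {})


def find_elementary(type_name="Query", path=(), seen=()):
    """Descend through namespace types (AdminQueries, UserQueries, ...) and
    collect (path, field) for every elementary field. A field that is neither
    elementary nor a namespace with elementary children (getSystemInfo here)
    is lost: that is the cost of the heuristic, so review the leftovers."""
    found = []
    for name, field in SCHEMA.get(type_name, {}).items():
        if is_elementary(field):
            found.append((path + (name,), field))
        elif field["type"] in SCHEMA and field["type"] not in seen:
            found += find_elementary(field["type"], path + (name,), seen + (type_name,))
    return found


def scalar_selection(type_name):
    """Depth-1 selection set: only the scalar fields of the returned type."""
    names = [n for n, fd in SCHEMA.get(type_name, {}).items() if fd["type"] in SCALARS]
    return " ".join(names) or "__typename"


def build_request(path, field):
    """Request body in the variables style (the form Burp Scanner can take
    insertion points from). Values stay None: fill them with known-good values
    from proxy history before sending, or the handler is never reached."""
    args = field["args"]
    var_defs = ", ".join(f"${a}: {t}" for a, t in args.items())
    call_args = ", ".join(f"{a}: ${a}" for a in args)
    selection = f"{path[-1]}({call_args})" if args else path[-1]
    body = f"{selection} {{ {scalar_selection(field['type'])} }}"
    for name in reversed(path[:-1]):          # wrap in the namespace fields
        body = f"{name} {{ {body} }}"
    op = "query " + "_".join(path) + (f"({var_defs})" if var_defs else "")
    return {"query": f"{op} {{ {body} }}", "variables": {a: None for a in args}}


if __name__ == "__main__":
    for p, fd in find_elementary():
        print(json.dumps(build_request(p, fd)))
```

Running it prints three requests (admin.getUsers, user.userInfo, user.posts) and silently drops getSystemInfo, which has neither arguments nor an id in its result: the heuristic is a hack, so diff its output against the schema before trusting the coverage.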

Page 17:

Find all possible queries

Page 19:

Access control

type Query {
  admin: AdminQueries
  user: UserQueries
}

type AdminQueries {
  getUsers: ...
  getSystemInfo: ...
}

type UserQueries {
  userInfo: UserInfo
  posts: Post
}

Role-based access control

We can use Burp plugins for access control checks:
• AuthMatrix
• Autorize
• AutoRepeater

Page 20:

Access Control

What about variables?

Variables may be checked for correct format before they are passed to the handlers, so a value in the wrong format is rejected before any access check runs and tells you nothing about that check

Try all known correct formats for each variable type, e.g. id: 123 or id: "5ed496cc-c971-11dc-93cd-15767af24309"

* The number of queries can grow exponentially with the number of variables
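The format expansion above as an added example (written for this page, not the talk's own code and not graphqler's): it takes one request whose variables are still unfilled, expands it over the known-good formats per type, and pairs every variant with every test role, the matrix that AuthMatrix or Autorize would then replay. The candidate lists, the second "first" argument on posts and the session cookies are constructed assumptions; the two ID formats are the ones on the slide.

```python
"""Added example, not from the talk and not graphqler's code: expand one
variables-style request into every combination of known-good value formats
and pair each variant with each test role.

CANDIDATES, the 'first' argument and ROLES are constructed assumptions."""
import itertools
from copy import deepcopy

# Known-good formats per variable type. A format check in front of the
# handler rejects the wrong ones before any access check runs, so a single
# guess can make a missing access check look fine.
CANDIDATES = {
    "ID": [123, "123", "5ed496cc-c971-11dc-93cd-15767af24309"],
    "Int": [1, 100],
    "String": ["test"],
}

# Constructed request; 'first' on posts is assumed (cf. the slide-33 TODO).
REQUEST = {
    "query": "query user_posts($id: ID, $first: Int) "
             "{ user { posts(id: $id, first: $first) { id } } }",
    "variables": {"id": None, "first": None},
}
VAR_TYPES = {"id": "ID", "first": "Int"}

# Constructed credentials for the roles to compare.
ROLES = {"admin": {"Cookie": "session=ADMIN"}, "user": {"Cookie": "session=USER"}}


def expand(request, var_types):
    """One request per combination of candidate values. A variable whose type
    has no candidates keeps whatever value the request already carried."""
    names = list(request["variables"])
    pools = [CANDIDATES.get(var_types[n], [request["variables"][n]]) for n in names]
    variants = []
    for combo in itertools.product(*pools):
        variant = deepcopy(request)                 # never mutate the template
        variant["variables"] = dict(zip(names, combo))
        variants.append(variant)
    return variants


def variant_count(var_types):
    """Size of expand()'s output without building it: the product of the pool
    sizes, i.e. exponential in the number of variables (the slide's footnote).
    Check this before handing a query with many arguments to Intruder."""
    total = 1
    for t in var_types.values():
        total *= max(1, len(CANDIDATES.get(t, [])))
    return total


def access_matrix(request, var_types, roles):
    """(role, headers, request) for every variant and every role. Compare the
    responses across roles for the SAME variant, never across variants: a
    format rejection looks like a denial if you compare the wrong pair."""
    return [(role, headers, variant)
            for variant in expand(request, var_types)
            for role, headers in roles.items()]


if __name__ == "__main__":
    for role, headers, variant in access_matrix(REQUEST, VAR_TYPES, ROLES):
        print(role, variant["variables"])
```

With two variables this is already 6 variants and 12 requests; three ID arguments alone give 27 variants, which is why the slide warns about the growth and why a per-type candidate list should stay short and be fed from values seen in proxy history.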

Page 22:

Scan all parameters

• Find all types with args in the schema

• Make a query for each (use the variables parameter style)

• Start Burp Scanner (Burp understands JSON bodies, so each variable becomes an insertion point)

* You need all parameters to be correct, otherwise the request is rejected before it reaches the handler

Page 24:

DoS loops

• Loops on the graph

(diagram: types are the nodes, fields are the directed edges)
User --posts--> Post
Post --comments--> Comment
Post --author--> User
Comment --commentator--> User

Page 25:

DoS loops

query {
  User(id: "123") {
    posts {
      comments {
        commentator {
          posts {
            comments {
              commentator { ... }
            }
          }
        }
      }
    }
  }
}
…

Page 26:

DoS loops

Page 27:

DoS loops

• A large number of loops exists

• Only loops with "[Type]" (LIST) on an edge are interesting: a list edge multiplies the work at every level of nesting, a chain of single objects only adds one resolver call per level

• Generally you don't need to test all loops

* You still need correct parameters

Page 28:

DoS loops

• Load schema as graph
• Find n loops with LIST on any edge
• Issue loop queries with given depth

• Overview on howtographql: https://www.howtographql.com/advanced/4-security/

Page 30:

Alternative paths

Edge-based access control

(diagram: types are the nodes, fields are the directed edges)
User --posts--> Post
Post --comments--> Comment
Post --author--> User
Comment --commentator--> User

Page 31:

Alternative paths

• Load schema as graph
• Find all paths to the type with the critical parameter
• Issue queries or show them to the analyst

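The two graph procedures above ("DoS loops" on pages 24 to 28 and "Alternative paths" on pages 30 to 31) as one added example written for this page (not the talk's own code and not graphqler's), run over the User/Post/Comment schema from the "GraphQL Brief" slide. Assumed, because the slides do not define them: the root fields Query.User(id) (as used in the loop query on page 25) and Query.post(id), and "email" as the critical field on User.

```python
"""Added example, not from the talk and not graphqler's code: load the
User/Post/Comment schema as a directed graph, find the loops that carry a
LIST on some edge (DoS loops) and list every path from the root to a type
with a critical field (alternative paths).

Assumptions: root fields Query.User(id) and Query.post(id), and 'email'
as the critical field on User."""

# (source type, field, target type, field returns a list)
EDGES = [
    ("Query", "User", "User", False),            # assumed root field
    ("Query", "post", "Post", False),            # assumed root field
    ("User", "posts", "Post", False),            # posts(id: ID): Post
    ("Post", "comments", "Comment", True),       # comments: [Comment]
    ("Post", "author", "User", False),
    ("Comment", "commentator", "User", False),
]


def adjacency(edges):
    adj = {}
    for src, field, dst, is_list in edges:
        adj.setdefault(src, []).append((field, dst, is_list))
    return adj


def find_cycles(edges):
    """Every simple cycle as a tuple of edges, reported once: the tuple is
    rotated so its smallest edge comes first, so the same loop found from
    different start types compares equal."""
    adj = adjacency(edges)
    cycles = set()

    def walk(start, node, path, visited):
        for field, dst, is_list in adj.get(node, []):
            edge = (node, field, dst, is_list)
            if dst == start:
                cyc = tuple(path + [edge])
                i = cyc.index(min(cyc))
                cycles.add(cyc[i:] + cyc[:i])
            elif dst not in visited:
                walk(start, dst, path + [edge], visited | {dst})

    for node in list(adj):
        walk(node, node, [], {node})
    return sorted(cycles)


def interesting(cycles):
    """Only loops with a [Type] on some edge fan out per level (page 27)."""
    return [c for c in cycles if any(e[3] for e in c)]


def loop_query(cycle, depth, root=("Query", "User", "User", False)):
    """Nest the loop's fields `depth` times under the root field, like the
    query on page 25. The loop is entered at the root field's target type."""
    starts = [i for i, e in enumerate(cycle) if e[0] == root[2]]
    if not starts:
        raise ValueError(f"loop does not pass through {root[2]}")
    fields = [e[1] for e in cycle[starts[0]:] + cycle[:starts[0]]]
    body = "id"
    for field in reversed(fields * depth):
        body = f"{field} {{ {body} }}"
    return f"query($id: ID) {{ {root[1]}(id: $id) {{ {body} }} }}"


def paths_to(edges, target, root="Query"):
    """All simple paths from the root operation type to `target`. Each is a
    separate way to read the target's fields, and with edge-based access
    control each edge may carry, or lack, its own check."""
    adj = adjacency(edges)
    paths = []

    def walk(node, path, visited):
        for field, dst, is_list in adj.get(node, []):
            edge = (node, field, dst, is_list)
            if dst == target:
                paths.append(path + [edge])
            elif dst not in visited:
                walk(dst, path + [edge], visited | {dst})

    walk(root, [], {root})
    return paths


def path_query(path, critical="email"):
    """Render one path as a query selecting the critical field. Every root
    field taking an id is an assumption about this schema."""
    body = critical
    for _, field, _, _ in reversed(path[1:]):
        body = f"{field} {{ {body} }}"
    return f"query($id: ID) {{ {path[0][1]}(id: $id) {{ {body} }} }}"


if __name__ == "__main__":
    for cyc in interesting(find_cycles(EDGES)):
        print(loop_query(cyc, 3))
    for p in paths_to(EDGES, "User"):
        print(path_query(p))
```

On this schema there are two loops, but only User -> posts -> Post -> comments -> Comment -> commentator -> User has a list edge, so it is the one worth issuing at increasing depth while watching response time. Three paths reach User: the direct root field plus post.author and post.comments.commentator; if the access check lives only on the Query.User edge, the other two read email anyway, which is exactly what the analyst should be shown.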

Page 32:

GRAPHQL

https://github.com/sorokinpf/graphqler

Page 33:

TODO

• Fill param values with known good values from history
• Deal with typical GraphQL params like "first", "last" etc.

Page 34:

THANKS FOR ATTENTION

Feel free to contact me

E-mail: [email protected]
@sorokinpf
