GraphQL Security for Beginners

The Cyber Mentor · Beginner ·🔐 Cybersecurity ·1y ago

Key Takeaways

This video covers GraphQL security for beginners, including a primer on how GraphQL differs from traditional REST APIs, key features attackers can exploit, and security risks of GraphQL introspection. Tools and techniques demonstrated include GraphQL queries and introspection.

Full Transcript

graphql has been around for a while now and represents a paradigm shift in API development it serves as both a query language and a runtime environment for executing queries so today we'll go through a brief primer on what graphql is and then look at some of the features we can abuse to glean information and steal sensitive data if you enjoy the video then don't forget to like And subscribe and let's dive in all right so most of you watching probably have a good grasp of rest but maybe you haven't had the chance to experiment with graphql yet so before we dive into the lab let's do a quick comparison in a rest architecture you typically have multiple endpoints each designed to return a specific data set or to carry out some kind of operation for example you might have/ API users uh for user data and then API posts and this returns all of the posts that are in the database and if you need data from both you'd basically have to make two requests now graphql uses a single endpoint where clients can request complex data in a single query and this is achieved through its type system and query language so if we consider a social media application so with rest fetching a user profile and all of the posts and maybe the number of followers or a list of followers might require a number of API calls um probably three or more now with graphql you can get all of this data in one request and also avoid over fetching so it's not going to give you loads of Access Data as well so what we do is we specify exactly the fields that we need from each object and while this flexibility is powerful it does have some security considerations for example we need to carefully consider the query complexity to avoid denial of service and we also need to implement proper field level authorization to avoid things like unauthorized access to information or information disclosure vulnerabilities and this process of validating queries and making sure that clients have access to the right data can be more complicated when we introduce nested queries as well rather than just a single endpoint that returns a set of data when we can decide hey the client has access or the client doesn't have access set a new standard in your professional Journey with TCM security certifications and dive deep into advanced cyber security tactics with our comprehensive courses our challenging exams are designed to test your skills to the fullest preparing you for real world cyber security roles explore certifications dotcms sec.com and redefine your professional potential so so let's take a quick look at this lab and all we have is a couple of users and a couple of posts and you can see here we have the type definitions and these types are basically like objects so we have a a user type and it has all of the information and then we have a post type and it has information and we have a query type as well and then we have resolvers so here are kind of top level resolvers so if we query users it's going to return all users if we query a user it's going to run this function and grab the user ID and return that information as well and then when we come on to nested queries or if we're trying to grab posts and followers and things like this then this is going to resolve that as well all right so let's run lab with node app.js and then all we're going to do is come to Here Local Host 4,000 and here we have the Apollo sandbox so we're just going to come into query our server so that we can interact with our application without needing a front end and here this example query is probably going to give us an error so if we just run this you can see that obviously example query doesn't EX exist all right so here what we want is we want to query the user and we're going to pass in an ID so we go user ID and we're going to pass in one and then here we're just going to pass in the name so hopefully it Returns the name of the first user and this query kind of fetches only basic information but is a good starting point and it's basically equivalent to the rest API end points so something like SL API SL users SL1 and in the same query if we wanted to grab the posts of that user we could do something like we can grab that name and then we can say hey posts like this and in here we can get the title of our posts and here you can see that Jeremy has two posts one called my first post and the second one called introspection is the direction and of course we can include other fields in here too so for example if we wanted the content of a post depending on where we are in the application we might only want to grab the title so that we can list the posts because the content might be really long and this would result in a large response in this case our content is quite short but of course we can optionally include the content as and when we need and this really demonstrates graphql ability to let the client Define exactly what is needed in the resp response and avoids over fetching and under fetching so over fetching being fetching too much data and under fetching being not ref fetching enough data and resulting in multiple queries and in this case we don't need to send multiple requests we just have one query and it gives us exactly what we need and of course we could do other things so for example we could nest in here followers and let's say we want the name of all the followers of Jeremy so this was like a profile for Jeremy we have his name we can highlight the posts that Jeremy has on cards and we could list the followers below as well so there's of course a lot more to graphql than this and we haven't touched on things like mutations where we can update data and subscriptions but for part one I think this is enough to get us going and if you want more detail then let me know in the comments below and I'll make a graphql part to and of course I have a graphql module in my Advanced web hacking course so you can check that out as well just remember that with graphql the client Define defines exactly what data they want at each level everything comes from a single request so send one query instead of multiple requests like we do in rest and the API has a lot of flexibility so it doesn't need to change to support new client requirements with this structure different clients can query different information as needed so let's move on to introspection next so now let's talk about graphql introspection which is a powerful feature that lets clients query the graphql API to better understand its schema and introspection queries retrieve details about types and Fields and operations and documentation and this capability is one of the reasons why graphql is so flexible and kind of like developer friendly I suppose and it's worth noting that often introspection is enabled by by default and often considered a feature rather than a security risk and obviously if you have feelings about whether introspection should be enabled or disabled on production systems I think it should be disabled then let me know down in the comments below but the main argument for it is that disabling introspection is is kind of security through obscurity because it's only giving you information about the schema but in a perfect world systems would be secure and then it wouldn't matter but obviously no system is perfect and no implementation is perfect either so disabling it is going to make our job as attackers a little bit harder because we're going to have to dig or we're not going to have access to information that would help us exploit the Target anyway let's take a look at how we can use introspection in burp Suite so here what I have is a post and you can see that we're posting to just slash but of course often you'll see SLG graphql or slv1 graphql or something like this but usually it's quite easy to identify the graphql endpoint and if you have the in graphql plug-in installed you can see the query here in a slightly nicer format but BB Suite does have an automatic detection for this as well but I find that more often than not this is a little bit malformed on the spacing is off and things like that so generally I just look at the nql one but either way we come over to repeater and we can use either of these and just send and then you can see that we get the same data back that we did before so we have the Jeremy and his posts and the followers as well so to do introspection all we need to do is right click come to graphql and set introspection query and there are a number of different queries that we can use for introspection some of them grabbing more information than others and maybe on some targets there's some filtering so introspection might be enabled but somewhat filtered and we might not be able to use the schema keyword for example and we'll have to do something else but that's a topic for another video and once we hit send we get all of the information back about our Target and this is kind of complicated in terms of like we don't want to have to sit and pick this apart so there's a couple of things that we can do here first we can right click and go to graphql and save graphql queries to the sitemap and then we can just come over to the targets come to Local Host here and here we can see all of the queries so we can use these as a base for our attack second what I like to do is come to here and grab the query copy it come over to CH Chrome and then graphql Voyager and if we come to graphql kit.com graphql Voyager hit change schema come to introspection paste the results in we can see our schema in in a visual way and if I move my face out of the way we can see our top level queries so when we query user we can see our user type which is basically a user object the information in here and then also we can see posts and how they're linked together as well and when we're looking at denial of service and things we want to look for we want to look for recursion so if we query users we can then grab the posts and then from here we can grab the user again and we can maybe cause denal a service with nested queries but what we're actually looking at today is for information disclosure so here I can see a couple of sensitive fields that we might not want anybody to be able to access and of course the email field could leak users emails and the password field could leak users passwords so let's see whether we can go ahead and do this and find a information disclosure vulnerability and what I'm going to do is I'm going to go back to my original query here and in the user all I'm going to do is let's say let's change this to user 2 for example here we have Jessie and we're not actually logged in as anybody at the moment because it's a very simple application there's no real authentication but here I'm just going to add email and password so when we're querying this user we get this information back and this is is a common issue with graphql in that we get information disclosure issues and of course if I come back and switch this user to user ID 1 here we can get Jeremy's password and email as well I would say more often than not you're going to find things like email addresses um personally identifiable information pii but occasionally you'll find things like passwords as well depending on the application obviously you're going to Target different things you might find API Keys you might find hidden posts you might get access to messages that you shouldn't have access to and so yeah this is one of the common weaknesses with graphql and something that you definitely have to test for this example was fairly straightforward because introspection was enabled we can easily see the schema we can see all of the relationships between the types or objects but there are other ways to glean information for example when introspection is disabled we might use field stuffing or other techniques to get information and continue attacking our Target but again those are topics for another video and that's it for this video I hope you enjoyed the topic and learned something new and if you want to go deeper into graphql then I recommend picking up the book black hats graphql it's an excellent book or if you prefer video then you can check out the advanced web hacking course over on TCM Academy catch you next time

Original Description

Want to try a GraphQL security challenge for yourself? Alex's Advanced Web Hacking course has a module dedicated to GraphQL. Try it for yourself here: https://www.tcm.rocks/awh-yt Sponsor a Video: https://www.tcm.rocks/Sponsors Pentests & Security Consulting: https://tcm-sec.com Get Trained: https://academy.tcm-sec.com Get Certified: https://certifications.tcm-sec.com Merch: https://merch.tcm-sec.com GraphQL has revolutionized the way APIs are built, offering unparalleled flexibility with single-endpoint queries. But with this power comes potential risk! In this video, Alex dives deep into the world of GraphQL security, covering: - A primer on how GraphQL differs from traditional REST APIs - Key features attackers can exploit to extract sensitive data - Crafting complex queries that can lead to over-fetching information - The security risks of GraphQL introspection and why it's crucial to secure it Whether you're a developer looking to build secure GraphQL APIs or a pentester exploring potential vulnerabilities, this video will equip you with the knowledge you need to safeguard your GraphQL implementations. Have you checked out the GraphQL module in our Advanced Web Hacking course yet? Let us know in the comments below! Don't forget to like, subscribe, and hit the bell icon for more deep dives into web security and hacking techniques! #apisecurity #graphql #cybersecurity #hacking #infosec 📱Social Media📱 ___________________________________________ X: https://x.com/TCMSecurity Twitch: https://www.twitch.tv/thecybermentor Instagram: https://www.instagram.com/tcmsecurity/ LinkedIn: https://www.linkedin.com/company/tcm-security-inc/ TikTok: https://www.tiktok.com/@tcmsecurity Discord: https://discord.gg/tcm Facebook: https://www.facebook.com/tcmsecure Timestamps: 00:00 Introduction to GraphQL 00:28 What is GraphQL? 02:25 Sponsor message 02:51 GraphQL code 07:00 Introspection and Information Disclosure 13:02 Outro 💸Donate💸 __________________________________
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The Cyber Mentor · The Cyber Mentor · 0 of 60

← Previous Next →
1 Buffer Overflows Made Easy - Part 1: Introduction
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
2 Buffer Overflows Made Easy - Part 2: Spiking
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
3 Buffer Overflows Made Easy - Part 3: Fuzzing
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
4 Buffer Overflows Made Easy - Part 4: Finding the Offset
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
5 Buffer Overflows Made Easy - Part 5: Overwriting the EIP
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
6 Buffer Overflows Made Easy - Part 6: Finding Bad Characters
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
7 Buffer Overflows Made Easy - Part 7: Finding the Right Module
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
8 Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
9 HackTheBox - Sunday Walkthrough (Re-Up)
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
10 Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
11 Networking for Ethical Hackers - Network Subnetting (Re-Up)
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
12 Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
13 Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
14 HackTheBox - Fighter Walkthrough (Re-Up)
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
15 Beginner Linux for Ethical Hackers - Navigating the File System
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
16 Beginner Linux for Ethical Hackers - Users and Privileges
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
17 Beginner Linux for Ethical Hackers - Common Network Commands
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
18 Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
19 Beginner Linux for Ethical Hackers - Controlling Kali Services
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
20 Beginner Linux for Ethical Hackers - Scripting with Bash
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
21 Beginner Linux for Ethical Hackers - Installing and Updating Tools
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
22 Cracking Linux Password Hashes with Hashcat
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
23 Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
24 Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
25 Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
26 Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
27 New Zero to Hero Pentest Course, New Website, and 2K Subs?!
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
28 Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
34 Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
53 Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video teaches the basics of GraphQL security, including how to identify and exploit vulnerabilities, and how to secure GraphQL APIs. It's perfect for developers and pentesters looking to improve their GraphQL security skills.

Key Takeaways
  1. Understand how GraphQL differs from traditional REST APIs
  2. Learn about key features attackers can exploit
  3. Craft complex queries to extract sensitive data
  4. Understand the security risks of GraphQL introspection
  5. Secure GraphQL APIs
💡 GraphQL introspection can be a significant security risk if not properly secured

Related Reads

📰
Vulnhub: Shenron-1 Walkthrough
Exploit a vulnerable Linux machine using credential exposure and kernel exploit to gain root access
Medium · Cybersecurity
📰
The Day I Realized Technology Is About People, Not Just Code
Technology is about people, not just code, and understanding this is crucial for success in the field
Medium · Cybersecurity
📰
🚀 I Built CODELIVLY — A Platform to Learn Cybersecurity Through Hands-On Practice
Learn how to build a hands-on cybersecurity learning platform like CODELIVLY and improve your skills in cybersecurity and platform development
Dev.to · Rocky
📰
The Silent Killer in Your Node.js APIs: Mass Assignment & How to Catch It Before Production
Protect your Node.js APIs from mass assignment vulnerabilities by going beyond ESLint and SonarQube checks
Medium · AI

Chapters (6)

Introduction to GraphQL
0:28 What is GraphQL?
2:25 Sponsor message
2:51 GraphQL code
7:00 Introspection and Information Disclosure
13:02 Outro
Up next
How to Build a Successful Career in Cyber Security, Avoid Common Mistakes in Tech Education
Sreevidhya Santhosh
Watch →