Seattle | September 16-17, 2019
Attacking and defending GraphQL
applications: a hands-on approach
DAVIDE CIOCCIA
STEFAN PETRUSHEVSKI
$id
Davide Cioccia
@davide107
david3107
Stefan Petrushevski
@ztefan
theztefan
Agenda
• GraphQL basics: Query, Mutation, Subscription
• Security Implications in GraphQL
• Lab1: Introspection
• Lab2: DoS
• Lab3: Mutations
• Lab4: IDOR and Authorization bypass
• Lab5: Injections
GraphQL
https://graphql.org/
A query language for your API
GraphQL is a query language for APIs and a runtime for fulfilling those
queries with your existing data. GraphQL provides a complete and
understandable description of the data in your API, gives clients the power
to ask for exactly what they need and nothing more,
makes it easier to evolve APIs over time, and enables powerful
developer tools.
GraphQL
Optimizing the data fetching problem by
switching from imperative to declarative
data fetching
GraphQL vs REST API
Common use-case
GraphQL basics
Create a schema
Define an operation
• Query
• Mutation
• Subscription
GraphQL query
GraphQL mutation
GraphQL subscription
LAB: GraphQL basics
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab3-mutation
docker build . -t graphql/mutation && docker run -ti -p 5000:5000 graphql/mutation
Security Implications in GraphQL
What can go wrong
• Introspection
• DoS
• Injections
• Broken Authorization
• Insecure Direct Object Reference (IDOR)
Introspection
What’s introspection
• Allows us to ask a GraphQL schema for information about:
• Queries
• Mutations
• Subscriptions
• Types
• Directives
What can we ask for
• All types in the schema: __schema { types { name kind } }
• One type and its fields: __type(name: "<TYPE>") { fields { name type { name } } }
• The concrete type of any returned object: __typename
• All available queries and mutations: __schema { queryType { name } mutationType { name } }, then __type on those root types
• Deprecations: fields(includeDeprecated: true) { isDeprecated deprecationReason }
• List of enumerator values: __type(name: "<ENUM TYPE>") { enumValues { name } }
• All types associated with an Interface or Union: __type(name: "<INTERFACE OR UNION TYPE>") { possibleTypes { name } }
Ask for available types and queries
How can we abuse it?
• Information disclosure
• Sensitive information related to the objects: field and argument names that reveal internal data or privilege flags
• Retrieve "hidden" queries and mutations to bypass controls: not linked from the UI does not mean not reachable
• Use it as a stepping stone for further attacks (IDOR, injection)
How do we prevent it?
• Disable introspection in production. D'oh! (keep it on in development so tooling such as GraphiQL keeps working)
• Npm module
• https://www.npmjs.com/package/graphql-disable-introspection
• One Python hack: a graphql-core 2.x validation rule. Validation runs before execution, so a rejected query never reaches a resolver.
from graphql.error import GraphQLError
from graphql.validation.rules.base import ValidationRule

class NoIntrospection(ValidationRule):
    # graphql-core 2.x (graphene 2) visitor hook; graphql-core 3 names it enter_field(self, node, *_args)
    def enter_Field(self, node, key, parent, path, ancestors):
        field_name = node.name.value
        if field_name == "__schema" or field_name == "__type":
            self.context.report_error(
                GraphQLError(u"GraphQL introspection is not allowed", [node])
            )

# Register it alongside the standard rules, e.g.
#   from graphql.validation import validate
#   from graphql.validation.rules import specified_rules
#   validate(schema, document_ast, rules=specified_rules + [NoIntrospection])
# How the rules list reaches the server depends on the framework (graphene, flask-graphql, ...).
• Caveat: this hides the schema map, it does not remove a single field. Unknown-field errors in graphql-js and graphql-core still answer with "Did you mean ...?" suggestions, and field names can be guessed or read out of client bundles. Treat disabled introspection as defence in depth and keep authorization on every resolver.
LAB: Introspection
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab1-info-introspection
docker build . -t graphql/intro && docker run -ti -p 5000:5000 graphql/intro
Challenges: DefDev social network
Architecture
DoS: Nested queries
Nested queries
• Let’s consider the following schema
Nested queries: complexity calculation
9999 messages x 1 thread
+
9999 messages x 1 thread
+
9999 messages x 1 thread
Result
How do we prevent it?
• Limit Maximum Query Depth
• Calculate Query Complexity
• Throttling Based on Server Time
• Audit your queries before production
Limit Maximum Query Depth
• Pros
• The AST (Abstract Syntax Tree) is analysed statically, so an over-deep query is rejected before anything executes
• Cons
• It's very difficult to cover all the possible query combinations: depth says nothing about width, and a shallow query that fetches thousands of list items per level still passes
Calculate Query Complexity
Allow only low-complexity queries: with the complexity limit set to 4, the query shown on the slide is rejected before execution.
• Pros
• Covers more scenarios (depth and width)
• The query is not executed
• Cons
• Hard to maintain: every field needs a cost, and the costs drift as the schema evolves
• Difficult to calculate: list sizes depend on arguments, and arguments may arrive in variables
• Mutations can be tricky :/
Audit your queries before production
• https://www.npmjs.com/package/graphql-validation-complexity
• https://github.com/4Catalyzer/graphql-validation-complexity
• https://github.com/slicknode/graphql-query-complexity
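The two static checks described above (maximum depth and a query cost computed from the parsed query, neither of which executes anything) as an added example. This is not code from the slides or the lab repository: it carries its own parser for the query subset used here (fields, aliases, arguments, nested selection sets, $variables; no fragments or directives), the cost model is an assumption chosen to mirror the slide's "9999 messages x 1 thread" arithmetic (a field whose first/last/limit argument is N fans out N times, any other field once, and a field costs the product of the fan-outs on its path from the root), and the thread/messages queries are constructed for the example.

```python
"""Static depth and cost checks for a GraphQL query, run before it executes.

Added example, not code from the slides or the lab repository. The parser covers
fields, aliases, arguments, nested selection sets and $variables only. The cost
model is an assumption: a field whose first/last/limit argument is N fans out N
times, any other field fans out once, and a field costs the product of the
fan-outs on its path from the root (the slide's "9999 messages x 1 thread").
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TOKEN = re.compile(r'[_A-Za-z][_0-9A-Za-z]*|-?\d+|"(?:[^"\\]|\\.)*"|\$[_A-Za-z]\w*|[{}():,!]|\.\.\.')
LIST_ARGS = ("first", "last", "limit")  # assumption: these arguments bound a list's size


@dataclass
class Node:
    name: str
    args: Dict[str, str] = field(default_factory=dict)
    children: List["Node"] = field(default_factory=list)


def parse(query: str, variables: Optional[Dict[str, object]] = None) -> List[Node]:
    """Tokenise, substitute $variables from the request, skip the operation header, parse the root selection."""
    variables = variables or {}
    tokens = [str(variables.get(t[1:], t)) if t.startswith("$") else t for t in TOKEN.findall(query)]
    roots, _ = _selection_set(tokens, tokens.index("{"))
    return roots


def _selection_set(tokens: List[str], pos: int) -> Tuple[List[Node], int]:
    pos += 1  # consume "{"
    nodes: List[Node] = []
    while tokens[pos] != "}":
        if tokens[pos] == "...":
            raise ValueError("fragments are not handled by this example parser")
        name, pos = tokens[pos], pos + 1
        if tokens[pos] == ":":  # alias: realField -> the real field is what gets costed
            name, pos = tokens[pos + 1], pos + 2
        node = Node(name)
        if tokens[pos] == "(":
            pos += 1
            while tokens[pos] != ")":
                node.args[tokens[pos]] = tokens[pos + 2]  # name ":" value
                pos += 3
                if tokens[pos] == ",":
                    pos += 1
            pos += 1
        if tokens[pos] == "{":
            node.children, pos = _selection_set(tokens, pos)
        nodes.append(node)
        if tokens[pos] == ",":  # commas between fields are optional in GraphQL
            pos += 1
    return nodes, pos + 1  # consume "}"


def max_depth(nodes: List[Node], depth: int = 1) -> int:
    """Depth of the deepest field; a leaf at the root counts as depth 1."""
    if not nodes:
        return depth - 1
    return max(max_depth(n.children, depth + 1) if n.children else depth for n in nodes)


def fanout(node: Node) -> int:
    """How many objects this field is expected to return, from its list-size argument."""
    for key in LIST_ARGS:
        value = node.args.get(key)
        if value is None:
            continue
        if value.startswith("$"):
            raise ValueError(f"unresolved variable {value}: pass the request's variables to parse()")
        return max(int(value), 1)
    return 1


def cost(nodes: List[Node], inherited: int = 1) -> int:
    """Sum over all fields of (own fan-out x fan-out of every ancestor)."""
    total = 0
    for n in nodes:
        own = inherited * fanout(n)
        total += own + cost(n.children, own)
    return total


def check(query: str, max_depth_allowed: int = 4, max_cost_allowed: int = 10_000,
          variables: Optional[Dict[str, object]] = None) -> Tuple[int, int, List[str]]:
    """Return (depth, cost, errors); an empty error list means the query may be executed."""
    roots = parse(query, variables)
    depth, total = max_depth(roots), cost(roots)
    errors = []
    if depth > max_depth_allowed:
        errors.append(f"query depth {depth} exceeds limit {max_depth_allowed}")
    if total > max_cost_allowed:
        errors.append(f"query cost {total} exceeds limit {max_cost_allowed}")
    return depth, total, errors


# Constructed queries against an assumed thread/messages schema like the one on the slides.
SMALL_QUERY = "{ me { id username } }"
ABUSIVE_QUERY = """
query {
  thread(id: 1) {
    messages(first: 9999) {
      id
      thread { messages(first: 9999) { id } }
    }
  }
}
"""
```

`check(SMALL_QUERY)` yields depth 2 and cost 3 with no errors; `check(ABUSIVE_QUERY)` yields depth 5 and cost 199,990,000 and fails both limits, which is the point of running the cost check as well: the same query trimmed to depth 4 would still cost almost 100 million. Variables are substituted before analysis and an unresolved `$variable` on a list-size argument is an error rather than a silent 1, since that is exactly where an attacker would hide the large number.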
LAB: DoS
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab2-dos-resource-exhaustion
docker build . -t graphql/dos && docker run -ti -p 5000:5000 graphql/dos
Goal
• Take down that social network
Broken Authorization & Insecure
Direct Object Reference (IDOR)
Quick recap on IDOR
So IDOR is not a GraphQL problem as such: it is an authorization failure in the resolvers, not in the query language
….but wrong implementation of GraphQL filtering functions (a resolver that trusts the client-supplied id without checking that the caller owns the object) can lead to IDOR vulnerabilities.
What can go wrong?
• Mutations containing predictable IDs
• Perform action on behalf of other users
• Query to retrieve data about single elements
• Retrieve other users' data
How do we discover IDOR? Step 1
• Use introspection to find all the available queries
How do we discover IDOR? Step 2
• For each query detect the associated Type
• For each object print out the available Fields
How do we discover IDOR? Step 3
• For each object detect the predictable elements (Int, ID, Enum, etc.) that can act as an object reference
How do we discover IDOR? Step 4
• Try different values and see what happens :)
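Steps 1 to 4 in code, which also serves the "What can we ask for" introspection slides above: run the introspection query, list every query and mutation with its argument types, flag the arguments that are guessable object references, and build the request that asks for somebody else's object. This is an added example, not code from the slides or the lab repository: the introspection document is the standard one any server answers when introspection is enabled, but the response it parses is constructed here in the shape graphql-core returns it, and the operation names (me, user, thread, deleteMessage, login) are assumptions, not the lab's schema.

```python
"""From introspection output to an IDOR hunting list (discovery steps 1-4 from the slides).

Added example, not code from the slides or the lab repository. INTROSPECTION_RESPONSE
is constructed for the example in the shape graphql-core returns; its operation and
type names are assumptions, not the lab's real schema.
"""
from typing import Dict, List, Tuple

# Step 1: the document a tester POSTs to the endpoint to map queries, mutations and types.
INTROSPECTION_QUERY = """
{ __schema {
    queryType { name } mutationType { name }
    types { name kind
      fields { name
        args { name type { kind name ofType { kind name ofType { kind name } } } }
        type { kind name ofType { kind name ofType { kind name } } } } } } }
"""

PREDICTABLE_SCALARS = {"Int", "ID"}  # sequential ids; enum values (kind == "ENUM") are guessable too


def _ref(name: str, kind: str = "SCALAR", non_null: bool = False) -> Dict:
    inner = {"kind": kind, "name": name, "ofType": None}
    return {"kind": "NON_NULL", "name": None, "ofType": inner} if non_null else inner


def _field(name: str, returns: Dict, **args: Dict) -> Dict:
    return {"name": name, "args": [{"name": a, "type": t} for a, t in args.items()], "type": returns}


# Constructed introspection response for a toy social network (not the lab's real schema).
INTROSPECTION_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            _field("me", _ref("User", "OBJECT")),
            _field("user", _ref("User", "OBJECT"), id=_ref("Int", non_null=True)),
            _field("thread", _ref("Thread", "OBJECT"), id=_ref("ID", non_null=True)),
        ]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            _field("deleteMessage", _ref("Boolean"), id=_ref("Int", non_null=True)),
            _field("login", _ref("Token", "OBJECT"),
                   username=_ref("String", non_null=True), password=_ref("String", non_null=True)),
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            _field("id", _ref("Int")), _field("username", _ref("String")), _field("email", _ref("String"))]},
        {"name": "Thread", "kind": "OBJECT", "fields": [_field("id", _ref("ID")), _field("title", _ref("String"))]},
        {"name": "Token", "kind": "OBJECT", "fields": [_field("value", _ref("String"))]},
    ]}}}


def unwrap(tref: Dict) -> Dict:
    """Strip NON_NULL / LIST wrappers to reach the named type."""
    while tref.get("ofType"):
        tref = tref["ofType"]
    return tref


def operations(response: Dict) -> List[Dict]:
    """Step 2: every root query/mutation with its argument types and the fields of its return type."""
    schema = response["data"]["__schema"]
    by_name = {t["name"]: t for t in schema["types"]}
    ops = []
    for root_key in ("queryType", "mutationType"):
        root = schema.get(root_key)
        if not root:
            continue
        for f in by_name[root["name"]]["fields"] or []:
            returns = unwrap(f["type"])["name"]
            ops.append({
                "operation": root_key[:-4],  # "query" / "mutation"
                "name": f["name"],
                "args": {a["name"]: unwrap(a["type"]) for a in f["args"]},
                "returns": returns,
                "fields": [x["name"] for x in (by_name.get(returns, {}).get("fields") or [])],
            })
    return ops


def idor_candidates(response: Dict) -> List[Tuple[str, str, str, str]]:
    """Step 3: (operation, name, argument, type) for every argument that is a guessable object reference."""
    found = []
    for op in operations(response):
        for arg, t in op["args"].items():
            if t["name"] in PREDICTABLE_SCALARS or t["kind"] == "ENUM":
                found.append((op["operation"], op["name"], arg, t["name"]))
    return found


def probe_document(op: Dict, arg: str, value: object) -> str:
    """Step 4: the request that asks for another object; compare its answer with the one for your own id."""
    literal = str(value) if isinstance(value, int) else '"%s"' % value
    selection = " { %s }" % " ".join(op["fields"]) if op["fields"] else ""
    body = "%s(%s: %s)%s" % (op["name"], arg, literal, selection)
    return ("mutation { %s }" if op["operation"] == "mutation" else "{ %s }") % body
```

On the constructed schema `idor_candidates` flags `user(id: Int)`, `thread(id: ID)` and `deleteMessage(id: Int)` and leaves `login` alone, because String arguments are not object references. `probe_document` then produces `{ user(id: 2) { id username email } }`; send it authenticated as one user and check whether another user's row comes back. Keep the mutation probes for last and only against the lab: a successful `mutation { deleteMessage(id: 7) }` is destructive.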
LAB: IDOR
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab4-IDOR
docker build . -t graphql/idor && docker run -ti -p 5000:5000 graphql/idor
Goal
• Use IDOR vulnerabilities to retrieve other users' private info
• Authenticate as another user
Injections
Are Injections possible?
• Yes, injection vulnerabilities are present in GraphQL APIs
• Yes, because of bad implementation (bad coding): GraphQL type-checks an argument as a String or an Int, it does not check what the value contains, so a resolver that concatenates it into SQL, a shell command or a template is injectable
• All web vulnerabilities are potentially present in GraphQL
How do we prevent Injections (and others)?
• Use secure coding principles and practices in the resolvers: parameterised queries, no shell or template concatenation, validation of argument values beyond their GraphQL type, and least-privilege database accounts
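The point made above, that GraphQL's type check says nothing about an argument's content, as an added example showing a vulnerable resolver beside its hardened form. This is not code from the slides or the lab repository and makes no claim about where the lab's vulnerabilities are: the users table, its rows and the `user(username: String!)` resolver are constructed for the example, and the database is an in-memory sqlite3 instance standing in for whatever store a real resolver would query.

```python
"""Injection in a GraphQL resolver: the vulnerable form beside the hardened one.

Added example, not code from the slides or the lab repository. GraphQL validates that
an argument is a String; it says nothing about what the string contains, so a resolver
that builds SQL by concatenation is as injectable as any REST handler. The table, the
rows and the resolver are constructed for the example.
"""
import sqlite3
from typing import List, Tuple


def seed() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the social network's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice-pw", 1),
        (2, "bob", "bob-pw", 0),
        (3, "carol", "carol-pw", 1),
    ])
    return conn


def resolve_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Resolver for user(username: String!) that concatenates the argument. Do not write this."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def resolve_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    """Same resolver with a bound parameter; the argument can no longer change the query's shape."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


# Constructed argument values a tester might send as user(username: "..."):
PAYLOAD_ALL_ROWS = "' OR 1=1 --"
PAYLOAD_ADMIN_PASSWORDS = "' UNION SELECT id, password FROM users WHERE is_admin = 1 --"
```

With the vulnerable resolver, the first payload returns every user and the second returns the admin passwords in the `username` column; the parameterised resolver returns no rows for either, because sqlite3 binds the whole string as a value. Note that the GraphQL layer accepted both payloads without complaint: they are valid Strings.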
LAB: Injections
Repo
git clone https://github.com/david3107/graphql-security-labs
cd lab5-injections
docker build . -t graphql/injection && docker run -ti -p 5000:5000 -p 1337:1337 graphql/injection
Architecture
Goal
• Use the knowledge from previous labs (hint: introspection)
• There are two different injection vulnerabilities in the lab. Exploit them to:
• Get a remote shell on the machine (use port 1337)
• Get the passwords of all administrator users
Thank you!
About defdev.eu
• Defensive development – hardening developers
• High-end secure development and S/SDLC trainings
• hands-on labs, DIY testing/hacking, exams, certification
• senior security testers and enterprise developers on stage
• from mobile to mainframe
• from C#, JS and Java to Go, Swift and Kotlin
• from practical cybersec to security in CI/CD
