GraphQL Security

OWASP YVR 2020

 Hello!

I’m Don Burks

Technical Lead @ Sphere
You can find me at @don_burks

2
 Some
Assumptions
You understand what GraphQL is…
and isn’t.
There is an implementation of GraphQL in
your present or near future
AppSec is something you know is important.
3
 “
Just because
it is new,
that does not
mean that
it is secure.

4
 “
Ask the MongoDB
community.

https://zdnet3.cbsistatic.com/hub/i/r/2018/02/16/8abdb3e1-47bc-446e-9871-c4e11a46f680/resize/470xauto/2ea638bf5532abe5081dabb0f
becbc2d/mongo-db-logo.png
5
 Tips for securing your GraphQL
◈ Route change

◈ Introspection

◈ Authentication

◈ Depth / Complexity

◈ Schema generation
6
Route Change
Many things we do as developers are
conventions, not requirements

7
/graphql /fluffybunny
This is the default. It is a Not a standardly enumerated
convention that has been route. Works just as well as
adopted as the go-to the default. Neither the
endpoint for all GraphQL client, nor the server, is going
implementations. to care what route the
request comes in on, as long
as it is a well-formed request.
This makes it a target.

8
 Trust
the bunny

https://vignette.wikia.nocookie.net/hoodwinked/images/3/35/Hoodwinked_boingo_evil_glare.
9
 ALSO!

Disable /graphiql

Yes, in all env’s.

Tools such as graphql-ide or Insomnia

are better.

10
Introspection
Great when you’re alone. Not so great when
you’re standing in front of 7 billion people.

11
Disable introspection in your testing and
production environments.

◈ Apollo and fastify-gql now do this by default

(in prod)
◈ Test for introspection leakiness in your
testing env

12
Authentication
This tends to be a big mistake I see in new
GraphQL implementations.

13
 Layers of Authentication

JWT ACL Edges

JSON Web Tokens Access Control means Don’t forget to add
passed in the that admin queries are auth and / or ACL to
Authorization header restricted to admin the resolvers that
can be checked at the accounts. It means facilitate your edges.
context level with resource ownership A malicious attacker
each query. and / or edit could easily exploit
privileges are this to access leaky
checked. data.
Just like an API.
14
type User { type Post {

id: ID id: ID

email: String title: String

username: String body: String

admin: Boolean author: User

createdAt: String createdAt: String

updatedAt: String updatedAt: String

lastLogin: String }

15
Post: {
author: (post) => {
return someDB.select(“*”).
.from(“users”)
.where(“id”, post.author_id)
.limit(1);
})
}

16
Post: {
author: (post, args, context) => {
if (context.user.admin || context.user.id
=== post.author_id) {
return someDB.select(“*”).
.from(“users”)
.where(“id”, post.author_id)
.limit(1);
}
})
}

17
Depth / Complexity
Easier than you think.
More important than you realize.

18
 Different types of complicated queries

Depth Complexity
Is the number of edges your Some queries may have
query is trying to access. extreme complexity to them,
and should be evaluated
accordingly. This involves
Too much depth can DDOS
queries doing heavy joins,
your server due to
aggregations, or retrieving
overloading your data store.
data from external APIs.

19
query {
users {
posts {
user {
posts {
user {
posts {
user {
posts {
id
}
}
}
}
}
}
}
}
}
20
query {
users(first: 50) { 50 Nodes
posts(last: 10) { + 50 * 10 Nodes
id
title = 550 Nodes
body
}
}
}

21
query {
users(first: 5000) { 5000 Nodes
posts(last: 100) { + 5000 * 100 Nodes
id
title
body
}
}
}

= 505,000 Nodes!!!
22
 5
If your query is deeper than this, I’m not
sure that query depth is your biggest issue.

23
Schema Generation
Hey, this is so cool!
It hacked my site for me!

24
 If it seems
magical,
It is
probably
dangerous

25
https://live.staticflickr.com/3793/10178307913_91956693a1_b.jpg
 Generators

One of the more dangerous approaches to

implementing GraphQL by using a tool to
auto-generate the SDL.
◈ Translates all SQL table fields into SDL
schema fields
◈ Auto-creates queries and mutations to
accomplish CRUD functions

26
 REST with SPRINKLES!!

https://img.webmd.com/dtmcms/live/webmd/consumer_assets/site_images/article_thumbnail
s/recipes/chocolate_pudding_sprinkle_cones_recipe/650x350_chocolate_pudding_sprinkle_c
ones_recipe.jpg 27
 Design your SDL Schema, don’t generate it!

SDL Queries

Mutations

28
You get the opportunity to CRAFT your schema

Data you Data that

GraphQL
Have Client Needs

29
 Summary
◈ Send your authenticated query...
◈ To a back-end with a thoughtful schema...

◈ Where the depth and complexity are evaluated...

◈ And the endpoint is non-standard...

◈ Before you start thinking that you’re secure.

30
 Thanks!

Any questions?

You can find me at:

@don_burks · donburks.com
https://sphere.guide

31