apidays LIVE Paris - GraphQL: the AppSec perspective by Vladimir de Turckheim
Signaler
apidaysSuivre
17 Dec 2020•0 j'aime•224 vues
apidays LIVE Paris - GraphQL: the AppSec perspective by Vladimir de Turckheim
17 Dec 2020•0 j'aime•224 vues
Télécharger pour lire hors ligne
Signaler
Technologie
apidays LIVE Paris - Responding to the New Normal with APIs for Business, People and Society December 8, 9 & 10, 2020 GraphQL: the AppSec perspective Vladimir de Turckheim, Lead Node.js Engineer at Sqreen
apidaysSuivre
Recommandé
apidays LIVE Paris - GraphQL meshes by Jens Neuseapidays
apidays LIVE Paris - The Rise of GraphQL for database APIs by Karthic Raoapidays
apidays LIVE Paris - Augmenting a Legacy REST API with GraphQL by Clément Vil...apidays
apidays LIVE Paris - Bringing Cloud Native to a world of SaaS by Robert Wunde...apidays
apidays LIVE Paris - SDK driven GraphQL by Nader Dabitapidays
apidays LIVE Paris - Automation API Testing by Guillaume Jeannicapidays
Contenu connexe
Tendances
API Centric Development in PHPJoe Stagner
apidays LIVE Australia - Productising your Microservices as API Products by P...apidays
Trouble with Performance Debugging? Not Anymore with Choreo, the AI-Assisted ...WSO2
apidays LIVE Paris 2021 - Spatially enabling Web APIs through OGC Standards ...apidays
apidays LIVE Hong Kong 2021 - Multi-Protocol APIs at Scale in Adidas by Jesus...apidays
apidays LIVE Paris - Data with a mission: a COVID-19 API case study by Matt M...apidays
![[API World 2021 ] - Understanding Cloud Native Deployment](https://cdn.slidesharecdn.com/ss_thumbnails/eric-cloudnativeapideployment-211108112442-thumbnail.jpg?width=1600&height=908&fit=bounds)
![[apidays Live Australia] How do you enhance customer experience through event...](https://cdn.slidesharecdn.com/ss_thumbnails/shiro-eventdrivenapis-customerenhancement-roundtable1-210922093028-thumbnail.jpg?width=1600&height=908&fit=bounds)
Similaire à apidays LIVE Paris - GraphQL: the AppSec perspective by Vladimir de Turckheim
GraphQL-ify your APIs - Devoxx UK 2021Soham Dasgupta
All Change! How the new economics of Cloud will make you think differently ab...Steve Poole
Dapper: the microORM that will change your lifeDavide Mauri
(java2days) The Anatomy of Java VulnerabilitiesSteve Poole
AppeX and JavaScript Support Enhancements in Cincom SmalltalkESUG
Faster Secure Software Development with Continuous Deployment - PH Days 2013Nick Galbreath
Plus de apidays
apidays London 2023 - How APIs support the democratization of FAIR data and d...apidays
apidays London 2023 - Revolutionising fitness and well-being, David Turner, V...apidays
apidays London 2023 - Let's make "true" impact happen!, Sandra Sydow, Climate...apidays
apidays London 2023 - 7 pillars of an API Factory, Patrick Brosse, Amadeusapidays
apidays London 2023 - Meeting Relentless Business Change in a Post API Econom...apidays
apidays London 2023 - Overengineering Weakens your API Security, Dr. David Va...apidays
Dernier
10 reasons to choose Galaxy Tab S9 for work on the goSamsung Business USA
"Intro to Stateful Services or How to get 1 million RPS from a single node", ...Fwdays
GDSC ZHCET Google Study Jams 23.pdfAbhishekSingh313342
roomos_webinar_280923_v2.pptxThousandEyes
Take Control of Podcasting thanks to Open Source and Podcasting 2.0🎙 Benjamin Bellamy
Mastering Automation Quality: Exploring UiPath's Test Suite for Seamless Test...DianaGray10
apidays LIVE Paris - GraphQL: the AppSec perspective by Vladimir de Turckheim
- 1. GraphQL the AppSec perspective 2020-12 Get your white hat ready
- 2. VLADIMIR DE TURCKHEIM Lead Customer Engineer @ Sqreen : Node.js Collaborator : Node.js Security WG member : Former Cyber-Security consultant @vdeturckheim vladimir@sqreen.io @poledesfetes
- 3. I AM NOT A GRAPHQL EXPERT “booooo!” MY IMPOSTOR SYNDROME @poledesfetes
- 4. I do Web Application security @poledesfetes
- 7. I am also a developer @poledesfetes
- 8. GraphQL is just “another way to exchange data between a client and a server” @poledesfetes
- 9. As any abstraction, it is designed to make your life easier! @poledesfetes
- 10. But abstractions can make you forget about @poledesfetes implementation details
- 11. But abstractions can make you forget about @poledesfetes implementation details
- 13. @poledesfetes implementation details This is where the fun is!
- 14. But I am going too fast @poledesfetes
- 15. HOW WOULD ONE ATTACK A GRAPHQL APP? “Why is my hat turning grey?” NICE HACKERS @poledesfetes
- 16. Identifying that the application is using GraphQL @poledesfetes
- 17. @poledesfetes
- 18. Identifying use of GraphQL @poledesfetes Applications using GraphQL can easily be identified • Use of GraphQL-related libraries • POST requests to a /graphql endpoint • POST requests with GraphQL payloads
- 21. Abusing Introspection @poledesfetes GraphQL has introspection features. A simple query can be used to identify the schema
- 23. Introspection might be disabled @poledesfetes
- 24. @poledesfetes
- 25. I just need to identify the client-side libraries handling the schema @poledesfetes
- 26. (Part of) your schema is public. @poledesfetes
- 27. What to do with the schema now? @poledesfetes
- 28. @poledesfetes
- 29. String injections @poledesfetes Injecting strings can lead to: • SQL injections • Shell injections • Eval injections • XSS
- 30. The methods to protects against these attacks are the same in GraphQL than any other protocol. @poledesfetes
- 32. @poledesfetes
- 34. GraphQL object injection @poledesfetes GraphQL by default is not object-injectable The custom scalar feature can be open the door to such vulnerabilities
- 35. GraphQL object injection @poledesfetes The JSON customs scalar type is very popular. It can be a vector for object injections. Object injections can lead to NoSQL injections.
- 36. A WORD ABOUT USERS “Authentication, Authorisation, ACL” ME, JUST DROPPING KEYWORDS @poledesfetes
- 37. It is very easy to do a mistake @poledesfetes
- 38. User management mistakes @poledesfetes It is very tempting to make GraphQL resolvers pure in the sense that they would be not context-aware. Thinking this way can lead to exposing the whole user database.
- 39. Anything linked to users must be checked @poledesfetes
- 40. Because of the single endpoint, you can’t do per endpoint authentication @poledesfetes well, you could have 2 GraphQL endpoints but…
- 41. All code must be user-aware @poledesfetes
- 42. User-aware @poledesfetes For each query, you must check: • Endpoint rights - is this user allowed to perform this operation? • Data-related rights - is this user allowed to access the outcome of the operation?
- 43. A FEW BEST PRACTICES AND GOTCHAS “Wait, there is a last part?” SOMEONE WHO EXPECTED THE TALK TO BE SHORTER @poledesfetes
- 45. Limit query depth to prevent DoS @poledesfetes
- 47. Sit with the schema, identify anything sensitive Log everything in the resolvers @poledesfetes
- 48. Highly untrust custom scalars @poledesfetes
- 49. Sqreen to release GraphQL support @poledesfetes Wednesday Dec 16th: Node.js Feb 2021: Ruby You can already use most of it
- 50. THANKS FOR YOUR ATTENTION! Let’s keep in touch! vlad@sqreen.com @poledesfetes @poledesfetes I’ll share the slides on Twitter today