APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023
Escape Workshop: "Discovering GraphQL Vulnerabilities in the Wild"
Tristan Kalos, Co-founder & CEO at Escape
Antoine Carossio, Co-founder & CTO at Escape
------
Check out our conferences at https://www.apidays.global/
Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8
Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io
Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/
APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kalos & Antoine Carossio, Escape
1. Live GraphQL Security Testing
escape.tech
Discovering GraphQL Vulnerabilities in the Wild
2. Who Am I
Tristan Kalos
Co-founder & CEO @ Escape – GraphQL Security
+
Engineer in Operations Research & MBA
Researcher in Machine Learning Applied to Source Code
🛠 Loved GraphQL but struggled to secure it
✉
tristan@escape.tech
@tristankalos
3. About Escape - GraphQL Security
We created the first fully-featured automated GraphQL Security Testing tool & have an in-house
research team on the topic.
https://app.escape.tech/
10. 1. Finding GraphQL endpoints on the internet
2. Testing endpoints for advanced security flaws
3. Our results
11. How to find public GraphQL endpoints on the internet?
Step 1: buy a cheap list of domains
12. How to find public GraphQL endpoints on the internet?
Step 2: use our open source GraphQL endpoint finder
https://github.com/Escape-Technologies/goctopus
13. How to find public GraphQL endpoints on the internet?
But….
We have 1.2M domains. It’s too slow.
https://github.com/Escape-Technologies/graphinder
14. How to find public GraphQL endpoints on the internet?
Step 3: Make a faster version, in golang.
https://github.com/Escape-Technologies/goctopus
We now have 2449 public GraphQL endpoints
39. Top vulnerability 1: Limit Batching and Aliasing
Batching: multiple GraphQL queries in one HTTP request
Aliasing: the same field requested multiple times under different aliases
40. Top vulnerability 1: Limit Batching and Aliasing
The problem: both let a single HTTP request carry many login attempts, bypassing per-request rate limiting on login mutations = brute-force attack
41. Top vulnerability 2: Directive Overloading
The problem: directives are expensive to process server side and can be used to trigger a DoS
(Slide timing figure: 150ms vs. 1 min for a 100kb request)
42. Top vulnerability 3: Recursive Fragments
Fragments: a piece of logic that can be shared between multiple queries
43. Top vulnerability 3: Recursive Fragments
The problem: What if a fragment calls itself? Oops, you got an infinite recursion.
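The three request-shape problems above (batching/aliasing, directive overloading, recursive fragments) can all be caught before execution. The following guard is an added example, not Escape's code or any GraphQL engine's; it works on the raw request text with a small tokenizer so it runs without a GraphQL library, and the limits (MAX_BATCH, MAX_ALIASES, MAX_DIRECTIVES) are assumed values to tune per API. Spec-compliant engines already reject fragment cycles during validation, so the point of the fragment check is that it must run cheaply and before any resolver is touched.

```python
"""Request-shape guard for GraphQL abuse patterns: oversized batches, alias
floods, directive overloading and recursive fragments (added example)."""
import json
import re
from collections import defaultdict

# Illustrative limits (assumed values, tune per API).
MAX_BATCH = 5          # operations per HTTP request
MAX_ALIASES = 10       # aliased fields per query document
MAX_DIRECTIVES = 20    # directive occurrences per query document

NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
TOKEN_RE = re.compile(
    r'"""[\s\S]*?"""'                     # block string
    r'|"(?:\\.|[^"\\\n])*"'               # string
    r"|#[^\n]*"                           # comment (dropped below)
    r"|\.\.\."                            # spread
    r"|[A-Za-z_][A-Za-z0-9_]*"            # name
    r"|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?"  # number
    r"|[{}()\[\]:@$!=|&]"                 # punctuation
)


def tokenize(query):
    """Lexical split of a GraphQL document; whitespace and commas are skipped."""
    return [t for t in TOKEN_RE.findall(query) if not t.startswith("#")]


def analyze(query):
    """Count aliases and directives and collect fragment-spread edges."""
    toks = tokenize(query)
    aliases = directives = 0
    edges = defaultdict(set)   # fragment name (or "<operation>") -> spreads it uses
    paren = brace = 0
    current = "<operation>"
    for i, t in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif t == "{":
            brace += 1
        elif t == "}":
            brace -= 1
            if brace == 0:
                current = "<operation>"   # left a fragment or operation body
        elif t == "@":
            directives += 1
        elif t == "fragment" and brace == 0 and paren == 0 and nxt:
            current = nxt                 # entering "fragment Name on Type { ... }"
        elif t == "..." and nxt not in (None, "on", "@", "{"):
            edges[current].add(nxt)       # named fragment spread, not an inline fragment
        elif t == ":" and paren == 0 and brace > 0 and i and NAME_RE.fullmatch(toks[i - 1]):
            aliases += 1                  # "alias: field" outside any argument list
    return {"aliases": aliases, "directives": directives, "cycle": find_fragment_cycle(edges)}


def find_fragment_cycle(edges):
    """Depth-first search for a spread cycle; returns the cycle path or None."""
    WHITE, GRAY, BLACK = 0, 1, 2
    color = defaultdict(int)

    def visit(node, path):
        color[node] = GRAY
        path.append(node)
        for nxt in edges.get(node, ()):
            if color[nxt] == GRAY:
                return path[path.index(nxt):] + [nxt]
            if color[nxt] == WHITE:
                cycle = visit(nxt, path)
                if cycle:
                    return cycle
        path.pop()
        color[node] = BLACK
        return None

    for node in list(edges):
        if color[node] == WHITE:
            cycle = visit(node, [])
            if cycle:
                return cycle
    return None


def check_request(body):
    """Return policy violations for a raw JSON request body (empty list = accept)."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    problems = []
    if len(ops) > MAX_BATCH:
        problems.append(f"batch of {len(ops)} operations exceeds {MAX_BATCH}")
    for idx, op in enumerate(ops):
        stats = analyze(op.get("query", ""))
        if stats["aliases"] > MAX_ALIASES:
            problems.append(f"op {idx}: {stats['aliases']} aliases exceed {MAX_ALIASES}")
        if stats["directives"] > MAX_DIRECTIVES:
            problems.append(f"op {idx}: {stats['directives']} directives exceed {MAX_DIRECTIVES}")
        if stats["cycle"]:
            problems.append(f"op {idx}: recursive fragments {' -> '.join(stats['cycle'])}")
    return problems


# Constructed sample documents and request bodies (not captured traffic).
Q_OK = "{ me { id name } }"
Q_ALIASING = "mutation {\n" + "\n".join(
    f'  t{i}: login(user: "alice", password: "guess{i}") {{ token }}' for i in range(20)) + "\n}"
Q_DIRECTIVES = "{ me " + "@skip(if: false) " * 30 + "{ id } }"
Q_RECURSIVE = "query { ...A }\nfragment A on User { id ...B }\nfragment B on User { name ...A }"
SAMPLE_OK = json.dumps({"query": Q_OK})
SAMPLE_BATCH = json.dumps([{"query": Q_OK}] * 8)
SAMPLE_ALIASING = json.dumps({"query": Q_ALIASING})
SAMPLE_DIRECTIVES = json.dumps({"query": Q_DIRECTIVES})
SAMPLE_RECURSIVE = json.dumps({"query": Q_RECURSIVE})

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("batch", SAMPLE_BATCH), ("aliasing", SAMPLE_ALIASING),
                       ("directives", SAMPLE_DIRECTIVES), ("recursive", SAMPLE_RECURSIVE)]:
        print(name, check_request(body) or "accepted")
```

The alias counter is the part that matters for the login case: a rate limiter keyed on HTTP requests sees one request, while this guard counts twenty logical login attempts and rejects the document before any mutation resolver runs. Note that a flat alias or directive cap is a coarse control; real deployments combine it with per-field cost analysis.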
44. Top vulnerability 4: Field suggestion schema leak
The problem: endpoints with disabled introspection still leak the underlying API schema through field suggestions
45. No introspection? Disable field suggestion
The problem: endpoints with disabled introspection still leak the underlying API schema through field suggestions.
Using the open source tool Clairvoyance, anybody can rebuild the full schema.
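To make the leak on the two slides above concrete: the following is an added example, not Escape's code and not any GraphQL engine's. It mimics the "Did you mean" hint that graphql-js style validators append to unknown-field errors (closest-match over the type's real field names), measures what a client without introspection learns from the error text alone, and then applies the fix the slide recommends: strip the hint in the server's error formatter. The SCHEMA dict and its field names are constructed for the example.

```python
"""Field-suggestion schema leak and its mitigation (added example)."""
import difflib
import re

# Constructed schema slice of a hypothetical API (type -> field names).
SCHEMA = {
    "Query": ["users", "user", "adminAuditLog", "internalFlags"],
    "User": ["id", "email", "passwordHash", "isAdmin"],
}

HINT_RE = re.compile(r' Did you mean .*\?$')   # the suggestion clause at the end of the message
QUOTED_RE = re.compile(r'"([^"]+)"')


def unknown_field_error(type_name, field, suggest=True):
    """Validation error for an unknown field. With suggest=True a closest-match
    hint is appended, standing in for the engine's own suggestion logic."""
    msg = f'Cannot query field "{field}" on type "{type_name}".'
    if suggest:
        close = difflib.get_close_matches(field, SCHEMA[type_name], n=3, cutoff=0.5)
        if close:
            msg += " Did you mean " + " or ".join(f'"{c}"' for c in close) + "?"
    return msg


def names_learned(type_name, probes, suggest=True):
    """Real field names echoed back in error text when a client asks for each
    probe word as a field; this is the signal a schema-rebuilding tool feeds on."""
    learned = set()
    for word in probes:
        if word in SCHEMA[type_name]:
            continue   # a real field resolves normally; there is no error to read
        hint = HINT_RE.search(unknown_field_error(type_name, word, suggest))
        if hint:
            learned.update(QUOTED_RE.findall(hint.group(0)))
    return learned


def format_error(message):
    """Server-side error formatter: drop the hint, keep the actual error."""
    return HINT_RE.sub("", message)


if __name__ == "__main__":
    probes = ["admin", "internal", "pass", "flag"]
    print("learned with hints:   ", sorted(names_learned("Query", probes)))
    print("learned without hints:", sorted(names_learned("Query", probes, suggest=False)))
    print(format_error(unknown_field_error("Query", "internal")))
```

With hints enabled, probing for "admin" or "internal" hands back "adminAuditLog" and "internalFlags" even though introspection is off; with the formatter in place the client only sees that the field does not exist. That is a hardening step, not a substitute for authorization: the difference between "Cannot query field" and a successful response still confirms whether a guessed field exists, so every sensitive field needs its own access check regardless.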
46. Summary about common GraphQL vulnerabilities:
1. Batching and Aliasing Attacks
2. Directive Overloading
3. Recursive Fragments
4. Field suggestion leaking Schema
To go further:
https://escape.tech/blog/pentest101/
51. Conclusion:
● Found and scanned 1500 public GraphQL endpoints in the wild
● Highlighted numerous vulnerabilities, most frequently GraphQL-specific, but not only
● Access control flaws and secret leaking are *very* frequent in GraphQL