book

Black Hat GraphQL

by Nick Aleks, Dolev Farhi

May 2023

Intermediate to advanced

320 pages

7h 42m

English

No Starch Press

Read now

Unlock full access

Title Page
Copyright
About the Authors
Foreword
Acknowledgments
Introduction
Who This Book Is ForThe Book’s Lab and Code RepositoryWhat’s in This Book
Chapter 1: A Primer on GraphQL
The BasicsOriginsUse CasesSpecificationHow Do Communications Work?The SchemaQueriesThe Query Parser and Resolver FunctionsWhat Problems Does GraphQL Solve?GraphQL APIs vs. REST APIsThe REST ExampleThe GraphQL ExampleOther DifferencesYour First QuerySummary
Chapter 2: Setting Up a GraphQL Security Lab
Taking Security PrecautionsInstalling KaliInstalling Web ClientsQuerying from the Command Line with cURLQuerying from a GUI with AltairSetting Up a Vulnerable GraphQL ServerInstalling DockerDeploying the Damn Vulnerable GraphQL ApplicationTesting DVGAInstalling GraphQL Hacking ToolsBurp SuiteClairvoyanceInQLGraphw00fBatchQLNmapCommixgraphql-path-enumEyeWitnessGraphQL CopCrackQLSummary
Chapter 3: The GraphQL Attack Surface
What Is an Attack Surface?The LanguageQueries, Mutations, and SubscriptionsOperation NamesFieldsArgumentsAliasesFragmentsVariablesDirectivesData TypesObjectsScalarsEnumsUnionsInterfacesInputsIntrospectionValidation and ExecutionCommon WeaknessesSpecification Rule and Implementation WeaknessesDenial of ServiceInformation DisclosureAuthentication and Authorization FlawsInjectionsSummary
Chapter 4: Reconnaissance
Detecting GraphQLCommon EndpointsCommon ResponsesNmap ScansThe __typename FieldGraphw00fDetecting GraphiQL Explorer and GraphQL PlaygroundScanning for Graphical Interfaces with EyeWitnessAttempting a Query Using Graphical ClientsQuerying GraphQL by Using IntrospectionVisualizing Introspection with GraphQL VoyagerGenerating Introspection Documentation with SpectaQLExploring Disabled IntrospectionFingerprinting GraphQLDetecting Servers with Graphw00fAnalyzing ResultsSummary

Chapter 5: Denial of Service
GraphQL DoS VectorsCircular QueriesCircular Relationships in GraphQL SchemasHow to Identify Circular RelationshipsCircular Query VulnerabilitiesCircular Introspection VulnerabilitiesCircular Fragment VulnerabilitiesField DuplicationUnderstanding How Field Duplication WorksTesting for Field Duplication VulnerabilitiesAlias OverloadingAbusing Aliases for Denial of ServiceChaining Aliases and Circular QueriesDirective OverloadingAbusing Directives for Denial of ServiceTesting for Directive OverloadingObject Limit OverridingArray-Based Query BatchingUnderstanding How Array-Based Query Batching WorksTesting for Array-Based Query BatchingChaining Circular Queries and Array-Based Query BatchingDetecting Query Batching by Using BatchQLPerforming a DoS Audit with GraphQL CopDenial-of-Service Defenses in GraphQLQuery Cost AnalysisQuery Depth LimitsAlias and Array-Based Batching LimitsField Duplication LimitsLimits on the Number of Returned RecordsQuery Allow ListsAutomatic Persisted QueriesTimeoutsWeb Application FirewallsGateway ProxiesSummary
Chapter 6: Information Disclosure
Identifying Information Disclosure Vectors in GraphQLAutomating Schema Extraction with InQLOvercoming Disabled IntrospectionDetecting Disabled IntrospectionExploiting Non-production EnvironmentsExploiting the __type Meta-fieldUsing Field SuggestionsUnderstanding the Edit-Distance AlgorithmOptimizing Field Suggestion UseConsidering Security DevelopmentsUsing Field StuffingType Stuffing in the __type Meta-fieldAutomating Field Suggestion and Stuffing Using ClairvoyanceAbusing Error MessagesExploring Excessive Error MessagingEnabling DebuggingInferring Information from Stack TracesLeaking Data by Using GET-Based QueriesSummary
Chapter 7: Authentication and Authorization Bypasses
The State of Authentication and Authorization in GraphQLIn-Band vs. Out-of-BandCommon ApproachesAuthentication TestingDetecting the Authentication LayerBrute-Forcing Passwords by Using Query BatchingBrute-Forcing Passwords with CrackQLUsing Allow-Listed Operation NamesForging and Leaking JWT CredentialsAuthorization TestingDetecting the Authorization LayerEnumerating Paths with graphql-path-enumBrute-Forcing Arguments and Fields with CrackQLSummary
Chapter 8: Injection
Injection Vulnerabilities in GraphQLThe Blast Radius of Malicious InputThe OWASP Top 10The Injection SurfaceQuery ArgumentsField ArgumentsQuery Directive ArgumentsOperation NamesInput Entry PointsSQL InjectionUnderstanding the Types of SQL InjectionTesting for SQLiTesting DVGA for SQLi with Burp SuiteAutomating SQL InjectionOperating System Command InjectionAn ExampleManual Testing in DVGAAutomated Testing with CommixCode Review of a Resolver FunctionCross-Site ScriptingReflected XSSStored XSSDOM-Based XSSTesting for XSS in DVGASummary
Chapter 9: Request Forgery and Hijacking
Cross-Site Request ForgeryLocating State-Changing ActionsTesting for POST-Based VulnerabilitiesAutomatically Submitting a CSRF FormTesting for GET-Based VulnerabilitiesUsing HTML InjectionAutomating Testing with BatchQL and GraphQL CopPreventing CSRFServer-Side Request ForgeryUnderstanding the Types of SSRFSearching for Vulnerable Operations, Fields, and ArgumentsTesting for SSRFPreventing SSRFCross-Site WebSocket HijackingFinding Subscription OperationsHijacking a Subscription QueryPreventing CSWSHSummary
Chapter 10: Disclosed Vulnerabilities and Exploits
Denial of ServiceA Large Payload (HackerOne)Regular Expressions (CS Money)A Circular Introspection Query (GitLab)Aliases for Field Duplication (Magento)Array-Based Batching for Field Duplication (WPGraphQL)Circular Fragments (Agoo)Broken AuthorizationAllowing Data Access to Deactivated Users (GitLab)Allowing an Unprivileged Staff Member to Modify a Customer’s Email (Shopify)Disclosing the Number of Allowed Hackers Through a Team Object (HackerOne)Reading Private Notes (GitLab)Disclosing Payment Transaction Information (HackerOne)Information DisclosureEnumerating GraphQL Users (GitLab)Accessing the Introspection Query via WebSocket (Nuri)InjectionSQL Injection in a GET Query Parameter (HackerOne)SQL Injection in an Object Argument (Apache SkyWalking)Cross-Site Scripting (GraphQL Playground)Cross-Site Request Forgery (GitLab)Summary
Appendix A: GraphQL API Testing Checklist
ReconnaissanceDenial of ServiceInformation DisclosureAuthentication and AuthorizationInjectionForging RequestsHijacking Requests
Appendix B: GraphQL Security Resources
Penetration Testing Tips and TricksHands-on Hacking LabsSecurity Videos
Index

Content preview from Black Hat GraphQL

7 Authentication and Authorization Bypasses

Out of the box, GraphQL has no authentication or authorization controls. As a result, the ecosystem has created its own or adopted those seen in traditional systems. In this chapter, we’ll cover the common GraphQL authentication and authorization implementations. Then we’ll discuss attacks that target some of their weaknesses.

Authentication is the mechanism by which a client proves their identity to a server. It answers the question: Is the user really who they say they are? Authentication attacks target a client’s identity, attempting to either steal credentials or spoof them to authenticate ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098156831

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Black Hat GraphQL

by Nick Aleks, Dolev Farhi

7 Authentication and Authorization Bypasses

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.