Hacking GraphQL — Part 2
In part 1 of the Hacking GraphQL series, we discussed the basics of GraphQL. In part 2, we try multiple attack vectors and see how adversaries can leverage them. This post uses the same setup as part 1 of the series, i.e. GraphQL Security Labs.
Denial of Service (DoS)
With GraphQL queries, we can ask for whatever we want, whenever we want. That is the amazing part of working with GraphQL endpoints, but it also has serious security implications and pitfalls. Instead of asking for legitimate, useful data, a malicious actor could submit an expensive, nested query to overload the server, the database, the network, or all of these. Without the right protection, applications running GraphQL may open themselves up to a DoS (Denial of Service) attack.
For example, we have the following GraphQL query:
    {
      allpost{
        edges{
          node{
            title
            body
            user{username}
          }
        }
      }
    }
We get the following response:
As can be seen above, a user can have multiple posts and each post belongs to a single user. In GraphQL terms, each post has a user associated with it and each user has posts (... and each post has a user ... and so on). This circular relationship allows an adversary to construct an expensive nested query. Let's see this in action!
Exploitation
Step 1: Create a malicious payload.
    {
      allUser{
        edges{
          node{
            username
            post{
              edges{
                node{
                  title
                  authorId
                  users{
                    username
                    post{
                      # ...repeat times 100000....
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
Step 2: Send the payload. It requests nested user-post nodes; note the time taken for the response.
As the number of loops increases, the response time increases as well. Letting this kind of query through is very bad, since it exponentially increases the number of objects loaded and may in some cases crash the entire server. Easy remediation against DoS could be to set a timeout, to set a maximum depth for a given query, or to set a query complexity threshold.
Mitigation
Below are some ways to prevent a DoS from occurring:
- Limiting the query depth
- Disabling introspection
- Conducting a query cost analysis
- Auditing the query before sending it to the server
We will be exploring injection attacks in Part 3 of the Hacking GraphQL series.
Stay safe, stay healthy and hack responsibly.
Redfox Security is a diverse network of expert security consultants with a global mindset and a collaborative culture. With a combination of data-driven, research-based, and manual testing methodologies, we proudly deliver robust security solutions.