Attacking GraphQL: A guide for penetration testers - Keith Makan

What's GraphQL? How do you pwn it? And what do I write in my pentest report if I find it in a test? If these questions get your heart racing, fret not, this talk is for you! GraphQL is, at minimum, yet another API technology your company can get horribly wrong. The technology has grown considerably as an API interface technology in the last few years. With that growing interest, security engineering has been a keen focus for deployments, because the technology is new, promises a lot (strict data typing, query batching and nesting, rapid adaptability, etc.) and may not deliver the same impact in all environments or use cases. Furthermore, in the contemporary landscape there are a number of services and open source projects that make it accessible, each with its own set of complexities and pitfalls. With all these newfangled environments, a novel query language and wildly variable backends, pentesters and security engineers need a good overview in order to navigate a security assessment or deployment. This talk aims to provide guidance to pentesters in navigating these environments, using the open source and free tooling on offer, and delivering a good quality penetration test against GraphQL environments.

GraphQL was developed and released at Facebook just under 10 years ago, but has only really seen a surge in public interest over the latest 5 years of its life, being adopted by the likes of Amazon AWS, Microsoft and IBM as well as many more big names. GraphQL grew rapidly due to its proactive approach to many problematic aspects of API deployment and design, namely data typing, query formatting, data source independence and many others. Although it provides a myriad of technological improvements, deployments still suffer from common vulnerabilities and misconfigurations.

What's more, beyond the vulnerabilities which stem from common misconfigurations, many security problems also arise from complex integrations with traditional API tech (REST, SOAP, etc.). To help users be aware of these problems, the talk walks through many of the scenarios that may introduce vulnerabilities as well as ways to avoid incurring more risk. In this talk, the speaker will cover:

(i) The recent history of GraphQL, its adoption rate, and the innovations and APIs that currently make use of this tech.
(ii) Common GraphQL setups and projects (what to expect in the wild).
(iii) How to threat model a GraphQL deployment, and where to expect things to go wrong.
(iv) A detailed enumeration of common issues like query batching, nesting, incorrect usage of the typing system and other problems, some of which will be supported by real world examples.
(v) Exploitation patterns and tools that will enhance a penetration tester's ability to assess and exploit the vulnerabilities mentioned in the talk.

Thanks to our AV sponsor Tenable for making these recordings possible.
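
As an added, defender-side illustration of the batching and nesting issues the talk lists under (iv) (example code written for this page, not the speaker's tooling), here is a small policy check a GraphQL gateway could run on incoming request bodies before executing them. The sample bodies, the brace-counting depth heuristic and the limits are all constructed for the demo; a production gateway would use the real parsed AST instead.

```python
import json
import re

# Constructed sample request bodies (not from the talk): the JSON a GraphQL
# endpoint receives over HTTP. Aliases and array batching let one request
# carry many operations; deep nesting makes a single query expensive.
SAMPLES = {
    "normal": '{"query": "{ user(id: 1) { name posts { title } } }"}',
    "nested": '{"query": "{ me { friends { friends { friends { friends { friends { name } } } } } } }"}',
    "aliased": '{"query": "{ a1: login(code: \\"111\\") { ok } a2: login(code: \\"222\\") { ok } a3: login(code: \\"333\\") { ok } }"}',
    "batched": '[{"query": "{ me { name } }"}, {"query": "{ me { name } }"}, {"query": "{ me { name } }"}]',
}

def _strip(query: str) -> str:
    """Drop string literals and argument lists so braces/colons inside them are not counted."""
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    return re.sub(r'\([^)]*\)', '', query)

def max_depth(query: str) -> int:
    """Deepest selection-set nesting; the operation's own braces count as level 1."""
    depth = deepest = 0
    for ch in _strip(query):
        if ch == '{':
            depth += 1
            deepest = max(deepest, depth)
        elif ch == '}':
            depth -= 1
    return deepest

def alias_count(query: str) -> int:
    """Number of aliased fields (`alias: field`) once arguments are removed."""
    return len(re.findall(r'\b\w+\s*:\s*\w+', _strip(query)))

def assess(body: str, depth_limit=5, alias_limit=2, batch_limit=2) -> list:
    """Return policy findings for one raw request body; an empty list means within limits."""
    doc = json.loads(body)
    ops = doc if isinstance(doc, list) else [doc]   # array batching = JSON list of operations
    findings = []
    if len(ops) > batch_limit:
        findings.append(f"array batch of {len(ops)} operations exceeds {batch_limit}")
    for op in ops:
        q = op.get("query", "")
        if max_depth(q) > depth_limit:
            findings.append(f"depth {max_depth(q)} exceeds {depth_limit}")
        if alias_count(q) > alias_limit:
            findings.append(f"{alias_count(q)} aliases exceed {alias_limit}")
    return findings

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, assess(body) or "ok")
```

The aliased sample shows why per-request rate limits are not enough on their own: three login attempts arrive as one HTTP request, so the limit has to be applied per operation.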
