The document discusses GraphQL APIs and access control vulnerabilities. It begins with an overview of GraphQL, including what it is, basic queries, and introspection. Next, tools for analyzing GraphQL APIs like GraphiQL, Burp, and GraphQL Voyager are presented. Examples of access control vulnerabilities found in bug bounty programs are then discussed. The presentation concludes with ideas for further research on traversing GraphQL schemas with different credentials and automatically building all possible query paths.
Access control vulnerabilities in

GraphQL APIs
Nikita Stupin
Mail.Ru Group

Moscow, 18 June 2019

Agenda

1. GraphQL overview
1. What is GraphQL?
2. Basic GraphQL queries
3. Introspection
2. Tools for analyzing GraphQL
1. GraphiQL / Burp (curl)
2. GraphQL Voyager
3. Bug Bounty examples
4. Ideas for further research
5. Q&A
What is GraphQL?

• Query language to fetch and modify data
• Used in web applications
• Tries to solve the problems of the REST API:
  • Data over-fetching
  • Data under-fetching

Image source: https://medium.com/devschacht/esteban-herrera-5-reasons-you-shouldnt-use-graphql-bae94ab105bc
Perfect world

Image source: https://www.howtographql.com/basics/3-big-picture/

Real world

Image source: https://www.howtographql.com/basics/3-big-picture/
The query, the mutation and the subscription

Image source: https://www.howtographql.com/basics/2-core-concepts/
Burp

GraphiQL

GraphQL Voyager
Broken edges
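The "broken edge" pattern, as an added example that is not part of the slides: a toy GraphQL-style executor (not graphql-core, and not the author's tooling; the type names, resolvers and the USERS/POSTS data are constructed for illustration) in which the entry point `Query.user` checks the caller, but the edge `Post.author` reaches the same `User` object with no check at all. The hardened variant moves the check onto the sensitive field itself, so every path through the graph hits it.

```python
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample data standing in for the application's database.
USERS = {
    "1": {"id": "1", "name": "alice", "email": "alice@example.com"},
    "2": {"id": "2", "name": "bob", "email": "bob@example.com"},
}
POSTS = {"10": {"id": "10", "title": "hello", "authorId": "2"}}


class Forbidden(Exception):
    """Raised by a resolver when the caller is not authorized for a field."""


@dataclass
class Ctx:
    user_id: Optional[str]  # None means an anonymous caller


# A selection set is {field: (arguments, sub_selection)}, sub_selection being
# None for scalars, so  {post(id:"10"){author{email}}}  is written as
#   {"post": ({"id": "10"}, {"author": ({}, {"email": ({}, None)})})}


def scalar(key: str) -> dict:
    """Field descriptor for a scalar read straight from the parent object."""
    return {"type": None, "resolve": lambda parent, args, ctx: parent[key]}


def vulnerable_schema() -> dict:
    """Type -> field -> {type, resolve}. Authorization lives only on the root
    fields, so a User is reachable unchecked through Post.author."""

    def me(_, args, ctx):
        if ctx.user_id is None:
            raise Forbidden("login required")
        return USERS[ctx.user_id]

    def user(_, args, ctx):
        # Entry-point check: you may only look up your own account.
        if args["id"] != ctx.user_id:
            raise Forbidden("not your account")
        return USERS[args["id"]]

    def post(_, args, ctx):
        return POSTS[args["id"]]

    def author(parent, args, ctx):
        # BROKEN EDGE: Post -> User carries no authorization of its own.
        return USERS[parent["authorId"]]

    return {
        "Query": {
            "me": {"type": "User", "resolve": me},
            "user": {"type": "User", "resolve": user},
            "post": {"type": "Post", "resolve": post},
        },
        "User": {"id": scalar("id"), "name": scalar("name"), "email": scalar("email")},
        "Post": {"id": scalar("id"), "title": scalar("title"),
                 "author": {"type": "User", "resolve": author}},
    }


def hardened_schema() -> dict:
    """Same graph, but the sensitive field authorizes against the object it
    belongs to, so every path that reaches a User runs the check."""
    schema = vulnerable_schema()

    def email(parent, args, ctx):
        if parent["id"] != ctx.user_id:
            raise Forbidden("email is private")
        return parent["email"]

    schema["User"]["email"] = {"type": None, "resolve": email}
    return schema


def execute(schema: dict, selection: dict, ctx: Ctx,
            parent: Any = None, typename: str = "Query") -> dict:
    """Minimal executor: resolve each selected field, recurse into objects."""
    result = {}
    for name, (args, sub) in selection.items():
        field = schema[typename][name]
        value = field["resolve"](parent, args, ctx)
        result[name] = value if field["type"] is None else execute(
            schema, sub, ctx, value, field["type"])
    return result


def probe(schema: dict, selection: dict, ctx: Ctx) -> dict:
    """Run a selection and report either the data or the authorization error."""
    try:
        return {"data": execute(schema, selection, ctx)}
    except Forbidden as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    alice = Ctx(user_id="1")
    direct = {"user": ({"id": "2"}, {"email": ({}, None)})}
    via_post = {"post": ({"id": "10"}, {"author": ({}, {"email": ({}, None)})})}
    for label, schema in (("vulnerable", vulnerable_schema()), ("hardened", hardened_schema())):
        print(label, "user(id:2){email}      ->", probe(schema, direct, alice))
        print(label, "post{author{email}}    ->", probe(schema, via_post, alice))
```

Run as alice, the direct lookup `user(id:"2")` is refused by both schemas, but `post(id:"10"){author{email}}` returns bob's address from the vulnerable schema and only fails in the hardened one. The lesson for testers is to reach a type through every edge that leads to it, not just the obvious root field; the lesson for developers is to authorize at the object or field, never only at the entry point.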

Ideas for further research

• Schema is a graph. Traverse it with different credentials and compare the results
• Visual monitoring of schema changes
  https://github.com/APIs-guru/graphql-voyager/issues/113
• Automatically build all possible paths to a certain object or property
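The first and third ideas above, as one added example that is not part of the slides and not GraphQL Voyager's code: the introspection query is real GraphQL syntax, but the two schema documents are constructed stand-ins for what a server returns to an anonymous and to an admin session, and all function names are my own. It turns each introspection result into a graph of types and fields, enumerates every simple path from `Query` to a target type or property, and lists the edges that only the higher-privileged credential sees.

```python
from typing import Dict, List, Tuple

# The introspection query a tester sends first (valid GraphQL).
INTROSPECTION_QUERY = """
query {
  __schema {
    queryType { name }
    types {
      kind name
      fields { name type { kind name ofType { kind name ofType { kind name } } } }
    }
  }
}
"""


def ref(name: str, kind: str = "OBJECT") -> dict:
    return {"kind": kind, "name": name, "ofType": None}


def wrap(kind: str, inner: dict) -> dict:
    return {"kind": kind, "name": None, "ofType": inner}


def obj(name: str, **fields: dict) -> dict:
    return {"kind": "OBJECT", "name": name,
            "fields": [{"name": f, "type": t} for f, t in fields.items()]}


# Constructed introspection result as seen by an anonymous session.
ANON_SCHEMA = {"__schema": {"queryType": {"name": "Query"}, "types": [
    obj("Query", post=ref("Post"), me=ref("User")),
    obj("Post", id=ref("ID", "SCALAR"), title=ref("String", "SCALAR"), author=ref("User")),
    obj("User", id=ref("ID", "SCALAR"), email=ref("String", "SCALAR"),
        posts=wrap("LIST", ref("Post"))),
]}}

# Constructed result for an admin session: one extra root field, one extra property.
ADMIN_SCHEMA = {"__schema": {"queryType": {"name": "Query"}, "types": [
    obj("Query", post=ref("Post"), me=ref("User"),
        users=wrap("NON_NULL", wrap("LIST", wrap("NON_NULL", ref("User"))))),
    obj("Post", id=ref("ID", "SCALAR"), title=ref("String", "SCALAR"), author=ref("User")),
    obj("User", id=ref("ID", "SCALAR"), email=ref("String", "SCALAR"),
        posts=wrap("LIST", ref("Post")), apiToken=ref("String", "SCALAR")),
]}}

Edge = Tuple[str, str, str]  # (field name, target type name, target kind)


def unwrap(type_ref: dict) -> dict:
    """Strip LIST / NON_NULL wrappers down to the named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref


def build_graph(introspection: dict) -> Dict[str, List[Edge]]:
    """Type name -> outgoing edges, one per field (scalars are leaf edges)."""
    graph: Dict[str, List[Edge]] = {}
    for t in introspection["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        graph[t["name"]] = [(f["name"], unwrap(f["type"])["name"], unwrap(f["type"])["kind"])
                            for f in t.get("fields") or []]
    return graph


def all_paths(graph: Dict[str, List[Edge]], target: str,
              start: str = "Query", max_depth: int = 6) -> List[List[str]]:
    """Every simple path (no type repeated) from the root to `target`, which may
    be a type name ("User") or a property ("User.email"); steps are "Type.field"."""
    found: List[List[str]] = []

    def dfs(node, visited, path):
        if len(path) >= max_depth:
            return
        for field, dst, kind in graph.get(node, []):
            step = f"{node}.{field}"
            if dst == target or step == target:
                found.append(path + [step])
            elif kind == "OBJECT" and dst not in visited:
                dfs(dst, visited | {dst}, path + [step])

    dfs(start, {start}, [])
    return found


def extra_edges(low: Dict[str, List[Edge]], high: Dict[str, List[Edge]]) -> List[Edge]:
    """Edges the higher-privileged credential sees and the lower one does not.
    Each is a candidate to query with the low credential: a field hidden from
    introspection is not necessarily refused by the resolver."""
    extra = []
    for type_name, edges in high.items():
        seen = {(f, dst) for f, dst, _ in low.get(type_name, [])}
        extra += [(type_name, f, dst) for f, dst, _ in edges if (f, dst) not in seen]
    return sorted(extra)


if __name__ == "__main__":
    anon, admin = build_graph(ANON_SCHEMA), build_graph(ADMIN_SCHEMA)
    print("paths to User.email (anonymous):", all_paths(anon, "User.email"))
    print("paths to User.apiToken (admin): ", all_paths(admin, "User.apiToken"))
    print("admin-only edges:", extra_edges(anon, admin))
```

Each path is a query skeleton (`Query.post` then `Post.author` then `User.email` is `{post{author{email}}}`), so the output is exactly the list of requests to replay through curl or Burp with each credential and diff.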

Links

• “GraphQL Voyager as a tool for API security testing” (EN, RU)
  https://nikitastupin.github.io/#references-to-articles-and-write-ups
• GraphQL from zero to hero (highly practical)
  https://www.howtographql.com/
• Good elaboration of specific topics (more theoretical)
  https://graphql.org/learn/
• GraphiQL https://github.com/graphql/graphiq
• GraphQL Voyager https://github.com/APIs-guru/graphql-voyager
• Toolset that can automatically generate queries
  https://github.com/doyensec/graph-ql
Questions?

_nikitastupin

nikitastupin

n.stupin@corp.mail.ru
