Black Hat GraphQL

Book description

Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you’re a penetration tester, security analyst, or software engineer, you’ll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required.

Following an introduction to core concepts, you’ll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries.

You’ll also learn how to:

• Use data collection and target mapping to learn about targets
• Defend APIs against denial-of-service attacks and exploit insecure configurations in GraphQL servers to gather information on hardened targets
• Impersonate users and take admin-level actions on a remote server
• Uncover injection-based vulnerabilities in servers, databases, and client browsers
• Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf
• Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies

This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.

Table of contents

  1. Title Page
  2. Copyright
  3. About the Authors
  4. Foreword
  5. Acknowledgments
  6. Introduction
    1. Who This Book Is For
    2. The Book’s Lab and Code Repository
    3. What’s in This Book
  7. Chapter 1: A Primer on GraphQL
    1. The Basics
      1. Origins
      2. Use Cases
      3. Specification
    2. How Do Communications Work?
      1. The Schema
      2. Queries
      3. The Query Parser and Resolver Functions
    3. What Problems Does GraphQL Solve?
    4. GraphQL APIs vs. REST APIs
      1. The REST Example
      2. The GraphQL Example
      3. Other Differences
    5. Your First Query
    6. Summary
  8. Chapter 2: Setting Up a GraphQL Security Lab
    1. Taking Security Precautions
    2. Installing Kali
    3. Installing Web Clients
      1. Querying from the Command Line with cURL
      2. Querying from a GUI with Altair
    4. Setting Up a Vulnerable GraphQL Server
      1. Installing Docker
      2. Deploying the Damn Vulnerable GraphQL Application
      3. Testing DVGA
    5. Installing GraphQL Hacking Tools
      1. Burp Suite
      2. Clairvoyance
      3. InQL
      4. Graphw00f
      5. BatchQL
      6. Nmap
      7. Commix
      8. graphql-path-enum
      9. EyeWitness
      10. GraphQL Cop
      11. CrackQL
    6. Summary
  9. Chapter 3: The GraphQL Attack Surface
    1. What Is an Attack Surface?
    2. The Language
      1. Queries, Mutations, and Subscriptions
      2. Operation Names
      3. Fields
      4. Arguments
      5. Aliases
      6. Fragments
      7. Variables
      8. Directives
    3. Data Types
      1. Objects
      2. Scalars
      3. Enums
      4. Unions
      5. Interfaces
      6. Inputs
    4. Introspection
    5. Validation and Execution
    6. Common Weaknesses
      1. Specification Rule and Implementation Weaknesses
      2. Denial of Service
      3. Information Disclosure
      4. Authentication and Authorization Flaws
      5. Injections
    7. Summary
  10. Chapter 4: Reconnaissance
    1. Detecting GraphQL
      1. Common Endpoints
      2. Common Responses
      3. Nmap Scans
      4. The __typename Field
      5. Graphw00f
    2. Detecting GraphiQL Explorer and GraphQL Playground
      1. Scanning for Graphical Interfaces with EyeWitness
      2. Attempting a Query Using Graphical Clients
    3. Querying GraphQL by Using Introspection
      1. Visualizing Introspection with GraphQL Voyager
      2. Generating Introspection Documentation with SpectaQL
      3. Exploring Disabled Introspection
    4. Fingerprinting GraphQL
      1. Detecting Servers with Graphw00f
      2. Analyzing Results
    5. Summary
  11. Chapter 5: Denial of Service
    1. GraphQL DoS Vectors
    2. Circular Queries
      1. Circular Relationships in GraphQL Schemas
      2. How to Identify Circular Relationships
      3. Circular Query Vulnerabilities
      4. Circular Introspection Vulnerabilities
      5. Circular Fragment Vulnerabilities
    3. Field Duplication
      1. Understanding How Field Duplication Works
      2. Testing for Field Duplication Vulnerabilities
    4. Alias Overloading
      1. Abusing Aliases for Denial of Service
      2. Chaining Aliases and Circular Queries
    5. Directive Overloading
      1. Abusing Directives for Denial of Service
      2. Testing for Directive Overloading
    6. Object Limit Overriding
    7. Array-Based Query Batching
      1. Understanding How Array-Based Query Batching Works
      2. Testing for Array-Based Query Batching
      3. Chaining Circular Queries and Array-Based Query Batching
      4. Detecting Query Batching by Using BatchQL
    8. Performing a DoS Audit with GraphQL Cop
    9. Denial-of-Service Defenses in GraphQL
      1. Query Cost Analysis
      2. Query Depth Limits
      3. Alias and Array-Based Batching Limits
      4. Field Duplication Limits
      5. Limits on the Number of Returned Records
      6. Query Allow Lists
      7. Automatic Persisted Queries
      8. Timeouts
      9. Web Application Firewalls
      10. Gateway Proxies
    10. Summary
  12. Chapter 6: Information Disclosure
    1. Identifying Information Disclosure Vectors in GraphQL
    2. Automating Schema Extraction with InQL
    3. Overcoming Disabled Introspection
      1. Detecting Disabled Introspection
      2. Exploiting Non-production Environments
      3. Exploiting the __type Meta-field
    4. Using Field Suggestions
      1. Understanding the Edit-Distance Algorithm
      2. Optimizing Field Suggestion Use
      3. Considering Security Developments
    5. Using Field Stuffing
    6. Type Stuffing in the __type Meta-field
    7. Automating Field Suggestion and Stuffing Using Clairvoyance
    8. Abusing Error Messages
      1. Exploring Excessive Error Messaging
      2. Enabling Debugging
      3. Inferring Information from Stack Traces
    9. Leaking Data by Using GET-Based Queries
    10. Summary
  13. Chapter 7: Authentication and Authorization Bypasses
    1. The State of Authentication and Authorization in GraphQL
      1. In-Band vs. Out-of-Band
      2. Common Approaches
    2. Authentication Testing
      1. Detecting the Authentication Layer
      2. Brute-Forcing Passwords by Using Query Batching
      3. Brute-Forcing Passwords with CrackQL
      4. Using Allow-Listed Operation Names
      5. Forging and Leaking JWT Credentials
    3. Authorization Testing
      1. Detecting the Authorization Layer
      2. Enumerating Paths with graphql-path-enum
      3. Brute-Forcing Arguments and Fields with CrackQL
    4. Summary
  14. Chapter 8: Injection
    1. Injection Vulnerabilities in GraphQL
      1. The Blast Radius of Malicious Input
      2. The OWASP Top 10
    2. The Injection Surface
      1. Query Arguments
      2. Field Arguments
      3. Query Directive Arguments
      4. Operation Names
    3. Input Entry Points
    4. SQL Injection
      1. Understanding the Types of SQL Injection
      2. Testing for SQLi
      3. Testing DVGA for SQLi with Burp Suite
      4. Automating SQL Injection
    5. Operating System Command Injection
      1. An Example
      2. Manual Testing in DVGA
      3. Automated Testing with Commix
      4. Code Review of a Resolver Function
    6. Cross-Site Scripting
      1. Reflected XSS
      2. Stored XSS
      3. DOM-Based XSS
      4. Testing for XSS in DVGA
    7. Summary
  15. Chapter 9: Request Forgery and Hijacking
    1. Cross-Site Request Forgery
      1. Locating State-Changing Actions
      2. Testing for POST-Based Vulnerabilities
      3. Automatically Submitting a CSRF Form
      4. Testing for GET-Based Vulnerabilities
      5. Using HTML Injection
      6. Automating Testing with BatchQL and GraphQL Cop
      7. Preventing CSRF
    2. Server-Side Request Forgery
      1. Understanding the Types of SSRF
      2. Searching for Vulnerable Operations, Fields, and Arguments
      3. Testing for SSRF
      4. Preventing SSRF
    3. Cross-Site WebSocket Hijacking
      1. Finding Subscription Operations
      2. Hijacking a Subscription Query
      3. Preventing CSWSH
    4. Summary
  16. Chapter 10: Disclosed Vulnerabilities and Exploits
    1. Denial of Service
      1. A Large Payload (HackerOne)
      2. Regular Expressions (CS Money)
      3. A Circular Introspection Query (GitLab)
      4. Aliases for Field Duplication (Magento)
      5. Array-Based Batching for Field Duplication (WPGraphQL)
      6. Circular Fragments (Agoo)
    2. Broken Authorization
      1. Allowing Data Access to Deactivated Users (GitLab)
      2. Allowing an Unprivileged Staff Member to Modify a Customer’s Email (Shopify)
      3. Disclosing the Number of Allowed Hackers Through a Team Object (HackerOne)
      4. Reading Private Notes (GitLab)
      5. Disclosing Payment Transaction Information (HackerOne)
    3. Information Disclosure
      1. Enumerating GraphQL Users (GitLab)
      2. Accessing the Introspection Query via WebSocket (Nuri)
    4. Injection
      1. SQL Injection in a GET Query Parameter (HackerOne)
      2. SQL Injection in an Object Argument (Apache SkyWalking)
      3. Cross-Site Scripting (GraphQL Playground)
    5. Cross-Site Request Forgery (GitLab)
    6. Summary
  17. Appendix A: GraphQL API Testing Checklist
    1. Reconnaissance
    2. Denial of Service
    3. Information Disclosure
    4. Authentication and Authorization
    5. Injection
    6. Forging Requests
    7. Hijacking Requests
  18. Appendix B: GraphQL Security Resources
    1. Penetration Testing Tips and Tricks
    2. Hands-on Hacking Labs
    3. Security Videos
  19. Index

Product information

  • Title: Black Hat GraphQL
  • Author(s): Nick Aleks, Dolev Farhi
  • Release date: May 2023
  • Publisher(s): No Starch Press
  • ISBN: 9781718502840