Greetings everyone! I hope everything is going well. Today we are going to discuss GraphQL: many of you already use it, but how do we secure it, and what are the common threats against GraphQL? For those who don't know what GraphQL is, don't worry, we will look at that first. Let's start!
What is GraphQL?
In simple terms, GraphQL is a query language for APIs: the client sends a query describing the data it wants, and the server's resolvers fetch that data from the backend (typically a database) and return exactly the shape that was asked for. GraphQL is an open-source data query and manipulation language for APIs that is now widely used in web applications. It was developed by Facebook in 2012 and publicly released in 2015, and today it is a common, powerful alternative to other web-service architectures such as REST APIs.
Unlike REST, a GraphQL API usually exposes a single endpoint, and every query and mutation goes through that one path; some common endpoint paths are listed below:
Common Threats in GraphQL
- Introspection (Information Disclosure)
As discussed, GraphQL exposes an endpoint through which we communicate with the backend. In a vulnerable configuration that endpoint also answers introspection queries: GraphQL's introspection system lets any client ask the server to describe its own schema. From that description a tester can extract internal server information, the available queries and mutations with their arguments, and the types and fields that can be read or manipulated. In this section a bad actor uses that map to craft GraphQL queries that extract data from the database.
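Here is an added example (not code from the original post) of what a tester does with introspection: send the standard introspection query, then walk the response to list every root query and mutation with its arguments and flag field names that look sensitive. The endpoint path, the sensitive-name hints and the sample response are all constructed for this example; the response is not captured from any real server.

```python
import json

# Standard introspection query a tester POSTs to the GraphQL endpoint
# (the endpoint path, e.g. /graphql, is an assumption; this page lists none).
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields {
        name
        args { name type { kind name ofType { kind name } } }
      }
    }
  }
}
"""


def introspection_request_body():
    """JSON body sent with Content-Type: application/json to the endpoint."""
    return json.dumps({"query": INTROSPECTION_QUERY})


def _type_name(t):
    """Unwrap NON_NULL / LIST wrappers to reach the named type."""
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return t.get("name") if t else None


def introspection_enabled(response_json):
    """True if the server answered with a schema instead of an error."""
    data = json.loads(response_json).get("data")
    return bool(data) and "__schema" in data


def enumerate_operations(response_json):
    """List every root query and mutation with its argument names and types."""
    schema = json.loads(response_json)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    found = {"queries": [], "mutations": []}
    for root_key, bucket in (("queryType", "queries"), ("mutationType", "mutations")):
        root = schema.get(root_key)
        if not root:
            continue
        for field in types[root["name"]].get("fields") or []:
            args = ", ".join(f"{a['name']}: {_type_name(a['type'])}"
                             for a in field.get("args") or [])
            found[bucket].append(f"{field['name']}({args})")
    return found


# Hypothetical hint list; tune it to the application under test.
SENSITIVE_HINTS = ("password", "token", "secret", "ssn", "admin", "internal")


def find_sensitive_fields(response_json):
    """Flag fields whose names suggest sensitive data or sensitive operations."""
    schema = json.loads(response_json)["data"]["__schema"]
    hits = []
    for t in schema["types"]:
        if t["name"].startswith("__"):       # skip GraphQL's own meta types
            continue
        for field in t.get("fields") or []:
            if any(h in field["name"].lower() for h in SENSITIVE_HINTS):
                hits.append(f"{t['name']}.{field['name']}")
    return hits


# Constructed sample response (not captured from any real server) in the
# shape a server returns for the query above.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "user", "args": [{"name": "id", "type": {
                "kind": "NON_NULL", "name": None,
                "ofType": {"kind": "SCALAR", "name": "ID"}}}]},
            {"name": "users", "args": []}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "resetPassword", "args": [{"name": "email", "type": {
                "kind": "NON_NULL", "name": None,
                "ofType": {"kind": "SCALAR", "name": "String"}}}]}]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": []}, {"name": "email", "args": []},
            {"name": "passwordHash", "args": []},
            {"name": "internalNotes", "args": []}]},
        {"name": "__Schema", "kind": "OBJECT", "fields": [
            {"name": "description", "args": []}]},
    ]}}})

# What a hardened server (introspection disabled) typically returns instead.
DISABLED_RESPONSE = json.dumps(
    {"errors": [{"message": "GraphQL introspection is not allowed"}]})


if __name__ == "__main__":
    print(enumerate_operations(SAMPLE_RESPONSE))
    print(find_sensitive_fields(SAMPLE_RESPONSE))
```

The practitioner's check is the last constant: a production endpoint should answer like `DISABLED_RESPONSE`, and if it answers like `SAMPLE_RESPONSE` the whole schema, including `User.passwordHash`, is visible to anyone who can reach the endpoint.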
SQLi (SQL Injection)
SQL injection is a common threat in GraphQL today. GraphQL itself does not talk to the database; the resolver behind each field does, and when a resolver builds its SQL by concatenating a query argument instead of using a parameterized query, unfiltered user input reaches the database. A bad actor can then extract backend information, user data and other records, with huge impact.
Error-based SQLi can be probed by adding a single quote (') or other malicious input to an argument. Even if the application does not throw an error, it can still be vulnerable to blind, time-based and out-of-band SQL injection, so the absence of an error message is not proof that the resolver is safe.
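An added example (not from the original post) of the defect described above and its fix: two resolvers for a hypothetical `user(username: String!)` field, one that concatenates the argument into SQL and one that binds it as a parameter, driven by a constructed GraphQL request that carries the payload in the variables object. The database, table and rows are constructed in memory with SQLite so the example runs offline.

```python
import json
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hash-a"),
         ("bob", "bob@example.com", "hash-b")])
    conn.commit()
    return conn


def resolve_user_vulnerable(conn, username):
    """Resolver for the hypothetical `user(username: String!)` field that
    concatenates the argument into SQL. Deliberately vulnerable."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def resolve_user_safe(conn, username):
    """Same resolver with a parameterized query: the argument is bound as a
    value and can never change the structure of the statement."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def handle_graphql(conn, body_json, resolver):
    """Minimal stand-in for a GraphQL server: reads the `username` variable
    of the request and hands it to the resolver. Not a real GraphQL engine."""
    body = json.loads(body_json)
    username = body.get("variables", {}).get("username", "")
    rows = resolver(conn, username)
    return {"data": {"user": [{"username": u, "email": e} for u, e in rows]}}


def raises_sql_error(conn, resolver, payload):
    """Error-based probe: does this payload make the database complain?"""
    try:
        resolver(conn, payload)
        return False
    except sqlite3.Error:
        return True


# Constructed request as a bad actor would send it: a normal-looking query
# with the injection carried in the variables object, so it never shows up
# as a suspicious string inside the query text itself.
ATTACK_BODY = json.dumps({
    "query": "query ($username: String!) "
             "{ user(username: $username) { username email } }",
    "variables": {"username": "' OR '1'='1"},
})


if __name__ == "__main__":
    db = make_db()
    print(handle_graphql(db, ATTACK_BODY, resolve_user_vulnerable))  # both users
    print(handle_graphql(db, ATTACK_BODY, resolve_user_safe))        # no user
```

Against the vulnerable resolver the payload turns the lookup into `WHERE username = '' OR '1'='1'` and every row comes back; against the parameterized resolver the same string is simply a username nobody has. The `raises_sql_error` probe shows why a single quote is the first thing a tester sends, and why a quiet response from the safe resolver is the behaviour you want.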
Failure to Appropriately Rate-limit:
GraphQL APIs make rate limiting and other denial-of-service protections much more difficult: every operation arrives at the same endpoint, so a limit applied per URL path cannot tell an expensive or sensitive operation apart from a harmless one, and a single request can repeat the same field many times through aliases or batching. Suppose a reset-password function runs under the GraphQL API; without a limit on that specific operation, a bad actor can flood it, causing a DoS against that functionality, or mount other request-heavy attacks against your server.
A rate-limiting algorithm checks whether the user session (or IP address) has to be limited, based on the information recorded for that session, such as how many requests it has made within a given timeframe. When a client has made too many requests within that window, the HTTP server can respond with status code 429: Too Many Requests.
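An added example (not from the original post) of the algorithm just described applied to GraphQL's single endpoint: a sliding-window limiter keyed on client IP plus the root field being called, so the hypothetical `resetPassword` mutation gets its own tight budget and aliased repeats inside one request are each counted. The limits, field names, IPs and request bodies are all constructed for this example; the field scanner is a small helper, not a full GraphQL parser.

```python
import json
import time
from collections import defaultdict, deque


def root_fields(query):
    """Return the root fields a GraphQL document selects, one entry per
    occurrence, so aliased repeats (a: resetPassword b: resetPassword) are
    counted separately. A small scanner, not a full parser: it tracks brace
    depth and skips argument lists, but does not handle braces inside string
    literals or directives."""
    fields, depth, parens, i, n = [], 0, 0, 0, len(query)
    while i < n:
        c = query[i]
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif c == "(":
            parens += 1
        elif c == ")":
            parens -= 1
        elif depth == 1 and parens == 0 and (c.isalpha() or c == "_"):
            j = i
            while j < n and (query[j].isalnum() or query[j] == "_"):
                j += 1
            name = query[i:j]
            k = j
            while k < n and query[k].isspace():
                k += 1
            if k < n and query[k] == ":":      # "alias:" -> real field follows
                i = k + 1
                continue
            fields.append(name)
            i = j
            continue
        i += 1
    return fields


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Hypothetical policy: a tight limit on the sensitive mutation, loose default.
FIELD_LIMITS = {"resetPassword": (3, 60)}
DEFAULT_LIMIT = (100, 60)


class GraphQLGateway:
    """Front door that rate-limits per (client IP, root field) before a
    request is allowed to reach the resolvers."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.limiters = {}

    def _limiter(self, field):
        if field not in self.limiters:
            limit, window = FIELD_LIMITS.get(field, DEFAULT_LIMIT)
            self.limiters[field] = SlidingWindowLimiter(limit, window, self.clock)
        return self.limiters[field]

    def handle(self, client_ip, body_json):
        """Return the HTTP status the gateway would send: 200 if every root
        field is within its limit, 429 Too Many Requests otherwise."""
        query = json.loads(body_json).get("query", "")
        for field in root_fields(query):
            if not self._limiter(field).allow(f"{client_ip}:{field}"):
                return 429
        return 200


class FakeClock:
    """Controllable clock so the window can be advanced without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


# Constructed request bodies.
RESET_BODY = json.dumps({"query":
    'mutation Reset { resetPassword(email: "victim@example.com") { ok } }'})
USERS_BODY = json.dumps({"query": "{ users { id } }"})
ALIAS_ABUSE_BODY = json.dumps({"query": "mutation { " + " ".join(
    f'r{i}: resetPassword(email: "victim@example.com") {{ ok }}' for i in range(4)) + " }"})
```

Keying on the root field rather than the URL is the point: with one endpoint a per-path limit would throttle `users` and `resetPassword` together or not at all. Counting every occurrence returned by `root_fields` is what defeats the alias trick, where a single HTTP request carries the same mutation four times and would otherwise cost one hit.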
GraphQL has more threats beyond these, such as NoSQL injection, broken access control and sensitive data exposure.
Conclusion: GraphQL is a mature technology that many web applications implement, but it can hand an attacker a huge advantage if it is not configured properly. Today we discussed what GraphQL is, why we use it, and the common threats to GraphQL that a bad actor can use against your server. Hope you enjoyed!
Author: Pallab Jyoti Borah (VAPT Analyst)