Black Hat GraphQL: Attacking Next Generation APIs

Written by hackers for hackers, this hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you’re a penetration tester, security analyst, or software engineer, you’ll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required.

Following an introduction to core concepts, you’ll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries.

You’ll also learn how to:

  • Use data collection and target mapping to learn about targets
  • Defend APIs against denial-of-service attacks
  • Exploit insecure configurations in GraphQL servers to gather information on hardened targets
  • Impersonate users and take admin-level actions on a remote server
  • Uncover injection-based vulnerabilities in servers, databases, and client browsers
  • Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf
  • Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies

This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.

Author(s): Nick Aleks, Dolev Farhi
Publisher: No Starch Press
Year: 2023

Language: English
Pages: 414

Title Page
Copyright
About the Authors
Foreword
Acknowledgments
Introduction
Who This Book Is For
The Book’s Lab and Code Repository
What’s in This Book
Chapter 1: A Primer on GraphQL
The Basics
Origins
Use Cases
Specification
How Do Communications Work?
The Schema
Queries
The Query Parser and Resolver Functions
What Problems Does GraphQL Solve?
GraphQL APIs vs. REST APIs
The REST Example
The GraphQL Example
Other Differences
Your First Query
Summary
Chapter 2: Setting Up a GraphQL Security Lab
Taking Security Precautions
Installing Kali
Installing Web Clients
Querying from the Command Line with cURL
Querying from a GUI with Altair
Setting Up a Vulnerable GraphQL Server
Installing Docker
Deploying the Damn Vulnerable GraphQL Application
Testing DVGA
Installing GraphQL Hacking Tools
Burp Suite
Clairvoyance
InQL
Graphw00f
BatchQL
Nmap
Commix
graphql-path-enum
EyeWitness
GraphQL Cop
CrackQL
Summary
Chapter 3: The GraphQL Attack Surface
What Is an Attack Surface?
The Language
Queries, Mutations, and Subscriptions
Operation Names
Fields
Arguments
Aliases
Fragments
Variables
Directives
Data Types
Objects
Scalars
Enums
Unions
Interfaces
Inputs
Introspection
Validation and Execution
Common Weaknesses
Specification Rule and Implementation Weaknesses
Denial of Service
Information Disclosure
Authentication and Authorization Flaws
Injections
Summary
Chapter 4: Reconnaissance
Detecting GraphQL
Common Endpoints
Common Responses
Nmap Scans
The __typename Field
Graphw00f
Detecting GraphiQL Explorer and GraphQL Playground
Scanning for Graphical Interfaces with EyeWitness
Attempting a Query Using Graphical Clients
Querying GraphQL by Using Introspection
Visualizing Introspection with GraphQL Voyager
Generating Introspection Documentation with SpectaQL
Exploring Disabled Introspection
Fingerprinting GraphQL
Detecting Servers with Graphw00f
Analyzing Results
Summary
Chapter 5: Denial of Service
GraphQL DoS Vectors
Circular Queries
Circular Relationships in GraphQL Schemas
How to Identify Circular Relationships
Circular Query Vulnerabilities
Circular Introspection Vulnerabilities
Circular Fragment Vulnerabilities
Field Duplication
Understanding How Field Duplication Works
Testing for Field Duplication Vulnerabilities
Alias Overloading
Abusing Aliases for Denial of Service
Chaining Aliases and Circular Queries
Directive Overloading
Abusing Directives for Denial of Service
Testing for Directive Overloading
Object Limit Overriding
Array-Based Query Batching
Understanding How Array-Based Query Batching Works
Testing for Array-Based Query Batching
Chaining Circular Queries and Array-Based Query Batching
Detecting Query Batching by Using BatchQL
Performing a DoS Audit with GraphQL Cop
Denial-of-Service Defenses in GraphQL
Query Cost Analysis
Query Depth Limits
Alias and Array-Based Batching Limits
Field Duplication Limits
Limits on the Number of Returned Records
Query Allow Lists
Automatic Persisted Queries
Timeouts
Web Application Firewalls
Gateway Proxies
Summary
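The Chapter 5 outline above names three payload shapes (alias overloading, field duplication, array-based query batching) and the limits that counter them. What follows is an added example for this listing, not code from the book or from the Damn Vulnerable GraphQL Application: it builds each payload in Python and runs the resulting HTTP bodies through a text-level pre-filter of the kind a gateway proxy can apply before a query reaches any resolver. The schema fields (pastes, title, owner) and the numbers in LIMITS are assumed for illustration.

```python
"""Builds the denial-of-service payloads named in the Chapter 5 outline
(alias overloading, field duplication, array-based batching) and applies
the kind of cheap structural limits a gateway or middleware can enforce
before a query reaches any resolver.

Added illustration for this listing; not code from the book or from the
Damn Vulnerable GraphQL Application. The fields `pastes`, `title`, `owner`
and the numbers in LIMITS are assumed for the example only.
"""
import json
import re

SUBSELECTION = "{ title owner { name } }"                         # assumed schema shape
LIMITS = {"depth": 5, "aliases": 10, "fields": 50, "batch": 5}   # assumed policy


def alias_overload(field: str, subselection: str, count: int) -> str:
    """One operation that requests the same field `count` times under distinct
    aliases; each alias is resolved separately, so work scales with `count`."""
    body = "\n".join(f"  a{i}: {field} {subselection}" for i in range(count))
    return f"query {{\n{body}\n}}"


def field_duplication(field: str, subselection: str, count: int) -> str:
    """Same field repeated with no alias; still valid GraphQL."""
    body = "\n".join(f"  {field} {subselection}" for _ in range(count))
    return f"query {{\n{body}\n}}"


def array_batch(query: str, count: int) -> str:
    """`count` operations in a single HTTP body; a per-request rate limit sees one hit."""
    return json.dumps([{"query": query} for _ in range(count)])


_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_PARENS = re.compile(r"\([^()]*\)")


def _strip_arguments(query: str) -> str:
    """Remove string literals and (nested) argument lists so the only colons
    left belong to aliases and object-argument braces cannot inflate depth."""
    query = _STRING.sub('""', query)
    prev = None
    while prev != query:
        prev, query = query, _PARENS.sub("", query)
    return query


def query_stats(query: str) -> dict:
    """Text-level cost estimate: nesting depth, alias count, selected-field count.
    A heuristic, not a parser; fragment definitions are counted loosely."""
    text = _strip_arguments(query)
    depth = max_depth = 0
    for ch in text:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    aliases = len(re.findall(r"\b\w+\s*:\s*\w+", text))
    body = re.sub(r"\b\w+\s*:", "", text)                          # drop alias prefixes
    body = re.sub(r"@\w+", "", body)                               # drop directives
    body = re.sub(r"^\s*(query|mutation|subscription)\b\s*\w*", "", body)
    fields = [t for t in re.findall(r"[A-Za-z_]\w*", body) if t not in ("on", "fragment")]
    return {"depth": max_depth, "aliases": aliases, "fields": len(fields)}


def check_request(body: str, limits: dict = LIMITS) -> list:
    """Violations for one HTTP body (a JSON object or a JSON array of operations).
    An empty list means the request may be forwarded to the GraphQL engine."""
    payload = json.loads(body)
    ops = payload if isinstance(payload, list) else [payload]
    violations = []
    if len(ops) > limits["batch"]:
        violations.append(f"batch size {len(ops)} > {limits['batch']}")
    for i, op in enumerate(ops):
        stats = query_stats(op.get("query", ""))
        for key in ("depth", "aliases", "fields"):
            if stats[key] > limits[key]:
                violations.append(f"op {i}: {key} {stats[key]} > {limits[key]}")
    return violations


if __name__ == "__main__":
    requests = {
        "benign": json.dumps({"query": "query { pastes { title owner { name } } }"}),
        "alias overload": json.dumps({"query": alias_overload("pastes", SUBSELECTION, 100)}),
        "field duplication": json.dumps({"query": field_duplication("pastes", SUBSELECTION, 60)}),
        "array batch": array_batch("query { pastes { title } }", 50),
    }
    for name, req in requests.items():
        print(f"{name:18} {check_request(req) or 'allowed'}")
```

The point of the pre-filter is that every one of these payloads is syntactically valid and would pass schema validation; only counting aliases, repeated fields, nesting and batch size (after stripping argument lists, so an object argument cannot be mistaken for nesting) exposes the amplification. A production gateway should do the same counting on the parsed document rather than on the raw text, and pair it with the cost analysis and timeouts the chapter lists.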
Chapter 6: Information Disclosure
Identifying Information Disclosure Vectors in GraphQL
Automating Schema Extraction with InQL
Overcoming Disabled Introspection
Detecting Disabled Introspection
Exploiting Non-production Environments
Exploiting the __type Meta-field
Using Field Suggestions
Understanding the Edit-Distance Algorithm
Optimizing Field Suggestion Use
Considering Security Developments
Using Field Stuffing
Type Stuffing in the __type Meta-field
Automating Field Suggestion and Stuffing Using Clairvoyance
Abusing Error Messages
Exploring Excessive Error Messaging
Enabling Debugging
Inferring Information from Stack Traces
Leaking Data by Using GET-Based Queries
Summary
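The Chapter 6 outline above covers recovering a schema when introspection is disabled by abusing field suggestions, the edit-distance rule behind them, and field stuffing. The following is an added example for this listing, not code from the book or from the Clairvoyance tool: a Python probe loop that feeds a wordlist to a target, parses the "Did you mean" hints out of the validation errors, and keeps probing the hinted names until each one is confirmed. SCHEMA_FIELDS and WORDLIST are constructed so it runs offline, and mock_server() stands in for the target; it approximates the graphql-js suggestion rule (case-insensitive edit distance, threshold of about 40 % of the probed name's length), which is an assumption about the server, not a reproduction of it.

```python
"""Recovers field names from a GraphQL server that has introspection disabled
but still answers unknown fields with "Did you mean ..." suggestions, the
Chapter 6 technique outlined above (field suggestions, edit distance, stuffing).

Added illustration for this listing; not code from the book or from the
Clairvoyance tool. SCHEMA_FIELDS and WORDLIST are constructed so the example
runs offline, and mock_server() stands in for the target: it approximates the
graphql-js suggestion rule (a case-insensitive edit distance with a threshold
of about 40 % of the probed name's length). Real servers differ in metric and
threshold, so treat those numbers as tunable assumptions.
"""
import re

SCHEMA_FIELDS = {"pastes", "paste", "users", "systemHealth", "readAndBurn", "audits"}
WORDLIST = ["past", "user", "audit", "systemhealth", "nonexistent_zz"]   # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, case-insensitive. graphql-js also counts adjacent
    transpositions as one edit; that refinement is left out here."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggestions(probe: str, candidates) -> list:
    """Names within the (assumed) threshold, closest first, then alphabetical."""
    threshold = int(len(probe) * 0.4) + 1
    scored = sorted((edit_distance(probe, c), c) for c in candidates)
    return [name for dist, name in scored if dist <= threshold]


def mock_server(query: str) -> dict:
    """Stand-in target. Accepts `{ field }` only; unknown fields get the
    graphql-js-style validation error, known ones a (fake) data payload."""
    field = re.fullmatch(r"\s*\{\s*(\w+)\s*\}\s*", query).group(1)
    if field in SCHEMA_FIELDS:
        return {"data": {field: None}}
    message = f'Cannot query field "{field}" on type "Query".'
    hints = suggestions(field, SCHEMA_FIELDS)
    if hints:
        message += " Did you mean " + ", ".join(f'"{h}"' for h in hints) + "?"
    return {"errors": [{"message": message}]}


_DID_YOU_MEAN = re.compile(r"Did you mean (.+)\?")


def harvest_fields(send, wordlist) -> set:
    """Attacker side. Probe every word; a name counts as confirmed when the
    server does not reject it as an unknown field (a real server may instead
    complain about a missing sub-selection, which is still a confirmation).
    Suggested names are queued and probed in turn, since a hint is a lead,
    not proof, and a confirmed name may reveal further neighbours."""
    confirmed, queue, seen = set(), list(wordlist), set()
    while queue:
        word = queue.pop(0)
        if word in seen:
            continue
        seen.add(word)
        errors = send("{ " + word + " }").get("errors", [])
        unknown = [e for e in errors if e["message"].startswith(f'Cannot query field "{word}"')]
        if not unknown:
            confirmed.add(word)
            continue
        for err in unknown:
            m = _DID_YOU_MEAN.search(err["message"])
            if m:
                queue.extend(re.findall(r'"([^"]+)"', m.group(1)))
    return confirmed


if __name__ == "__main__":
    found = harvest_fields(mock_server, WORDLIST)
    for name in sorted(found):
        print("confirmed field:", name)
    print("not reachable from this wordlist:", sorted(SCHEMA_FIELDS - found))
```

Two things the run makes visible: the distance is case-insensitive, so a lowercase guess such as systemhealth leaks the camel-cased real name, and the threshold scales with the probe's length, so a name with no near neighbour in the wordlist (readAndBurn here) is never suggested. Against a real target the same loop is driven over HTTP, one request per probe, which is why the chapter's companion advice is to disable suggestions in production rather than rely on disabled introspection alone.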
Chapter 7: Authentication and Authorization Bypasses
The State of Authentication and Authorization in GraphQL
In-Band vs. Out-of-Band
Common Approaches
Authentication Testing
Detecting the Authentication Layer
Brute-Forcing Passwords by Using Query Batching
Brute-Forcing Passwords with CrackQL
Using Allow-Listed Operation Names
Forging and Leaking JWT Credentials
Authorization Testing
Detecting the Authorization Layer
Enumerating Paths with graphql-path-enum
Brute-Forcing Arguments and Fields with CrackQL
Summary
Chapter 8: Injection
Injection Vulnerabilities in GraphQL
The Blast Radius of Malicious Input
The OWASP Top 10
The Injection Surface
Query Arguments
Field Arguments
Query Directive Arguments
Operation Names
Input Entry Points
SQL Injection
Understanding the Types of SQL Injection
Testing for SQLi
Testing DVGA for SQLi with Burp Suite
Automating SQL Injection
Operating System Command Injection
An Example
Manual Testing in DVGA
Automated Testing with Commix
Code Review of a Resolver Function
Cross-Site Scripting
Reflected XSS
Stored XSS
DOM-Based XSS
Testing for XSS in DVGA
Summary
Chapter 9: Request Forgery and Hijacking
Cross-Site Request Forgery
Locating State-Changing Actions
Testing for POST-Based Vulnerabilities
Automatically Submitting a CSRF Form
Testing for GET-Based Vulnerabilities
Using HTML Injection
Automating Testing with BatchQL and GraphQL Cop
Preventing CSRF
Server-Side Request Forgery
Understanding the Types of SSRF
Searching for Vulnerable Operations, Fields, and Arguments
Testing for SSRF
Preventing SSRF
Cross-Site WebSocket Hijacking
Finding Subscription Operations
Hijacking a Subscription Query
Preventing CSWSH
Summary
Chapter 10: Disclosed Vulnerabilities and Exploits
Denial of Service
A Large Payload (HackerOne)
Regular Expressions (CS Money)
A Circular Introspection Query (GitLab)
Aliases for Field Duplication (Magento)
Array-Based Batching for Field Duplication (WPGraphQL)
Circular Fragments (Agoo)
Broken Authorization
Allowing Data Access to Deactivated Users (GitLab)
Allowing an Unprivileged Staff Member to Modify a Customer’s Email (Shopify)
Disclosing the Number of Allowed Hackers Through a Team Object (HackerOne)
Reading Private Notes (GitLab)
Disclosing Payment Transaction Information (HackerOne)
Information Disclosure
Enumerating GraphQL Users (GitLab)
Accessing the Introspection Query via WebSocket (Nuri)
Injection
SQL Injection in a GET Query Parameter (HackerOne)
SQL Injection in an Object Argument (Apache SkyWalking)
Cross-Site Scripting (GraphQL Playground)
Cross-Site Request Forgery (GitLab)
Summary
Appendix A: GraphQL API Testing Checklist
Reconnaissance
Denial of Service
Information Disclosure
Authentication and Authorization
Injection
Forging Requests
Hijacking Requests
Appendix B: GraphQL Security Resources
Penetration Testing Tips and Tricks
Hands-on Hacking Labs
Security Videos
Index