GraphQL Top 10: Attempt #1


My goal is to create a GraphQL Top 10. I was able to come up with 7 concrete issues and some generic ones, but I am excluding the generic issues for now…


GraphQL logo by SecurityGOAT :)

If you have read my blogs, you will know that I make hand-drawn images :)

It helps me bring out my creativity as well!

And so here’s the diagram I made for GraphQL.

Anyway, that’s not the point of this post… Today I intend to discuss the GraphQL Top 10 that I am aiming for.

I think the issues I listed are quite common with GraphQL, but I am 3 short of reaching my Top 10 list!

Since this is the first time I am featuring GraphQL on my blog, let me introduce you to each other!

GraphQL is a data query specification and a query language for your APIs. It is designed to be flexible and performant and, most importantly, it’s developer friendly!

With GraphQL, the client requests data from a single endpoint, specifying everything it needs (the fields required to render a view), and with 1 query it gets all the details it wants! Amazing, isn’t it :)

And btw, GraphQL returns only as much as you asked for: nothing more, nothing less! That saves you from the under-fetching and over-fetching issues that REST APIs typically face!

There are a lot of tutorials on this topic, and even the official documentation is fun to read, so I don’t intend to duplicate that effort.

So, if GraphQL seems interesting to you, check the docs; they are quite fun to follow.

Are you a pentester, bug bounty hunter or infosec nerd? Then I am sure you have heard of those awesome Top 10 lists that the “big boys” talk about! There’s a lot of traction around Top 10 lists. We have:

OWASP Web Application Security Top 10
OWASP API Security Top 10
OWASP Docker Top 10

You get the point, right… It’s quite the norm now to think in Top 10s, I suppose. And that got me thinking: why not have a comprehensive GraphQL Top 10 list!

That would be quite good to have and if I succeed, it would be my contribution to the infosec community :)

And therefore, here I am trying to come up with the Top 10 GraphQL API issues that have been found in the wild and are common things to try out while pentesting GraphQL APIs.

So I set out to find the Top 10 issues that GraphQL services or implementations would have!

The plan was: check the GraphQL spec and see if there are any ambiguities and room for error, because ambiguity is the enemy of security!

After that, I also set out to find all the security-related posts and research on GraphQL, and to read all the bug bounty reports submitted for GraphQL issues!

The Spec

So I set out and read the spec (it became quite boring towards the end), but I persevered and finished it, which made me proud of myself :)

The spec is nicely written and gave me a few ideas about areas where I might uncover some issues, maybe.

The Posts

Once done with the spec, I read a lot of posts on GraphQL security and even GraphQL internals, because why not :D

The Bug Bounty Reports

After reading the spec and the posts, I had already started formulating which issues I think could be there and which ones other researchers had found. And IDOR came out as the number 1 issue that most GraphQL services had! That was no surprise to me, since the GraphQL documentation clearly tells you to delegate the authorization logic to the business logic layer:

Authorization must be handled in the business logic layer!

And devs are lazy, right? When they see everything GraphQL gives out of the box, it’s quite tempting to assume it’s a magical solution that does everything you want, forgetting to pay attention to nuances like this one. And that’s how you get Broken Authorization issues in your code!

And therefore, this vulnerability had to be number 1 on my list!
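To make the point concrete, here is an added example (not code from the original post): a GraphQL resolver written in the graphql-js style, (parent, args, context) => result, over a constructed in-memory order table. The first resolver trusts the client-supplied id and hands back any order, which is exactly the IDOR pattern; the second delegates to a business-logic function that checks ownership, as the docs ask. The data, the user ids and the function names are all assumptions.

```javascript
// Added example, not from the original post. Constructed sample data:
// two users, each owning one order.
const ORDERS = new Map([
  ["o-100", { id: "o-100", ownerId: "u-1", total: 42.0 }],
  ["o-200", { id: "o-200", ownerId: "u-2", total: 99.5 }],
]);

// Vulnerable: the resolver only fetches by id. GraphQL validated the query
// shape, but nothing checked that the caller may read this particular order,
// so any authenticated user can read any order by guessing ids (IDOR).
function orderResolverVulnerable(_parent, args, _context) {
  return ORDERS.get(args.id) || null;
}

// Business-logic layer: authorization lives here, not in the resolver, so
// every transport (GraphQL, REST, jobs) gets the same decision.
function getOrderForUser(orderId, user) {
  if (!user) throw new Error("unauthenticated");
  const order = ORDERS.get(orderId);
  // Answer "not found" for both missing and foreign orders so the API does
  // not confirm which ids exist (avoids an information disclosure side channel).
  if (!order || order.ownerId !== user.id) return null;
  return order;
}

// Hardened: the resolver passes the authenticated principal from context and
// lets the business logic decide.
function orderResolverHardened(_parent, args, context) {
  return getOrderForUser(args.id, context.user);
}

// Simulate a request from user u-1 asking for u-2's order, and for its own.
const ctxUser1 = { user: { id: "u-1" } };

function demo() {
  return {
    vulnerable: orderResolverVulnerable(null, { id: "o-200" }, ctxUser1), // leaks u-2's order
    hardened: orderResolverHardened(null, { id: "o-200" }, ctxUser1),     // null
    ownOrder: orderResolverHardened(null, { id: "o-100" }, ctxUser1),     // u-1's own order
  };
}
```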

Then I realised that authentication is not GraphQL’s problem either, since GraphQL only deals with querying data and nothing else.

So this would be another problem, and indeed it was: Broken Authentication.

Reading more posts revealed issues like CSRF, Information Disclosure, DoS, Privilege Escalation, brute-force attacks to retrieve passwords and 2FA codes (batching attacks), session invalidation issues and race conditions.

So I set out to order them based on how many platforms had these issues. This is work that is still in progress… There are a lot of reports to read and understand before I can fully comment on the ordering, and since I want the ordering to be as accurate as it can be, I am taking some time to check every resource out there!

Also, I have avoided including some generic issues like Insufficient Logging and Monitoring, which are included in the OWASP API Security Top 10. But I don’t see any harm in including these issues as well, because if there is logging in place, then discovering such attacks becomes quite easy. I agree that if an organization is huge, it might have to deploy solutions that analyze GraphQL queries, tell the good apart from the bad and alert the security team. But that isn’t quite there yet and might lead to false positives until the solutions mature enough. So there’s quite some time before we get there, with such great tooling for the defenders!

I haven’t yet found the perfect GraphQL Top 10 listing, so this search will definitely continue, and hopefully by tomorrow morning I will have some definite answers for you all :)
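As an added example (not code from the original post), here is a small analyser in the spirit of the query-inspection tooling mentioned above. It reads constructed request logs and flags the batching attacks from the list, where one HTTP request carries many 2FA attempts, either as aliased repeats of a field inside one operation or as a JSON array of operations. The log format, the IPs and the field name verifyOtp are assumptions.

```javascript
// Added example, not from the original post. Constructed sample log lines,
// one JSON record per HTTP request to the GraphQL endpoint.
const LOG_LINES = [
  '{"ts":"2023-01-01T10:00:00Z","ip":"203.0.113.5","body":{"query":"mutation { verifyOtp(code: \\"123456\\") { ok } }"}}',
  // Alias batching: four OTP guesses inside a single operation.
  '{"ts":"2023-01-01T10:00:01Z","ip":"203.0.113.9","body":{"query":"mutation { a0: verifyOtp(code: \\"000000\\") { ok } a1: verifyOtp(code: \\"000001\\") { ok } a2: verifyOtp(code: \\"000002\\") { ok } a3: verifyOtp(code: \\"000003\\") { ok } }"}}',
  // Transport batching: a JSON array of operations in one request.
  '{"ts":"2023-01-01T10:00:02Z","ip":"203.0.113.9","body":[{"query":"mutation { verifyOtp(code: \\"000004\\") { ok } }"},{"query":"mutation { verifyOtp(code: \\"000005\\") { ok } }"},{"query":"mutation { verifyOtp(code: \\"000006\\") { ok } }"}]}',
  '{"ts":"2023-01-01T10:00:03Z","ip":"203.0.113.7","body":{"query":"query { me { id name } }"}}',
];

// Count how many times a sensitive field is selected in one GraphQL document.
// Aliases ("a1: verifyOtp(...)") are what let a client repeat the same field
// in one operation, so we count field selections, not operations.
function countField(query, field) {
  const re = new RegExp("\\b" + field + "\\s*[({]", "g");
  return (query.match(re) || []).length;
}

// Normalise the two request shapes GraphQL servers accept: a single {query}
// object, or a JSON array of them (transport-level batching).
function operationsOf(body) {
  return Array.isArray(body) ? body : [body];
}

// Attempts per request: field occurrences summed over every operation.
function attemptsInRequest(body, field) {
  return operationsOf(body).reduce((n, op) => n + countField(op.query || "", field), 0);
}

// Scan the log; alert on any request carrying more attempts than allowed.
// A per-request cap (rather than per-IP rate limiting alone) is what catches
// batching, because the whole burst arrives in one request.
function findBatchingAbuse(lines, field, maxAttempts) {
  const alerts = [];
  for (const line of lines) {
    const rec = JSON.parse(line);
    const attempts = attemptsInRequest(rec.body, field);
    if (attempts > maxAttempts) {
      alerts.push({ ts: rec.ts, ip: rec.ip, attempts, operations: operationsOf(rec.body).length });
    }
  }
  return alerts;
}
```

The same counter can be run in the server's validation step to reject a request before the resolvers execute, which is the mitigation side of the same check.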

I hope you like this post and got some value out of it!

If you are curious to learn more about other infosec-related topics, feel free to reach out and connect on Twitter: https://twitter.com/RuntimeSecurity

Btw, if you are enjoying my work and would like to support me, then please check out my Patreon page.

See ya!
Until next time, keep learning and keep hacking.
