COMMSEC: GraphQL is Falling Down – Breaking GraphQL Servers with Queries

This talk will be live streamed on the HITBSecConf Youtube Channel

Websites are widely adopting GraphQL, an open-source data query and manipulation language for APIs. The approach taken by this language looks appealing because it lets API endpoints be defined dynamically, and there are server libraries for languages such as Haskell, JavaScript, Perl, Python, Ruby, Java, C#, Scala, Go, Elixir, Erlang, PHP, R, and Clojure. Major companies, as well as multiple cloud vendors, are implementing this technology.

The specification states that clients are responsible for specifying what they will consume. Because of this design, GraphQL API servers can be abused to deplete the server's resources. The most popular implementations in different languages were tested, and the availability of all of them could be compromised. Even before developers start defining their GraphQL schemas, the server's availability is vulnerable by default.

Multiple new attack vectors, along with a complete tool to identify and test GraphQL API servers, will be released to facilitate testing and research.

COMMSEC TRACK
Location: Track 4 / CommSec
Date: April 23, 2020
Time: 5:30 pm - 6:30 pm
Speaker: Fernando Arnaboldi