Original Post: GraphQL Vulnerabilities and Common Attacks: Seen in the Wild
This blog delves into recent real-world examples of GraphQL attacks, building upon their previous overview of GraphQL security. It emphasizes a need for basic understanding of GraphQL and its security considerations, recommending their prior blog for beginners.
Key Insights and Statistics:
- Monitoring of around 6,000 endpoints revealed that 70% of GraphQL traffic is mobile-based, 15% from automated tools, and only 5% from browsers.
- POST requests with ‘Content-type: application/json’ were the most observed. The ‘query’ operation constituted nearly 90% of traffic.
Attack Examples:
- Introspection Attack: Attackers exploit GraphQL’s introspection feature to uncover API schema details, often using the ‘__schema’ field. Disabling introspection in production environments is recommended.
- GraphiQL Endpoint Discovery: Attackers search for GraphiQL endpoints to gain detailed interface access, iterating through potential paths.
- Directive Overloading: Overloading servers with multiple custom directives, often leading to DoS attacks.
- Circular Fragments: Creating infinite loops by calling fragments recursively, potentially causing server crashes.
- Batch Queries: Sending multiple queries in one request to overload the server.
Furthermore, the blog highlights legitimate-looking yet harmful requests like circular queries, which can severely load a server, and alias overloading, where multiple aliases are used in a query to exploit batching.
Conclusion:
Securing GraphQL endpoints involves implementing rate limiting, validating inputs, and ensuring robust authentication and authorization. Imperva offers tools including the Web Application and API Protection (WAAP) suite and specific GraphQL rules to address these threats. Imperva also encourages users to try their services with a 30-day free trial.
Go here to read the Original Post