Scanning a GraphQL API for Vulnerabilities

Since June 2020, Acunetix helps the more and more common API question language – GraphQL. On this article, we wish to present you step-by-step how you can scan an API outlined utilizing GraphQL. To do that, you’ll first create an deliberately weak API and its GraphQL definition, then scan it utilizing Acunetix, remove vital vulnerabilities that you simply discovered utilizing Acunetix, and confirm that they’ve been eradicated.

Stage 1: Set Up Your Check Atmosphere

To have the ability to comply with this train, you need to put together a take a look at surroundings. For this train, we used the Home windows working system with open-source software program.

  1. Set up Wamp64 as your native net server with PHP and MySQL
  2. Set the Home windows path surroundings variable to level to your PHP and MySQL executables:
    • Run the Home windows executable systempropertiesadvanced.exe
    • Go to the Superior tab
    • Click on on Atmosphere Variables
    • Add your php.exe folder and your mysql.exe folder to the checklist of paths; typical values so as to add could be:
      • c:wamp64binphpphp7.3.21
      • c:wamp64binmysqlmysql5.7.31bin
  3. Set up the Composer dependency supervisor for PHP

Stage 2: Construct a Easy GraphQL API

To scan a GraphQL API with Acunetix, you’ll construct a easy, deliberately weak API. To construct the API, it’s essential to carry out the next steps:

  1. Create a database in your net server to retailer your information
  2. Create an internet service root folder and set up some dependency libraries
  3. Create a GraphQL schema file
  4. Create a GraphQL schema loader file
  5. Create an index file to deal with GraphQL requests
  6. Create a resolvers file

Step 1: Create a Database on Your Net Server

To arrange a database in your Wamp64 net server, carry out the next actions

  1. Open the command immediate
  2. Run mysql -u root
  3. Run the next instructions from the MySQL root immediate:mysql> create person ‘graphuser’@’localhost’ recognized by ‘graphuserpass’;
    mysql> create database graphusersdb;
    mysql> GRANT ALL PRIVILEGES ON graphusersdb.* TO ‘graphuser’@’localhost’;
    mysql> use graphusersdb;
    mysql> CREATE TABLE `customers` (`id` int(11) NOT NULL AUTO_INCREMENT,`fname` varchar(255) NOT NULL, `lname` varchar(255) NOT NULL, `e mail` varchar(255) NOT NULL, `notes` varchar(255) DEFAULT NULL, PRIMARY KEY (`id`), UNIQUE KEY `e mail` (`e mail`));
    mysql> INSERT INTO customers (fname, lname, e mail) VALUES (‘John’, ‘Smith’, ‘[email protected]’);
    mysql> INSERT INTO customers (fname, lname, e mail) VALUES (‘Jane’, ‘Doe’, ‘[email protected]’);

Step 2: Create the Net Service Root Folder

To create the net service root folder, carry out the next actions:

  1. Open a command immediate
  2. Run the next instructions to create the folders on your challenge, together with PHP library dependencies:C:>mkdir C:wamp64wwwgraphusers
    C:>cd C:wamp64wwwgraphusers
    C:wamp64wwwgraphusers>composer require leocavalcante/siler
    C:wamp64wwwgraphusers>composer require overblog/dataloader-php
    C:wamp64wwwgraphusers>composer require webonyx/graphql-php

Step 3: Create a GraphQL Schema File

Create a C:wamp64wwwgraphusersschema.graphql file with the next content material:

kind Question

kind Mutation

kind Person
id: Int
fname: String
lname: String
e mail: String
notes: String

Step 4: Create a GraphQL Schema Loader File

Create a C:wamp64wwwgraphusersschema.php file with the next content material:

$resolvers = embody __DIR__.’/resolvers.php’;

return Graphqlschema($typeDefs, $resolvers);

Step 5: Create an Index File to Deal with GraphQL Requests

Create a C:wamp64wwwgraphusersindex.php file with the next content material:

}

​perform select_sql($question, $sql_args)
international $MyDB;
$stmt = $MyDB->put together($question);
$stmt->execute($sql_args);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
return $rows;

​perform insert_sql($question, $sql_args)
international $MyDB;
$stmt = $MyDB->put together($question);
return $stmt->execute($sql_args); // true if profitable; false if not profitable

​perform delete_sql($question, $sql_args)
international $MyDB;
$stmt = $MyDB->put together($question);
return $stmt->execute($sql_args); // true if profitable; false if not profitable

$graphQLSyncPromiseAdapter = new SyncPromiseAdapter();
$promiseAdapter = new WebonyxGraphQLSyncPromiseAdapter($graphQLSyncPromiseAdapter);

WGraphQL::setPromiseAdapter($graphQLSyncPromiseAdapter);

$context = [
‘select_sql’ => perform ($question, $sql_args) ,
‘insert_sql’ => perform ($question, $sql_args) ,
‘delete_sql’ => perform ($question, $sql_args) ,
];

if (Requestmethod_is(‘put up’))

Step 6: Create a Resolvers File

Create a C:wamp64wwwgraphusersresolvers.php file with the next content material:

    getUser’ => perform($root, $args, $context)
return $context[‘select_sql’](“SELECT id, fname, lname, e mail, notes FROM customers WHERE e mail=:e mail”, [’email’=>$args[’email’]]);

],
‘Mutation’ => [
‘addUser’ => perform($root, $args, $context) {
$dummy = $context[‘insert_sql’](“INSERT INTO customers (fname, lname, e mail, notes) VALUES (‘” . $args[‘fname’] . “‘, ‘” . $args[‘lname’] . “‘, ‘” . $args[’email’] . “‘, ‘” . $args[‘notes’] . “‘)”, []);
if ($dummy)
return null;
},
‘delUser’ => perform($root, $args, $context) {
$delrecord = $context[‘select_sql’](“SELECT id, fname, lname, e mail, notes FROM customers WHERE e mail=:e mail”, [’email’=>$args[’email’]]);
$dummy = $context[‘delete_sql’](“DELETE FROM customers WHERE e mail=:e mail”, [’email’=>$args[’email’]]);
if ($dummy) {
return $delrecord;
}
return null;
}
] ];

Stage 3: Scan Your GraphQL API

On this instance, the net service definition is on the following URL: http://localhost/graphusers/schema.graphql. To scan the net service with Acunetix:

  1. Create a brand new goal with the next URL: http://localhost/graphusers/
  2. Import an amended schema file to your goal:
    • Obtain the schema file from the next URL: http://localhost/graphusers/schema.graphql
    • Insert one line on the high of the file to specify the GraphQL endpoint; the file ought to seem like this:graphql_endpoint=”/graphusers/”;
      kind Questionkind Mutation

      kind Person
      id: Int
      fname: String
      lname: String
      e mail: String
      notes: String

    • Find the Import Information part of your goal configuration and import the amended schema fileScanning a GraphQL API for Vulnerabilities
  3. Deploy the PHP AcuSensor to your net service
  4. Launch a Full Scan of your net service and watch for it to finish

Stage 4: Establish Vulnerabilities in Your GraphQL API

Study the checklist of vulnerabilities on your scan. We will consider the SQL injection vulnerabilities for this train, since all of them have the identical root trigger.

Scanning a GraphQL API for Vulnerabilities
Acunetix exhibits the Assault Particulars — the GraphQL API name had variables injected with delay instructions and Acunetix was in a position to affirm that the responses had been certainly delayed by the required variety of seconds. This confirms that the API name is weak to SQL injection, permitting a malicious hacker to craft further requests to probably retrieve massive volumes of knowledge.

Scanning a GraphQL API for Vulnerabilities

Stage 5: Resolve the Vulnerabilities

A fast have a look at the addUser mutation perform contained in the resolvers.php class file can reveal the foundation trigger. The question is constructed utilizing string concatenation:

$dummy = $context[‘insert_sql’](“INSERT INTO customers (fname, lname, e mail, notes) VALUES (‘” . $args[‘fname’] . “‘, ‘” . $args[‘lname’] . “‘, ‘” . $args[’email’] . “‘, ‘” . $args[‘notes’] . “‘)”, []);
]

The $args[‘fname’] variable and different variables are being merely concatenated to the question string with none validation. We are able to regulate the code by utilizing parameterized queries. The newly-adjusted line within the resolvers.php file would seem like this:

$dummy = $context[‘insert_sql’](“INSERT INTO customers (fname, lname, e mail, notes) VALUES (:fname, :lname, :e mail, :notes)”, [‘fname’=>$args[‘fname’],  ‘lname’=>$args[‘lname’], ‘e mail’=>$args[’email’], ‘notes’=>$args[‘notes’]]);

Stage 6: Rescan to Affirm Decision

Go to the checklist of vulnerabilities for the scan and choose the SQL injection vulnerability you will have simply resolved.

Click on on the Retest button — it will create a brand new scan to check the chosen vulnerabilities once more. The outcomes will present that you’ve got efficiently resolved the vulnerabilities.

Scanning a GraphQL API for Vulnerabilities

THE AUTHOR
Scanning a GraphQL API for Vulnerabilities

Kevin Attard Compagno
Technical Author

Kevin Attard Compagno is a Technical Author working for Acunetix. A technical author, translator, and basic IT buff for over 30 years, Kevin used to run Technical Help groups and create coaching paperwork and different materials for in-house technical workers.

graphql security vulnerabilities,graphql ctf,stackhawk,graphql vulnerabilities hackerone,rest vs graphql security,apollo graphql security,graphql tips and tricks,graphql wallarm,graphql scanner,graphql security testing,graphql voyager,graphql introspection security,graphql injection hackerone