5 critical vulnerabilities in GraphQL, used to build modern web & mobile applications

Cyber security solutions specialists have disclosed 5 critical vulnerabilities in GraphQL (GQL), a data query language that a considerable number of modern websites and mobile applications use as part of their technology stack. GraphQL simplifies fetching data from a server to a client through a single API call.

To analyze these vulnerabilities, a group of researchers from Carve created a demo API. Below is a brief overview of the reported flaws.

Inconsistent authorization checks

While GraphQL helps implement proper data validation, API developers are left to implement authentication and authorization on top of it themselves. Worse, the "layers" of a GraphQL API make this more complicated: authorization checks must be present not only in query-level resolvers, but also in the resolvers that load additional (nested) data.

According to the cyber security solutions experts who created the demo API, one vulnerability in it allows retrieving a publication by ID, with no authorization checks at all.
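The following is an added example, not code from the article or from Carve's demo API. It uses the graphql-js resolver signature `(parent, args, context)` with constructed in-memory data and no GraphQL library, and contrasts the unchecked ID lookup with resolvers that apply one shared policy at the query level and in the nested `User.posts` resolver; the names `canViewPost`, `requireCanView` and the sample records are assumptions.

```javascript
// Constructed sample data for this example (not the demo API's data).
const users = {
  1: { id: 1, name: "alice", role: "admin" },
  2: { id: 2, name: "bob", role: "user" },
};
const posts = {
  10: { id: 10, title: "public roadmap", authorId: 1, visibility: "public" },
  11: { id: 11, title: "internal draft", authorId: 1, visibility: "private" },
};

class ForbiddenError extends Error {}

// One policy shared by every layer (hypothetical rule): a private post is
// visible only to its author or to an admin; a public post to anyone.
function canViewPost(viewer, post) {
  if (post.visibility === "public") return true;
  if (!viewer) return false;
  return viewer.role === "admin" || viewer.id === post.authorId;
}

function requireCanView(viewer, post) {
  if (!canViewPost(viewer, post)) throw new ForbiddenError(`post ${post.id}: forbidden`);
  return post;
}

// The flaw described above: fetch-by-ID with no authorization check.
const vulnerableResolvers = {
  Query: { post: (_parent, { id }) => posts[id] ?? null },
};

// Hardened: the check runs in Query.post AND in the nested User.posts
// resolver, so a private post is not reachable via user(id) { posts { title } }.
const resolvers = {
  Query: {
    post: (_parent, { id }, ctx) => {
      const p = posts[id];
      return p ? requireCanView(ctx.viewer, p) : null;
    },
    user: (_parent, { id }) => users[id] ?? null,
  },
  Post: { author: (post) => users[post.authorId] ?? null },
  User: {
    posts: (user, _args, ctx) =>
      Object.values(posts).filter((p) => p.authorId === user.id && canViewPost(ctx.viewer, p)),
  },
};

// Helper used to compare both variants: returns the title or "forbidden".
function titleSeenBy(rs, viewer, id) {
  try { const p = rs.Query.post(null, { id }, { viewer }); return p ? p.title : null; }
  catch (e) { if (e instanceof ForbiddenError) return "forbidden"; throw e; }
}
```

Running `titleSeenBy` with an anonymous viewer against post 11 shows the difference: the vulnerable resolver returns the private draft, the hardened one refuses.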

Weak REST proxy layers

A GraphQL API that sits in front of REST services is often implemented as a proxy layer: a resolver in the GraphQL layer forwards a request such as GET /api/users/1 to the back-end API. If this is implemented incorrectly, threat actors might modify the path or the parameters passed to the back-end API.

Experts mention that proper URL encoding and validation of the parameters passed on to another service can mitigate the risk of this flaw being exploited.

Custom scalar validation evasion

In GQL, raw data is represented with a scalar type, and is eventually passed in as input or returned as output. The basic set of scalar types is sufficient for many simple APIs, but for scenarios where additional raw data types are useful, GraphQL allows application developers to define their own scalar types.

If developers implement their own scalar type, they become responsible for its sanitization and validation, cyber security solutions specialists mentioned.

Inconsistent rate limiting

The number of actions performed by a GQL query is variable by nature, so a single query can consume an unpredictable amount of server resources. This is why the rate-limiting techniques used for REST APIs do not carry over to GQL APIs. In other words, REST API strategies are insufficient for GQL APIs.

Public data leaking due to introspection function

Adding hidden features to API endpoints is tempting for developers; such features might be shielded from public view behind administrator access or on a separate API endpoint. A GraphQL feature called introspection, however, makes it very easy to discover these hidden endpoints.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.