Securing GraphQL with Advanced WAF declarative policies

While REST has become the industry standard for designing Web APIs, GraphQL is rising in popularity as a more flexible and efficient alternative.

Problem statement

Like REST, GraphQL is usually served over HTTP and is prone to the typical Web API security vulnerabilities, such as injection attacks, Denial of Service (DoS) attacks and abuse of flawed authorization. However, the mitigation strategies required to prevent a security breach of the GraphQL server must be specifically tailored to GraphQL.

Unlike REST, where Web resources are identified by multiple URLs, a GraphQL server operates on a single URL. Therefore, Web Application Firewalls (WAFs) configured to filter traffic based on URLs and query strings cannot effectively protect a GraphQL app. Instead, WAF policies for GraphQL must analyze and operate at the query level. In addition, GraphQL allows batching multiple queries in a single network call, which enables a batching attack specific to GraphQL: many operations (for example, credential or token guesses) are packed into one HTTP request, so per-request rate limits and request logging see only a single call.
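
To make the single-endpoint problem concrete, the following added example (not part of the original article and not F5 code) shows why a URL-based rule is blind to GraphQL abuse and what a query-level check has to look at instead: it parses a GraphQL-over-HTTP body, counts batched operations, measures selection-set nesting depth and flags introspection. The request bodies are constructed for the example; the depth counter is a simplified approximation of a structure-depth check, not Advanced WAF's algorithm, and the limit names only mirror the policy attributes discussed later for readability.

```python
"""Query-level inspection of GraphQL-over-HTTP requests.

Added illustration, not F5 code. Request bodies below are constructed for the
example; the limits mirror the names of the policy's defenseAttributes, but the
checks are simplified approximations, not Advanced WAF's implementation.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# GraphQL string literals (block strings first), so braces inside them do not
# count towards nesting depth.
STRING_LITERAL = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"')
# Introspection entry points defined by the GraphQL specification.
INTROSPECTION = re.compile(r"\b__(schema|type)\b")


@dataclass
class Limits:
    """Limits to enforce; names follow the article's defenseAttributes (assumed mapping)."""
    maximum_structure_depth: int = 10
    maximum_batched_queries: int = 10
    allow_introspection_queries: bool = False


def url_based_filter(path: str, allowed_paths: tuple[str, ...] = ("/graphql",)) -> str:
    """What a URL/query-string rule sees: every GraphQL request hits the same
    path, so the benign query and the 25-way batch below get the same verdict."""
    return "allow" if path in allowed_paths else "block"


def operations(body: str) -> list[dict]:
    """A GraphQL-over-HTTP body is one operation object or, when batched, a JSON array of them."""
    data = json.loads(body)
    return data if isinstance(data, list) else [data]


def selection_depth(query: str) -> int:
    """Maximum nesting of selection-set braces in an operation (simplified depth metric)."""
    depth = deepest = 0
    for ch in STRING_LITERAL.sub('""', query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def inspect(body: str, limits: Limits) -> list[str]:
    """Return the list of violations for one HTTP request body (empty when clean)."""
    ops = operations(body)
    violations = []
    if len(ops) > limits.maximum_batched_queries:
        violations.append(f"batch of {len(ops)} operations exceeds {limits.maximum_batched_queries}")
    for i, op in enumerate(ops):
        query = op.get("query", "")
        depth = selection_depth(query)
        if depth > limits.maximum_structure_depth:
            violations.append(f"op[{i}]: depth {depth} exceeds {limits.maximum_structure_depth}")
        if not limits.allow_introspection_queries and INTROSPECTION.search(query):
            violations.append(f"op[{i}]: introspection query")
    return violations


# --- Constructed sample bodies (all would be sent as POST /graphql) ----------
BENIGN_BODY = json.dumps({"query": "query { me { id name } }"})
# Twelve nested selection sets: a complexity-based DoS attempt.
DEEP_QUERY = "query " + "".join(f"{{ level{i} " for i in range(12)) + "id" + " }" * 12
DEEP_BODY = json.dumps({"query": DEEP_QUERY})
# Array batching: 25 password guesses in a single network call.
BATCH_BODY = json.dumps(
    [{"query": f'mutation {{ login(user: "admin", password: "guess{n}") {{ token }} }}'} for n in range(25)]
)
INTROSPECTION_BODY = json.dumps({"query": "{ __schema { types { name } } }"})

if __name__ == "__main__":
    for label, body in [("benign", BENIGN_BODY), ("deep", DEEP_BODY),
                        ("batch", BATCH_BODY), ("introspection", INTROSPECTION_BODY)]:
        print(f"{label:13} url-filter={url_based_filter('/graphql')} "
              f"query-level={inspect(body, Limits()) or 'clean'}")
```

Run stand-alone, the script shows the URL filter returning "allow" for all four bodies while the query-level check flags the deep query, the 25-way batch and the introspection query. Note that the batch counter only covers array batching; aliasing many fields inside one operation is a second batching form that a depth or operation count alone does not catch.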

Proposed solution

BIG-IP Advanced WAF has a number of features specifically designed for securing GraphQL APIs:

  • A GraphQL Security Policy Template that enables quick deployment of GraphQL WAF policies
  • A GraphQL Content Profile that groups all the configuration relevant to GraphQL
  • Support for the most common GraphQL use cases, where the JSON payload is sent in a POST body or as a GET URL parameter
  • Native parsing of GraphQL, which enables the application of attack signatures to each JSON field with a very low rate of false positives
  • Protection against complexity-based Denial of Service attacks through a configurable maximum query depth
  • Support for enforcing the best practice of deploying GraphQL APIs with introspection disabled; introspection is the primary way for attackers to learn the API schema and tailor their attacks accordingly
  • An option to control the number of allowed batched requests
  • GraphQL-specific security violations allowing fine tuning of the WAF policy

Example configuration

GraphQL configuration of the WAF policy can be done through the GUI or programmatically, through the declarative policy model, which allows easy integration in automated environments that leverage, for example, CI/CD tools.

As an example, below is a basic GraphQL declarative policy demonstrating some of the features listed above. Note that this example keeps allowIntrospectionQueries and tolerateParsingWarnings set to true, which is convenient while the policy is being tuned; for a production deployment, set allowIntrospectionQueries to false in line with the best practice above, and review the batch and depth limits against the application's legitimate queries.

{
   "policy" : {
      "applicationLanguage" : "utf-8",
      "caseInsensitive" : false,
      "description" : "WAF Policy with GraphQL Profile",
      "enablePassiveMode" : false,
      "enforcementMode" : "blocking",
      "signature-settings" : {
         "signatureStaging" : false
      },
      "filetypes" : [
         {
            "allowed" : true,
            "checkPostDataLength" : true,
            "checkQueryStringLength" : true,
            "checkRequestLength" : true,
            "checkUrlLength" : true,
            "name" : "php",
            "performStaging" : true,
            "postDataLength" : 1000,
            "queryStringLength" : 1000,
            "requestLength" : 5000,
            "responseCheck" : false,
            "type" : "explicit",
            "urlLength" : 100
         }
      ],
      "fullPath" : "/Common/waf_policy_withgraphql",
      "graphql-profiles" : [
         {
            "attackSignaturesCheck" : true,
            "defenseAttributes" : {
               "allowIntrospectionQueries" : true,
               "maximumBatchedQueries" : 10,
               "maximumStructureDepth" : 10,
               "maximumTotalLength" : 100000,
               "maximumValueLength" : 10000,
               "tolerateParsingWarnings" : true
            },
            "description" : "",
            "metacharElementCheck" : false,
            "name" : "graphql_profile"
         }
      ],
      "name" : "waf_policy_withgraphql",
      "protocolIndependent" : false,
      "softwareVersion" : "16.1.0",
      "template" : {
         "name" : "POLICY_TEMPLATE_GRAPHQL"
      },
      "type" : "security",
      "urls" : [
         {
            "attackSignaturesCheck" : true,
            "clickjackingProtection" : false,
            "description" : "",
            "disallowFileUploadOfExecutables" : false,
            "html5CrossOriginRequestsEnforcement" : {
               "enforcementMode" : "disabled"
            },
            "isAllowed" : true,
            "mandatoryBody" : false,
            "method" : "*",
            "methodsOverrideOnUrlCheck" : false,
            "name" : "/graphql",
            "performStaging" : false,
            "protocol" : "https",
            "type" : "explicit",
            "urlContentProfiles" : [
               {
                  "contentProfile" : {
                     "name" : "graphql_profile"
                  },
                  "headerName" : "*",
                  "headerOrder" : "default",
                  "headerValue" : "*",
                  "type" : "graphql"
               }
            ]
         }
      ]
   }
}
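
The following added script (not part of the original article and not F5 code) shows the kind of gate a CI/CD pipeline can put in front of the declarative policy above: it loads a copy of the policy trimmed to the keys that matter here, audits the graphql-profiles and their URL attachments against a production baseline, and emits a hardened copy. The baseline values (introspection off, parsing warnings not tolerated, at most 5 batched operations, depth at most 8) are assumptions chosen for the example, not Advanced WAF defaults; the key names are those of the policy above.

```python
"""Audit and harden the GraphQL settings of a BIG-IP Advanced WAF declarative policy.

Added example, not F5 code. Baseline thresholds are the author's assumptions;
key names follow the declarative policy shown in the article.
"""
from __future__ import annotations

import copy
import json

# Trimmed copy of the article's policy: only the keys this audit inspects.
POLICY_JSON = """{
  "policy": {
    "name": "waf_policy_withgraphql",
    "enforcementMode": "blocking",
    "graphql-profiles": [
      {
        "name": "graphql_profile",
        "attackSignaturesCheck": true,
        "metacharElementCheck": false,
        "defenseAttributes": {
          "allowIntrospectionQueries": true,
          "maximumBatchedQueries": 10,
          "maximumStructureDepth": 10,
          "maximumTotalLength": 100000,
          "maximumValueLength": 10000,
          "tolerateParsingWarnings": true
        }
      }
    ],
    "urls": [
      {
        "name": "/graphql",
        "method": "*",
        "protocol": "https",
        "urlContentProfiles": [
          {"type": "graphql", "contentProfile": {"name": "graphql_profile"},
           "headerName": "*", "headerValue": "*", "headerOrder": "default"}
        ]
      }
    ]
  }
}"""

# Production baseline (assumed values for this example, not an F5 default).
BASELINE = {
    "allowIntrospectionQueries": False,
    "tolerateParsingWarnings": False,
    "maximumBatchedQueries": 5,
    "maximumStructureDepth": 8,
}


def load_policy() -> dict:
    return json.loads(POLICY_JSON)


def audit(policy: dict) -> list[str]:
    """Return findings for every GraphQL setting weaker than BASELINE, plus wiring errors."""
    p = policy["policy"]
    findings = []
    profiles = {prof["name"]: prof for prof in p.get("graphql-profiles", [])}
    if p.get("enforcementMode") != "blocking":
        findings.append("policy is not in blocking mode")
    for name, prof in profiles.items():
        da = prof.get("defenseAttributes", {})
        if not prof.get("attackSignaturesCheck", False):
            findings.append(f"{name}: attack signatures disabled")
        for key, want in BASELINE.items():
            have = da.get(key)
            if isinstance(want, bool):
                if have is not want:
                    findings.append(f"{name}: {key}={have}, expected {want}")
            elif have is None or have > want:
                findings.append(f"{name}: {key}={have}, expected <= {want}")
    # Every graphql content profile referenced from a URL must exist, and every
    # profile should be attached to at least one URL, otherwise it enforces nothing.
    attached = set()
    for url in p.get("urls", []):
        for ucp in url.get("urlContentProfiles", []):
            if ucp.get("type") == "graphql":
                ref = ucp["contentProfile"]["name"]
                attached.add(ref)
                if ref not in profiles:
                    findings.append(f"{url['name']}: references missing profile {ref}")
    for name in profiles.keys() - attached:
        findings.append(f"{name}: not attached to any URL")
    return findings


def harden(policy: dict) -> dict:
    """Return a copy of the policy with every GraphQL profile tightened to BASELINE."""
    hardened = copy.deepcopy(policy)
    for prof in hardened["policy"].get("graphql-profiles", []):
        prof["attackSignaturesCheck"] = True
        da = prof.setdefault("defenseAttributes", {})
        for key, want in BASELINE.items():
            da[key] = want if isinstance(want, bool) else min(da.get(key, want), want)
    return hardened


if __name__ == "__main__":
    import sys

    pol = load_policy()
    findings = audit(pol)
    for f in findings:
        print("FINDING:", f)
    print(json.dumps(harden(pol)["policy"]["graphql-profiles"][0]["defenseAttributes"], indent=2))
    sys.exit(1 if findings else 0)
```

Run stand-alone, the script prints the four findings the article's example produces (introspection allowed, parsing warnings tolerated, batch and depth limits above the baseline), prints the hardened defenseAttributes, and exits non-zero so the pipeline stage fails until the policy is fixed. The attachment check matters because a GraphQL profile that no URL's urlContentProfiles references enforces nothing.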

Conclusion

As the adoption of GraphQL increases, so does the likelihood that security threats tailored to this (comparatively) new Web API technology will emerge. The features present in Advanced WAF enable a solid response against GraphQL-specific attacks, while allowing for integration in the most advanced CI/CD-driven environments.

Other resources

UDF lab: AWAF advanced security for GraphQL in CI/CD pipeline

Many thanks to Serge Levin for his contribution to this article.

Published Jul 06, 2021
Version 1.0
  • Hi,

    thanks for sharing this post. I was tinkering around a bit, but I could not find the definition for graphql-profiles in the schema. I guess that's because the only schema available is here: https://clouddocs.f5.com/products/waf-declarative-policy/.

    This one is still 16.0. Any hint for me, where I could look for the 16.1 schema or when it will be available?

    Thanks in advance & KR

    Daniel