Beyond REST: Protecting GraphQL
GraphQL GraphQL is a query language for APIs developed by Facebook, that provides an efficient and flexible alternative to traditional RESTful APIs. It allows clients to request only the data they need, avoiding over-fetching or under-fetching of information. GraphQL enables developers to specify the structure of the response they want, making it easier to aggregate data from multiple sources in a single request. This adaptability is particularly advantageous in scenarios where mobile or web applications require diverse sets of data. As a result, GraphQL has become an attractive alternative for many developers and organizations looking to capitalizeon this flexibility and possible performance improvements. Introspection Introspection is a feature that allows clients to query the schema of a GraphQL API at runtime. It allows for the dynamic exploration of types, fields, and their associated information, giving clients the ability to create documentation, validate queries, and understand the structure and capabilities of the GraphQL server. Security Considerations While GraphQL offers numerous advantages in terms of flexibility and efficiency, it also introduces unique security considerations that warrant attention. One notable concern is the potential for unintentional data exposure due toitsintrospective nature. Additionally, GraphQL's ability to execute multiple queries in a single request creates the risk of resource exhaustion through complex or nested queries, leading to denial-of-service (DoS) vulnerabilities. Furthermore, the dynamic nature of GraphQL schemasmakesit crucial to implement proper input validation to prevent malicious queries or injections. Understanding and addressing these security risks is paramount for ensuring the robustness of GraphQL-based systems, and it underscores the importance of incorporating effective security measures into the development, deployment, and runtime processes. Protecting GraphQL with F5 Distributed Cloud GraphQL Discovery: GraphQL discovery plays a pivotal role in the comprehensive API discovery process within the F5 Distributed Cloud WebApp and API Protection service. This ensures that developers, security architects, and administrators gain visibility into and information about the available GraphQL endpoints. GraphQL Inspection: Inspection is a fundamental component of protecting GraphQL, offering granular control over security parameters. By setting limits on the maximum total length, maximum structure depth of a GraphQL query, and imposing restrictions on the maximum number of queries in a single batched request, the service can mitigate the risk of DOS attacks and ensures optimal system performanceby preventing excessively complex or resource-intensive requests. Disabling introspection queries further enhances security by limiting the exposure of sensitive API details, reducing the attack surface and reinforcing overall GraphQL security. Conclusion Since its development in 2012, adoption of GraphQL has witnessed a steady growthyear-over-year. The efficiency and power of the API has made it a popular choice with many development teams. With an ever-increasing threat surface and a high potential for attack, organizations must prioritize safeguarding their users by investing in robust security. As part of a Defensein-Depthsecurity strategy, the F5 Distributed Cloud WebApp and API Protection service can help ensure your GraphQL APIs are protected from abuse. F5 Distributed Cloud GraphQL Inspection and Protection Demo Additional Resources Deploy F5 Distributed Cloud API Discovery and Security: F5 Distributed Cloud WAAP Terraform Examples GitHub Repo Deploy F5 Hybrid Architectures API Discovery and Security: F5 Distributed Cloud Hybrid Security Architectures GitHub Repo F5 Distributed Cloud Documentation: F5 Distributed Cloud Terraform Provider Documentation F5 Distributed Cloud Services API Documentation
Securing GraphQL with Advanced WAF declarative policies
While REST has become the industry standard for designing Web APIs, GraphQL is rising in popularity as a more flexible and efficient alternative. Problem statement Similarly to REST, GraphQL is usually served over HTTP and is prone to the typical Web APIs security vulnerabilities, such as injection attacks, Denial of Service (DoS) attacks and abuse of flawed authorization. However, the mitigation strategies required to prevent a security breach of the GraphQL server must be specifically tailored to GraphQL. Unlike REST, where Web resources are identified by multiple URLs, GraphQL server operates on a single URL. Therefore, Web Application Firewalls (WAFs) configured to filter traffic based on URLs and query strings would not effectively protect GraphQL app. Instead, WAF policies for GraphQL must analyze and operate on the query level. In addition, GraphQL allows batching multiple queries in a single network call, which makes possible a batching attack specific to GraphQL. Proposed solution BIG-IP Advanced WAF has a number of features specifically designed for securing GraphQL APIs: A GraphQL Security Policy Template that enables quick deployment of GraphQL WAF policies A GraphQL Content Profile that groups all the relevant configurations relevant to GraphQL Support for the most common GraphQL use cases, where JSON payload is sent over POST (body) or GET (URL parameter) requests Native parsing of GraphQL enables the application of attack signature against each JSON field, with very low rate of false positives Protection against complexity-based Denial of Service attacks by allowing the configuration of a maximum depth of queries Support for enforcing the best practices of deployment GraphQL APIs with disabled introspection, which is the primary way for attackers to understand the API specification and tailor their attacks accordingly An option to control the number of allowed batched requests GraphQL-specific security violations allowing the fine tuning of the WAF policy Example configuration GraphQL configuration of the WAF policy can be done through the GUI or programatically, through the declarative policy model, allowing easy integration in automated environments that leverage, for example, CI/CD tools. As an example, below is a basic GraphQL declarative policy, demonstrating some of the features listed above: { "policy" : { "applicationLanguage" : "utf-8", "caseInsensitive" : false, "description" : "WAF Policy with GraphQL Profile", "enablePassiveMode" : false, "enforcementMode" : "blocking", "signature-settings": { "signatureStaging": false }, "filetypes" : [ { "allowed" : true, "checkPostDataLength" : true, "checkQueryStringLength" : true, "checkRequestLength" : true, "checkUrlLength" : true, "name" : "php", "performStaging" : true, "postDataLength" : 1000, "queryStringLength" : 1000, "requestLength" : 5000, "responseCheck" : false, "type" : "explicit", "urlLength" : 100 } ], "fullPath" : "/Common/waf_policy_withgraphql", "graphql-profiles" : [ { "attackSignaturesCheck" : true, "defenseAttributes" : { "allowIntrospectionQueries" : true, "maximumBatchedQueries" : 10, "maximumStructureDepth" : 10, "maximumTotalLength" : 100000, "maximumValueLength" : 10000, "tolerateParsingWarnings" : true }, "description" : "", "metacharElementCheck" : false, "name" : "graphql_profile" } ], "name" : "waf_policy_withgraphql", "protocolIndependent" : false, "softwareVersion" : "16.1.0", "template" : { "name" : "POLICY_TEMPLATE_GRAPHQL" }, "type" : "security", "urls" : [ { "attackSignaturesCheck" : true, "clickjackingProtection" : false, "description" : "", "disallowFileUploadOfExecutables" : false, "html5CrossOriginRequestsEnforcement" : { "enforcementMode" : "disabled" }, "isAllowed" : true, "mandatoryBody" : false, "method" : "*", "methodsOverrideOnUrlCheck" : false, "name" : "/graphql", "performStaging" : false, "protocol" : "https", "type" : "explicit", "urlContentProfiles" : [ { "contentProfile" : { "name" : "graphql_profile" }, "headerName" : "*", "headerOrder" : "default", "headerValue" : "*", "type" : "graphql" } ] } ] } } Conclusion As the adoption of GraphQL increases, so is the likelihood of emergence of security threats tailored for this (comparatively) new Web API technology. The features present in Advanced WAF enable a solid response against GraphQL-specific attacks, while allowing for integration in the most advanced CI/CD-driven environments. Other resources UDF lab: AWAF advanced security for GraphQL in CI/CD pipeline Many thanks to Serge Levin for his contribution to this article.
