Beyond REST: Protecting GraphQL
GraphQL GraphQL is a query language for APIs developed by Facebook, that provides an efficient and flexible alternative to traditional RESTful APIs. It allows clients to request only the data they need, avoiding over-fetching or under-fetching of information. GraphQL enables developers to specify the structure of the response they want, making it easier to aggregate data from multiple sources in a single request. This adaptability is particularly advantageous in scenarios where mobile or web applications require diverse sets of data. As a result, GraphQL has become an attractive alternative for many developers and organizations looking to capitalize on this flexibility and possible performance improvements. Introspection Introspection is a feature that allows clients to query the schema of a GraphQL API at runtime. It allows for the dynamic exploration of types, fields, and their associated information, giving clients the ability to create documentation, validate queries, and understand the structure and capabilities of the GraphQL server. Security Considerations While GraphQL offers numerous advantages in terms of flexibility and efficiency, it also introduces unique security considerations that warrant attention. One notable concern is the potential for unintentional data exposure due to its introspective nature. Additionally, GraphQL's ability to execute multiple queries in a single request creates the risk of resource exhaustion through complex or nested queries, leading to denial-of-service (DoS) vulnerabilities. Furthermore, the dynamic nature of GraphQL schemas makes it crucial to implement proper input validation to prevent malicious queries or injections. Understanding and addressing these security risks is paramount for ensuring the robustness of GraphQL-based systems, and it underscores the importance of incorporating effective security measures into the development, deployment, and runtime processes. Protecting GraphQL with F5 Distributed Cloud GraphQL Discovery: GraphQL discovery plays a pivotal role in the comprehensive API discovery process within the F5 Distributed Cloud WebApp and API Protection service. This ensures that developers, security architects, and administrators gain visibility into and information about the available GraphQL endpoints. GraphQL Inspection: Inspection is a fundamental component of protecting GraphQL, offering granular control over security parameters. By setting limits on the maximum total length, maximum structure depth of a GraphQL query, and imposing restrictions on the maximum number of queries in a single batched request, the service can mitigate the risk of DOS attacks and ensures optimal system performance by preventing excessively complex or resource-intensive requests. Disabling introspection queries further enhances security by limiting the exposure of sensitive API details, reducing the attack surface and reinforcing overall GraphQL security. Conclusion Since its development in 2012, adoption of GraphQL has witnessed a steady growth year-over-year. The efficiency and power of the API has made it a popular choice with many development teams. With an ever-increasing threat surface and a high potential for attack, organizations must prioritize safeguarding their users by investing in robust security. As part of a Defense in-Depth security strategy, the F5 Distributed Cloud WebApp and API Protection service can help ensure your GraphQL APIs are protected from abuse. F5 GraphQL Inspection and Protection Demo Additional Resources Deploy F5 Distributed Cloud API Discovery and Security: F5 Distributed Cloud WAAP Terraform Examples GitHub Repo Deploy F5 Hybrid Architectures API Discovery and Security: F5 Distributed Cloud Hybrid Security Architectures GitHub Repo F5 Distributed Cloud Documentation: F5 Distributed Cloud Terraform Provider Documentation F5 Distributed Cloud Services API Documentation
UCS restore via REST with additional options
For our DR site I am restoring periodically some VCMP in the remote site using our local UCS backups. As the hardware platform differs, it seems that I need to put additional options like no-platform-check and platform-migrate like in this CLI command: tmsh load sys ucs /var/local/ucs/<ucs-files> no-platform-check platform-migrate The restore via CLI works using the additional options, without them it fails. Using REST /mgmt/tm/sys/ucs is it possible to use options like no-platform-check platform-migrate ? Apparently it is not possibile, or at least not well documented. I need these options otherwise the restore fails. Thank you for your suggestions!
REST API to download License JSON report?
Hi, I'm completely new to F5 Big-IQ, but have plenty of experience writing API integrations. I've been asked to pull data from an F5 Big IQ instance, specifically the data held in the License Reports section (License Management->Reports). I can manually perform this by selecting the report and clicking download... ...the browser then downloads a lump of JSON that I can view. Is this possible to perform via a REST API (so I can consume the JSON into a database)? Thanks
Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP
We have more than 160 BIG-IP Virtual Edition with version 15.1.10.3 build 0.0.12. We need to import, in each one, an SSL Certificate in PFX/PKCS 12 format in the path System ›› Certificate Management: Device Certificate Management: Device Certificate. We looked in the documentation and the KB but we couldn't find a way to do it. Has anyone dealt with this and have a solution to do it via Script, CLI or API? Thank you.BIG-IP Next HA Pair Onboarding REST API
I've been playing around with BIG-IP Next in my home lab for the past few days and have managed to successfully onboard an HA pair of BIG-IP Next instances via the BIG-IP Next Central Manager GUI. I am now trying to do the same thing, but this time with the REST API. However, when I attempt to do this, I receive the following error when checking the onboarding task from Postman : "failure_reason": "failed to save details about new onboarding node (address 10.1.0.242)", I am using the following JSON documented under the 'Deploy an Onboarding Manifest' heading (I have just substituted the property values to reflect my lab environment) and I am sending the API call to the Central Manager management IP. https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0.1/ApiReferences/bigip_public_api_ref/r_openapi-next.html#operation/DeployOnboardingManifest Out of interest, has anyone managed to get this working?
Finding all virtual servers with "log all traffic" policy applied via API
Hello, I am trying to locate virtual server configs in my F5 environment that are configured to log all traffic requests. Obviously, this has a detrimental impact to F5 logging performance. Is there a way to use the TMSH shell or REST API to interrogate the F5 appliance via a script and get a listing of all virtuals that use a "log all traffic" policy so I can change the policy and give our logging servers a bit of respite? Thank you, KyleREST API authorization in a cronjob, recommendation
I'd like to run an automatic script via cronjob to trigger REST API calls on a BIG-IQ (the script is located on the BIG-IQ itself). What possibilities are available in regards to authorization, especially from a security point of view, meaning avoiding placing credentials in the script. Is there maybe an option to use mutual SSL as trust? Right now doing manual testing I first create a token with basic credentials and then doing the REST-call with this token. But having an automatic script, there is no posibility to enter the password, means it needs to be placed somewhere. Any ideas would be very helpful. Thank you! Regards Stefan 🙂
How can I Delete certificate via REST API?
Hello, I created a Client SSL Certificate and now I am trying to delete it from my F5 via REST API, I tried to use this article: https://clouddocs.f5.com/products/big-iq/mgmt-api/v7.0.0/ApiReferences/bigiq_public_api_ref/r_adc_ssl_cert.html This is the syntax of the command that I am typing: (this command supose to show me all my certificates, no?) curl -sk -u admin:Aa123456 -H "Content-Type: application/json" -X GET /mgmt/cm/adc-core/working-config/sys/file/ssl-cert all I got after executing this command is nothing. Also when I trying to excute this command, I get the same result, nothing happens curl -sk -u admin:Aa123456 -H "Content-Type: application/json" -X DELETE /mgmt/cm/adc-core/working-config/sys/file/ssl-cert/cert_name Please somebody explain to me what I am doing wrong
