With its flexible querying capabilities, GraphQL makes it easy to combine data from multiple sources into a single endpoint. GraphQL and API management go hand in hand to build next-generation API platforms. 

However, GraphQL's features can also introduce security risks if not properly implemented.

In a talk at API Summit 2023, Tristan Kalos and Antoine Carossio (co-founders of GraphQL security testing company Escape) dug into the most common and most underestimated vulnerabilities unearthed by analyzing over 130,000 public GraphQL endpoints. In their research, which is gathered in The State of GraphQL Security 2023 report, they identified nearly 50,000 security alerts, 10% of which were critical.

So, how can GraphQL be prone to security issues? And what are the most common vulnerabilities developers need to watch out for? Let's break it down.

Why is GraphQL vulnerable?

GraphQL is vulnerable for two key reasons:

1. It’s powerful features open security gaps

The features in GraphQL that give it flexibility can also be exploited by attackers. For example, GraphQL allows batching and aliasing requests. This lets you send multiple queries in one HTTP request.

This is great for performance. But it also lets attackers bypass rate limiting enforced at the HTTP layer — meaning they can send hundreds of login attempts in one request to brute force credentials.

Another example worth calling out is GraphQL's recursive fragments. These allow developers to reuse query logic. But an unprotected GraphQL engine can be crashed with infinite recursion, creating a denial of service vulnerability.

2. It’s graph structure obscures access control

In GraphQL, every entity can be accessed via multiple paths. This makes it easy for developers to inadvertently expose access to sensitive data.

For instance, an admin mutation could be left unprotected under the assumption it's not publicly accessible. But if another path leads to it, an attacker could discover and abuse it.

Robust access control in GraphQL requires meticulous auditing of all possible paths — which is not exactly a trivial task.

The most common GraphQL vulnerabilities

Across over 1,600 scanned production apps, the team at Escape found both GraphQL-specific vulnerabilities along with plenty of classic API vulnerabilities. The most common GraphQL vulnerabilities they encountere include:

1. Brute forcing API requests

The aforementioned batching and aliasing features enable brute-forcing attacks even past rate limits. Expect account takeovers if login mechanisms aren't robust.

2. Denial of service

Unprotected recursive fragments create crashes. GraphQL's flexibility naturally risks resource exhaustion DoS attacks.

3. Internal API schema leak

Many GraphQL servers try to hide their schema, but the field suggestion feature can inadvertently leak it. Public tools like Clarivoyance automate schema reconstruction. This exposes private mutations. In one case, Escape took over an admin account by finding an unprotected password reset mutation.

API security vulnerabilities

Beyond the GraphQL-specific vulnerabilities, Escape also uncovered some classic API security vulnerabilities in their research that can’t be overlooked. Not surprisingly, there was much overlap between the vulnerabilities found and the OWASP API Security Top 10. 

API errors and stack traces disclosing internal data

The problem here is that Stack Traces give too much information on what’s vulnerable in your app. 

For example, when there’s a GraphQL error, it gives the precise path of the source code that created the problem. Using this, one could get information about the libraries used by this GraphQL endpoint — and then look up vulnerabilities that affect these libraries.

Access control issues

This is very common in GraphQL. Most routes writing data (mutation) aren’t supposed to be accessible without authentication. However, many GraphQL endpoints have bad access control implementation and thus an unauthorized user or a user with low-level authorization can access restricted data. 

Injection vulnerabilities

Believe it or not, injection attacks are still a major issue. Escape’s research uncovered SQL, NoSQL, and even Bash command injections in GraphQL services. This can lead to data theft if developers don't follow secure coding practices.

Other classic API flaws

GraphQL isn't immune to traditional security pitfalls. 40% of the discovered vulnerabilities were classic API issues, like broken authentication and access control. Notably, improper error handling exposed internal API keys and secrets. GraphQL doesn't inherently protect downstream dependencies.

Massive amounts of sensitive data exposed

Most alarmingly, Escape’s analysis discovered huge amounts of sensitive data leaked in public GraphQL endpoints, including:

• Personal identifiable information like emails, phone numbers, and passport details
• Private API keys and tokens for AWS, GCP, GitHub, Slack, etc.
• Hashed and even cleartext passwords

This data exposure could enable account takeovers, cloud resource hijacking, and identity theft. It highlights the pressing need for rigorous security controls in GraphQL services.

Conclusion

GraphQL opens new horizons for API development. With disciplined security practices, you can build the next generation of interfaces while keeping your data safe.

For this and other talks around all things related to APIs, check out on-demand sessions from API Summit 2023.