One good thing about GraphQL is that the query language makes it easy to interact with structured data and perform multiple actions with a single API call. However, that same flexibility makes APIs built using GraphQL more difficult to secure, potentially exposing more data than intended.
Salt Security recently updated its Salt Security API Protection Platform to offer more robust tooling for securing GraphQL APIs. The tools rely on artificial intelligence and machine learning to generate a baseline of normal API behavior and identifying malicious efforts when the actors are probing the APIs as part of their reconnaissance activities. The company’s goal is to proactively provide developers with tools for securing these APIs before the attacks become more commonplace.
GraphQL is an open source data query language that is gaining traction among many developers as a declarative alternative to REST APIs for fetching data. Originally developed by Facebook and open sourced in 2015, GraphQL enables clients to specify exactly what data it needs from an API and underlying services without writing parsing code. GraphQL is organized in terms of types and fields rather than traditional endpoints.
Developers like GraphQL because it is very efficient to exchange information, but its call and response format introduces new risks, says Elad Koren, chief product officer of Salt Security. GraphQL APIs can include many nested requests inside a single API call, which adds to its complexity.
“The biggest advantage is the ability to request exactly what is needed — not more, not less,” Koren says. “But that is also a significant vulnerability, since the data is not limited by structure, and it relies on the API to be properly constructed.”
Something that would be a minor permissions and authorization issue in the REST API limited to subset of endpoints could wind up creating a significant attack surface in GraphQL, Koren says.
GraphQL developers will be able to use Salt Security’s platform to discover APIs and where they expose sensitive data, mitigate data exposure, stop attacks, and eliminate vulnerabilities, the company says. The platform parses the complex structure of the GraphQL queries to identity unique object entities, and builds a complete inventory of GraphQL APIs. This information is used to analyze how each user and API behaves in the day-to-day use of all the APIs to generate a baseline of normal behavior. This way, the platform can identify malicious actors as they probe and interact with the API during the reconnaissance phase of the attack.
It’s worth noting that attacks targeting weaknesses in GraphQL APIs are relatively rare in the developer world, but that may change as the query language grows in popularity. Standard forms of REST APIs are currently the most targeted only because they’re so much more prevalent, Koren says.
Malicious actors have already begun developing attack techniques targeting GraphQL capabilities such as nested queries and query batching — a form of brute-force attacks — to run denial-of-service attacks, Koren says. The attackers can launch a DoS by using nested queries that increase the load on the API.
Attackers have taken advantage of the complex access control structure in GraphQL to uncover and exploit critical vulnerabilities, Koren says. It would also be possible to use authorization information to propagate a BOLA (broken object level authorization) or BFLA (broken function level authorization) attack.
Underscoring the growing awareness that APIs need to be protected, Data Theorem recently launched its Active Protection suite, which protects the client layer (mobile and Web), the network layer (REST and GraphQL APIs), and the underlying cloud infrastructure.
A 2020 RapidAPI survey found that GraphQL is used by 22.5% of API developers. The number of developers using GraphQL doubled between 2019 and 2020, and the pace of adoption is expected to accelerate even more.