Scanning GraphQL APIs for vulnerabilities
Acunetix can scan GraphQL APIs. This document explains how you can import a GraphQL schema to a target or link to a hosted location where your GraphQL API definitions are held, and then scan for vulnerabilities in your GraphQL APIs. For information about GraphQL and the security issues in GraphQL, refer to the sections at the end of this document.
IMPORTANT: Scanning APIs in production. Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:
How to scan a GraphQL API for vulnerabilities
To scan a GraphQL API for vulnerabilities with Acunetix, you must provide the scanner with access to the API definitions. There are two ways to do this:
- Option 1: Import from a file
- This method involves uploading a GraphQL schema to a target.
- Option 2: Link to a URL
- This method adds a link from a target to the URL where the API definitions are located.
Once you start a scan of that target, Acunetix will parse the imported GraphQL schema or access the linked URL and add the necessary GraphQL requests to the scanner. The following sections outline each method and provide instructions for starting a scan of your GraphQL APIs.
Option 1: Importing from a file
Importing a GraphQL schema to a target means that whenever your GraphQL API is updated, you will need to replace the imported schema file to ensure you are scanning the latest version of your GraphQL API.
How to import a GraphQL schema to a target
- Ensure your GraphQL schema is accessible for upload on the machine where you are accessing Acunetix.
- The following file formats are supported: .graphql and .json.
- Log in to Acunetix and select Targets from the left-side menu.
- Select the target address to which you will import the GraphQL schema. The Target Settings page will open.
- Scroll down to the Import Files / API Definitions section and click the upload icon in the Choose File field.
- Locate and select your GraphQL schema file, then click Open.
- The file will upload automatically and will be listed in the Import Files / API Definitions section of the Target Settings. The GraphQL schema is now imported to the target.
TIP: If you want to scan only the imported GraphQL schema and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.
- The GraphQL schema file is now imported to the target. If your API contains an authentication mechanism, ensure you add the necessary authentication credentials to the target settings before starting a scan. For instructions, refer to Scanning authenticated APIs.
- Click Scan to prepare a scan of the target, including the imported GraphQL schema.
- Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.
The Scan Details page loads and your scan begins according to the schedule you specified.
Option 2: Linking to a URL
Linking a URL to a target means you are adding the URL of the hosted location where your GraphQL API definitions are held. This allows Acunetix to always scan the latest version of your GraphQL API without the need to provide a new schema each time your API is updated.
IMPORTANT: Linked URLs are accessed by the engine. This means the engine or internal agent (if using one for the target) needs to have access to any linked URLs.
How to link a URL to a target
- Log in to Acunetix and select Targets from the left-side menu.
- Select the target address to which you will link the URL of your API definitions. The Target Settings page will open.
- Scroll down to the Import Files / API Definitions section and click Link From URL.
- Enter the URL where your GraphQL API definitions are hosted, then select Link API definition.
- The URL will immediately be listed in the Import Files / API Definitions section of the Target Settings. It has now been linked to the target.
TIP: If you want to scan only the linked API definition and not all the other paths belonging to the target, enable the checkbox next to Restrict scans to import files and click Save before starting the scan.
- The URL is now linked to the target. If your API contains an authentication mechanism, ensure you add the necessary authentication credentials to the target settings before starting a scan. For instructions, refer to Scanning authenticated APIs.
- Click Scan to prepare a scan of the target, including the linked API definition.
- Select Full Scan as the Scan Profile. Complete the remaining scanning options according to your preference, then click Create Scan.
The Scan Details page loads and your scan begins according to the schedule you specified.
About GraphQL
GraphQL is a query language for APIs developed by Facebook in 2012 and released in 2015. The query language makes it easier and quicker to get data from a server to a client via an API call.
- GraphQL is designed to give clients exactly the data they request, so responses are not padded with large amounts of data the client did not ask for.
- It lets you express more complex queries in a single request, reducing the number of API requests that must be made.
- All input data is type-checked against a schema defined by the developer, assisting with data validation.
Key concepts in GraphQL
| Concept | Description |
| --- | --- |
| Schema | A GraphQL schema is at the heart of any GraphQL server implementation. The schema describes the functionality available to the clients that connect to it. |
| Mutation | A GraphQL operation that creates, modifies, or destroys data. |
| Introspection | A special query that enables clients and tools to fetch a GraphQL server's complete schema. |
| Query | A read-only fetch operation to request data from a GraphQL service. |
Security issues in GraphQL
There are a number of security issues in GraphQL. This section briefly explains four of these security issues.
Authorization issues
This is one of the most common security issues in GraphQL.
- Implementing authorization can be confusing and tedious.
- Since there are various connections between different types, there can be many routes to the same data. Therefore, if you do not implement the authorization checks consistently or in a central place, you can run into issues.
- Also, GraphQL itself does not perform authorization; it is left entirely to the application.
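The point about many routes to the same data is easiest to see with an executor that enforces a single field-level policy before every resolver, so a sensitive field is protected whether it is reached directly or through a nested object. The following is an added example, not Acunetix code and not any particular GraphQL library's API: a minimal hand-written executor over a constructed in-memory dataset, with a hypothetical `Viewer` model and a policy table keyed by (type, field).

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Viewer:
    """The authenticated caller (hypothetical model for this example)."""
    user_id: str
    role: str  # "user" or "admin"


class Forbidden(Exception):
    pass


# Constructed sample data: two users, plus a post and a comment written by Bob.
USERS = {
    "u1": {"id": "u1", "name": "Alice", "email": "alice@example.test"},
    "u2": {"id": "u2", "name": "Bob", "email": "bob@example.test"},
}
POSTS = {"p1": {"id": "p1", "title": "Hello", "authorId": "u2"}}
COMMENTS = {"c1": {"id": "c1", "body": "Nice post", "authorId": "u2"}}


def _owner_or_admin(viewer: Viewer, obj: dict) -> bool:
    return viewer.role == "admin" or viewer.user_id == obj["id"]


# The single place where field-level authorization lives. Fields not listed are public.
POLICY = {("User", "email"): _owner_or_admin}


def authorize(type_name: str, field_name: str, viewer: Viewer, obj: dict | None) -> None:
    rule = POLICY.get((type_name, field_name))
    if rule is not None and not rule(viewer, obj):
        raise Forbidden(f"User.email is not visible to {viewer.user_id}" if type_name == "User"
                        else f"{type_name}.{field_name} is not visible to {viewer.user_id}")


# Plain resolvers: they only fetch data and never check permissions themselves.
RESOLVERS = {
    "Query": {
        "user": lambda _obj, args: USERS[args["id"]],
        "post": lambda _obj, args: POSTS[args["id"]],
        "comment": lambda _obj, args: COMMENTS[args["id"]],
    },
    "User": {
        "id": lambda obj, _args: obj["id"],
        "name": lambda obj, _args: obj["name"],
        "email": lambda obj, _args: obj["email"],
    },
    "Post": {
        "title": lambda obj, _args: obj["title"],
        "author": lambda obj, _args: USERS[obj["authorId"]],
    },
    "Comment": {
        "body": lambda obj, _args: obj["body"],
        "author": lambda obj, _args: USERS[obj["authorId"]],
    },
}
# Object type returned by each non-scalar field, so the executor knows which policy entries apply.
FIELD_TYPES = {
    ("Query", "user"): "User", ("Query", "post"): "Post", ("Query", "comment"): "Comment",
    ("Post", "author"): "User", ("Comment", "author"): "User",
}


def execute(selection: dict, viewer: Viewer, type_name: str = "Query", obj: dict | None = None) -> dict:
    """Resolve a selection set. `selection` maps field name -> None (scalar) or
    {"args": {...}, "select": {...}} (object field). Authorization runs once here,
    before every resolver, so it applies on every path that reaches a given type."""
    result = {}
    for name, spec in selection.items():
        spec = spec or {}
        authorize(type_name, name, viewer, obj)
        value = RESOLVERS[type_name][name](obj, spec.get("args", {}))
        if spec.get("select"):
            value = execute(spec["select"], viewer, FIELD_TYPES[(type_name, name)], value)
        result[name] = value
    return result


def run(selection: dict, viewer: Viewer) -> dict:
    """GraphQL-style envelope: data on success, an errors list when a field is denied."""
    try:
        return {"data": execute(selection, viewer)}
    except Forbidden as exc:
        return {"data": None, "errors": [str(exc)]}


# Three routes to Bob's e-mail address: directly, via a post, via a comment.
WANT_EMAIL = {"name": None, "email": None}
Q_DIRECT = {"user": {"args": {"id": "u2"}, "select": WANT_EMAIL}}
Q_VIA_POST = {"post": {"args": {"id": "p1"}, "select": {"author": {"select": WANT_EMAIL}}}}
Q_VIA_COMMENT = {"comment": {"args": {"id": "c1"}, "select": {"author": {"select": WANT_EMAIL}}}}

if __name__ == "__main__":
    alice, bob = Viewer("u1", "user"), Viewer("u2", "user")
    for q in (Q_DIRECT, Q_VIA_POST, Q_VIA_COMMENT):
        print("alice:", run(q, alice))   # denied on every route
        print("bob:  ", run(q, bob))     # owner sees own e-mail
```

Because the check sits in `execute` rather than in each resolver, adding a fourth route to `User` later (say, `Post.likedBy`) is covered automatically; with per-resolver checks, that new resolver would have to remember to repeat the rule.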
Denial of service
By stacking queries (nesting them deeply or batching many copies of an expensive field into a single request), an attacker forces the server to repeatedly issue requests, write to a log file, or execute other resource-intensive operations.
- This is a simple Denial of Service attack vector and is hard to prevent but easy to abuse.
- There are almost no requirements on the attacker's side to exploit this. Attackers can type the whole payload, for example, into their mobile phones and launch an attack.
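A common server-side mitigation for stacked queries is to reject a request before execution when its nesting depth or its number of aliased fields exceeds a limit. The block below is an added example, not Acunetix code and not a GraphQL library's API: a small stand-alone analyzer that blanks string literals and comments, then counts selection-set depth and aliases in the raw query text. The sample queries and the default limits (`max_depth=6`, `max_aliases=20`) are constructed for this example and should be tuned to the real schema.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


@dataclass
class QueryStats:
    depth: int     # deepest nesting of selection sets
    aliases: int   # number of aliased fields (a second way to stack work into one request)


def _blank_strings_and_comments(query: str) -> str:
    """Replace string literals and # comments with spaces so braces and colons
    inside them are not counted. Character positions are preserved."""
    out, i, n = [], 0, len(query)
    while i < n:
        if query.startswith('"""', i):                 # block string
            end = query.find('"""', i + 3)
            end = n if end == -1 else end + 3
        elif query[i] == '"':                          # ordinary string, honouring backslash escapes
            end = i + 1
            while end < n and query[end] != '"':
                end += 2 if query[end] == "\\" else 1
            end = min(end + 1, n)
        elif query[i] == "#":                          # comment runs to end of line
            end = query.find("\n", i)
            end = n if end == -1 else end
        else:
            out.append(query[i])
            i += 1
            continue
        out.append(" " * (end - i))
        i = end
    return "".join(out)


def analyze_query(query: str) -> QueryStats:
    text = _blank_strings_and_comments(query)
    depth = max_depth = paren = aliases = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == "(":
            paren += 1
        elif c == ")":
            paren -= 1
        elif paren == 0 and c == "{":          # a selection set; object literals inside arguments are skipped
            depth += 1
            max_depth = max(max_depth, depth)
        elif paren == 0 and c == "}":
            depth -= 1
        elif paren == 0 and (c.isalpha() or c == "_"):
            m = _NAME.match(text, i)
            j = m.end()
            while j < n and text[j].isspace():
                j += 1
            if j < n and text[j] == ":":       # "name:" outside an argument list is an alias
                aliases += 1
            i = m.end()
            continue
        i += 1
    return QueryStats(depth=max_depth, aliases=aliases)


def check_query(query: str, max_depth: int = 6, max_aliases: int = 20) -> tuple[bool, str]:
    """Return (accepted, reason). The default limits are hypothetical; tune them per schema."""
    stats = analyze_query(query)
    if stats.depth > max_depth:
        return False, f"query depth {stats.depth} exceeds limit {max_depth}"
    if stats.aliases > max_aliases:
        return False, f"{stats.aliases} aliased fields exceed limit {max_aliases}"
    return True, "ok"


# Constructed sample queries.
NORMAL_QUERY = """
query GetUser($id: ID!) {
  user(id: $id) {
    name
    posts(first: 10, filter: { tag: "a { fake } brace" }) {
      title  # comment with a { brace
    }
  }
}
"""


def nested_query(levels: int) -> str:
    """{ me { friends { friends ... { name } } } } with `levels` nested selection sets."""
    body = "name"
    for _ in range(levels - 2):
        body = "friends { " + body + " }"
    return "{ me { " + body + " } }"


def aliased_query(copies: int) -> str:
    """The same field requested `copies` times under different aliases."""
    fields = " ".join(f"r{i}: report {{ id }}" for i in range(copies))
    return "{ " + fields + " }"


if __name__ == "__main__":
    for label, q in (("normal", NORMAL_QUERY), ("nested", nested_query(12)), ("aliased", aliased_query(50))):
        print(label, analyze_query(q), check_query(q))
```

Depth and alias counts are cheap to compute on the raw text before parsing, which is the point: the guard must run before the server does any of the expensive work the query would trigger. A production deployment would pair this with a cost or complexity score per field and with rate limiting.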
Secondary contexts path traversals
It can be dangerous to talk to microservices via your API. This is not specific to GraphQL but affects GraphQL in the same way that it affects other APIs. Without proper sanitization of user-supplied values, an attacker may be able to interfere with the API's communication with those microservices.
Discovery
If attackers find a GraphQL endpoint without additional content, they may have a hard time understanding what it does and what it accepts. However, there are a few techniques they can use to figure out what input the API expects, such as:
- Auto-correct (the field-name suggestions a server returns in validation errors)
- Introspection
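Both discovery techniques leave a recognisable trace in server logs: introspection requests name the `__schema` or `__type` root fields, and probing for field names produces a run of validation errors carrying "Did you mean" suggestions. The following is an added example, not Acunetix code: a small log analyzer over constructed JSON-per-line entries (the log shape, the client addresses and the flagging threshold are all hypothetical) that tags each request and reports clients generating repeated discovery activity. `__typename` is deliberately not treated as introspection, since ordinary clients send it routinely.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict

# Only the introspection root fields; __typename is routine client traffic and is excluded by the \b.
_INTROSPECTION = re.compile(r"\b__(schema|type)\b")
# Suggestion text that GraphQL servers commonly include in "Cannot query field" validation errors.
_SUGGESTION = re.compile(r"Did you mean")

# Constructed sample log: one JSON object per line with the client address, the query
# sent and the error messages returned. The log shape is hypothetical.
SAMPLE_LOG = """\
{"client": "203.0.113.5", "query": "{ __schema { types { name } } }", "errors": []}
{"client": "203.0.113.5", "query": "{ usr { id } }", "errors": ["Cannot query field \\"usr\\" on type \\"Query\\". Did you mean \\"user\\"?"]}
{"client": "203.0.113.5", "query": "{ user { emai } }", "errors": ["Cannot query field \\"emai\\" on type \\"User\\". Did you mean \\"email\\"?"]}
{"client": "203.0.113.5", "query": "{ __type(name: \\"User\\") { fields { name } } }", "errors": []}
{"client": "198.51.100.7", "query": "{ user(id: \\"u1\\") { name __typename } }", "errors": []}
{"client": "198.51.100.7", "query": "{ user(id: \\"u1\\") { nmae } }", "errors": ["Cannot query field \\"nmae\\" on type \\"User\\". Did you mean \\"name\\"?"]}
"""


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(entry: dict) -> set[str]:
    """Tag one request as schema-discovery activity, if it is."""
    tags = set()
    if _INTROSPECTION.search(entry["query"]):
        tags.add("introspection")
    if any(_SUGGESTION.search(err) for err in entry.get("errors", [])):
        tags.add("field-suggestion")
    return tags


def discovery_summary(entries: list[dict]) -> dict[str, dict[str, int]]:
    """Per-client counts of discovery-related events."""
    counts = defaultdict(lambda: {"introspection": 0, "field-suggestion": 0})
    for entry in entries:
        for tag in classify(entry):
            counts[entry["client"]][tag] += 1
    return dict(counts)


def flag_clients(entries: list[dict], min_events: int = 3) -> list[str]:
    """Clients whose discovery events reach the (hypothetical) threshold."""
    summary = discovery_summary(entries)
    return sorted(client for client, n in summary.items() if sum(n.values()) >= min_events)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for client, counts in discovery_summary(entries).items():
        print(client, counts)
    print("flagged:", flag_clients(entries))
```

A single typo from a legitimate developer also yields one "Did you mean" error, which is why the summary counts events per client rather than alerting on every match; the threshold separates an occasional mistake from a systematic walk of the schema. Where introspection and field suggestions are switched off in production, any match at all becomes worth a look.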