Scan GraphQL APIs for vulnerabilities

This document is for:

Invicti Platform

Invicti Platform can scan GraphQL APIs. This document explains how you can import a GraphQL schema to a target or link to a hosted location where your GraphQL API definitions are held, and then scan for vulnerabilities in your GraphQL APIs. For information about GraphQL and the security issues in GraphQL, refer to the sections at the end of this document.

Scanning APIs in production

Scanning production APIs should be conducted with care. Some scanning methods may result in data deletion. We recommend you:

Carefully consider the permissions (authentication) you provide and which methods (PUT, POST, DELETE) are used.
Manually exclude API operations (methods with endpoints) from the uploaded/linked file to prevent destroying or making undesirable changes to the production application.

This document explains how to scan a GraphQL API for vulnerabilities in Invicti Platform.

How to scan a GraphQL API for vulnerabilities

To scan a GraphQL API for vulnerabilities with Invicti, you must provide the scanner with access to the API definitions. There are two ways to do this:

Option A: Import from a file

This method involves uploading a GraphQL schema to a target.

Option B: Link to a URL

This method adds a link from a target to the URL where the API definitions are located.

Once you start a scan of that target, Invicti will parse the imported GraphQL schema or access the linked URL and add the necessary GraphQL requests to the scanner. The following sections outline each method and provide instructions for starting a scan of your GraphQL APIs.

Option A: Import from a file

Importing a GraphQL schema to a target means that whenever your GraphQL API is updated, you will need to replace the imported schema file to ensure you are scanning the latest version of your GraphQL API.

How to import a GraphQL schema to a target

Ensure your GraphQL schema is accessible for upload on the machine where you are accessing Invicti.

The following file formats are supported: .graphql and .json.

Select Inventory > Targets from the left-side menu.
Click (⋮) > Edit target by the target to which you will import the GraphQL schema. The Configure target page will open.
Click Scan Configuration to navigate to the API specification section and click the Upload specification button.

Upload API specification in Invicti Platform.

Select GraphQL Schema/Introspection from the drop-down, choose your file, then click Upload file. The file will upload automatically and will be listed in the API specification section of the Scan Configuration.

Upload GraphQL API specification file.

If you want to scan only the imported GraphQL schema and not all the other paths belonging to the target, select Yes next to Restrict scans to imported files and save before starting the scan.

The GraphQL schema file is now imported to the target.
To initiate a scan at a later time, click Save Target Configuration. To begin scanning the target now—including the imported file—click Save and Scan. Selecting Save and run scan with defaults will run a full scan automatically.

When the scan is complete, check the Vulnerabilities tab on the Scan details page for information about detected vulnerabilities in your GraphQL API, which will be marked with an API tag next to the severity label.
Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your GraphQL API.
For more information about viewing scan results and vulnerabilities, refer to the following documents:

Option B: Link to a URL

Linking a URL to a target means you are adding the URL of the hosted location where your GraphQL API definitions are held. This allows Invicti to always scan the latest version of your GraphQL API without the need to provide a new schema each time your API is updated.

Linked URLs are accessed by the engine. This means the engine or internal agent (if using one for the target) needs to have access to any linked URLs.

How to link a URL to a target

Select Inventory > Targets from the left-side menu.
Click (⋮) > Edit target by the target to which you will link the GraphQL schema. The Configure target page will open.
Click Scan Configuration to navigate to the API specification section and click Link from URL.

Link URL to API specification in Invicti Platform.

Select GraphQL Schema/Introspection from the drop-down, Enter the URL where your GraphQL API definitions are hosted, then click Link API specifications.

The URL will be listed in the API specification section of the Scan Configuration.

Link GraphQL schema or introspection from URL.

If you want to scan only the linked API definition and not all the other paths belonging to the target, select Yes next to Restrict scans to imported files and save before starting the scan.

The URL is now linked to the target.
To initiate a scan at a later time, click Save Target Configuration. To begin scanning the target now—including the linked specification—click Save and Scan. Selecting Save and run scan with defaults will run a full scan automatically.

When the scan is complete, check the Vulnerabilities tab on the Scan details page for information about detected vulnerabilities in your GraphQL API, which will be marked with an API tag next to the severity label.
Filter the list by Target type > API only to limit the displayed results to vulnerabilities identified in your GraphQL API.
For more information about viewing scan results and vulnerabilities, refer to the following documents:

About GraphQL

GraphQL is a query language for APIs developed by Facebook in 2012 and released in 2015. The query language makes it easier and quicker to get data from a server to a client via an API call.

GraphQL is designed to prioritize providing clients with exactly the data they request. This prioritization, therefore, prevents large amounts of data from being returned.

It lets you make more complicated queries that reduce the number of API requests that must be made.
All input data is type-checked against a schema defined by the developer, assisting with data validation.

Key concepts in GraphQL

Schema - a GraphQL schema is at the heart of any GraphQL server implementation. The schema describes the functionality available to the clients that connect to it.
Mutation - a GraphQL operation that creates, modifies, or destroys data.
Introspection - a special query that enables clients and tools to fetch a GraphQL server's complete schema.
Query - a read-only fetch operation to request data from a GraphQL service.

Security issues in GraphQL

There are a number of security issues in GraphQL. This section briefly explains four of these security issues.

Authorization issues

This is one of the most common security issues in GraphQL.

Implementing authorization can be confusing and tedious.
Since there are various connections between different types, there can be many routes to the same data. Therefore, if you do not implement the authorization checks consistently or in a central place, you can run into issues.
Also, GraphQL does not automatically take care of this authorization.

Denial of service

Via stacking queries, you force the server to repeatedly issue requests, write to a log file, or execute other resource-intensive operations.

This is a simple Denial of Service attack vector and is hard to prevent but easy to abuse.
There are almost no requirements on the attacker's side to exploit this. Attackers can type the whole payload, for example, into their mobile phones and launch an attack.

Secondary contexts path traversals

It can be dangerous to talk to microservices via your API. This is not specific to GraphQL but affects GraphQL in the same way that it affects other APIs. Without proper sanitization, you may be able to interfere with the communication with microservices.

Discovery

If attackers find a GraphQL endpoint without additional content, they may have a hard time understanding what it does and what it accepts. But, there are a few tricks they can use to figure out what input the API expects, such as:

Auto-correct
Introspection