GraphQl API Security - Part 1: Introduction

February 9, 2024
API SecuritySecurityApiGraphQl

A Primer on GraphQL

What is GraphQL?

GraphQL is an open source query and manipulation language for APIs. Unlike traditional REST APIs, GraphQL allows clients to request exactly the data they need—no more, no less.

Core Concept

1query {
2users {
3  email
4  username
5}
6}

The above GraphQL query would return only email and username fields of all users—solving the common over-fetching and under-fetching problems REST APIs suffer from.

🔐 From a security perspective, this selective data access minimizes the risk of unintentional information disclosure (e.g., sensitive fields like passwords or PII).

Origins and Ecosystem

  • 🏢 Developed by Facebook in 2012.
  • 🌍 Open-sourced in 2015 with GraphQL.js.
  • 🎓 Now maintained by the GraphQL Foundation.
  • 🚀 Used by Facebook, GitHub, GitLab, Atlassian, and more.

Why GraphQL?

Real-World Use Case

Imagine a mobile weather dashboard querying multiple data sources. Instead of making many REST calls, GraphQL can retrieve all needed data in a single query—saving bandwidth and improving performance.

Specification = Your Hacking Blueprint 🔓

GraphQL has an official specification, acting like an RFC. Use it to:

  • Understand how GraphQL should behave.
  • Identify implementation bugs or spec deviation → often security flaws.

How GraphQL Works (High-Level Architecture)

1Client → POST → GraphQL Server → Query Parser → Resolver → Data Response

Key Components

  • Query Parser – Validates query against the schema.
  • Resolver Functions – Fetch data from DBs, REST APIs, or files.
  • Schema – Defined in SDL, e.g.:
1type User {
2username: String
3email: String
4location: Location
5}
6
7type Location {
8latitude: Int
9longitude: Int
10}

⚠️ Resolvers can become security hot spots—bugs here can lead to information disclosure, injection, or unauthorized access.

GraphQL vs REST APIs: Security Perspective

IssueRESTGraphQL
Over-fetchingETCommonAvoided via fine-grained queries
Under-fetchingCommonOne query = full dataset
Endpoint sprawlMultiple endpointsSingle /graphql endpoint
Verb-specificGET/POST/PUT/...Mostly POST (can allow GET)
Logging clarityClear from URL/methodAmbiguous (everything looks like POST)
VisibilityLogs expose endpointsNeeds deeper inspection or custom logging

🔍 GraphQL APIs can bypass WAFs or confuse logging systems due to nonstandard HTTP behavior.

Types of GraphQL Operations

  • query – Read-only data fetch.
  • mutation – Data manipulation (write, update, delete).
  • subscription – Real-time data via WebSocket.
1mutation {
2createUser(email: "test@example.com", username: "test")
3}
4
5subscription {
6userStatusChanged {
7  userId
8  newStatus
9}
10}

Security Note on Schema Relationships

One-way relationships (edges) are common, but two-way links (e.g., User ↔ Location) can introduce Denial of Service (DoS) risks due to cyclic queries.

GraphQL Playground: A Hacker's Best Friend

Tools like GraphiQL Explorer and GraphQL Playground allow introspection and autocompletion.

  • Helpful for learning and manual exploration.
  • Often publicly accessible.
  • Auto-generates docs, history, and field suggestions.

Example

Query:

1query {
2users {
3  email
4  history {
5    last_login_timestamp
6  }
7}
8}

Response:

1{
2"data": {
3  "users": [
4    {
5      "email": "david@example.com",
6      "history": {
7        "last_login_timestamp": ["02:03:37"]
8      }
9    },
10    {
11      "email": "chris@example.com",
12      "history": {
13        "last_login_timestamp": ["02:03:37", "03:05:55"]
14      }
15    }
16  ]
17}
18}