GraphQL Attack Surface 🕳️🔍

What Is an Attack Surface?

An attack surface is the set of all points where an unauthorized user can try to access or affect the system. Think of it like the doors, windows, and vents in a building that an intruder might exploit.

In GraphQL:

• 🧬 Every field, argument, type, and directive increases the attack surface.
• 💥 The complexity and flexibility of GraphQL = greater potential for abuse.

🧠 The GraphQL Language: From Client to Server

The GraphQL spec is divided into two parts:

1. Language – what clients write (queries, mutations, etc.)
2. Type System – what the server defines and validates against

Anatomy of a GraphQL Query

1query Anatomy {
2pastes(filter: "some title", public: true) {
3  title
4  content
5  ipAdrr @show_network(style: "cidr")
6}
7users {
8  username(capitalize: true)
9}
10}

🔄 Operation Types

1. query

• Basic data retrieval. Often abused to extract sensitive fields.

2. mutation

• Allows data modification. Risk: tampering with logic/data.

1mutation {
2editPaste(id: 1, content: "Hacked!") {
3  paste { id title content }
4}
5}

3. subscription

• Real-time data over WebSocket. Vulnerable to:
  • CSWSH (Cross-Site WebSocket Hijacking)
  • MITM attacks if not using TLS

🎭 Operation Names: Masking Malicious Intents

Operation names are arbitrary:

1query getPastes { pastes { title } }
2query deleteAll { pastes { content } }

A malicious actor can name destructive queries with innocent names to mislead defenders.

Dangerous: These names might be stored in logs or third-party tools, making them a vector for injection or confusion.

🧩 Fields and Arguments

Fields = what we request. Arguments = how we control that request.

1query {
2users(active: true) {
3  email
4}
5}

• Arguments are often user-controlled ➤ susceptible to injection, type confusion, or validation bypasses.
• Strong typing does not replace input validation.

🧪 Aliases: Double the Trouble

Aliases rename fields to avoid conflicts, but they also:

• Allow response key manipulation
• Obfuscate request intent
• Enable DoS tricks (like overloading or duplication)

1query {
2publicPastes: pastes(public: true) { title }
3privatePastes: pastes(public: false) { title }
4}

🔗 Fragments: Circular DoS Landmines

Fragments group reusable fields:

1fragment CommonFields on Paste {
2title
3content
4}
5
6query {
7pastes {
8  ...CommonFields
9}
10}

💣 Fragments referencing each other (circular) = DoS potential.

💼 Variables

Variables help optimize query reuse and reduce dynamic string building:

1query getPastes($public: Boolean!) {
2pastes(public: $public) {
3  title
4}
5}

Like arguments, they are user-input vectors.

🧬 Directives

1query {
2user @include(if: true) {
3  username
4}
5}

Used for conditional logic. Custom directives = powerful but risky if poorly validated.

⚠️ Vulnerable or unvalidated custom directives can introduce RCE or logic flaws.

🧱 The Type System: Objects, Scalars, Enums, Unions

• Object Types – app-specific data structures (e.g., User, Paste)
• Scalars – built-in types like String, ID, Boolean
• Custom Scalars – IP, DateTime, etc. Beware of insecure libraries (e.g., CVE-2021-29921 in Python ipaddress lib).
• Unions / Interfaces / Inputs – Add flexibility, but more edge cases to abuse

🔍 Introspection

The __schema and __type fields let clients see the entire schema.

1{
2__schema {
3  types {
4    name
5  }
6}
7}

• Great for devs and pentesters
• 🔥 Horrible if left enabled in production

🛠 Validation & Execution

GraphQL servers have different validation implementations, leading to:

• 📊 Fingerprinting
• 🔍 Bug discovery

Use tools like:

• GraphQL Threat Matrix
• Graphw00f

⚠️ Common Weaknesses Summary