Security Hub

Bring your software development workflows to security


GraphQL Injection

Business

Signals & Triggers

On GraphQL datastore access
If user input alters GraphQL query structure

Actions

  • Block the HTTP request
  • Block the user
  • Log request stack trace
  • Log the malicious request
  • Report an incident

Notifications

  • Send an email to all team members
  • Send a Slack notification
  • Create an incident on PagerDuty (coming soon)

Details

GraphQL was built to delegate query capabilities to the client. In most cases, the query comes directly from the front-end application. It is then parsed and analyzed by the back-end server, and eventually delegated to other systems (like a SQL or NoSQL server, another API, …).

These systems can, in turn, be vulnerable to injection and be exploited through a GraphQL query.

Let’s assume the application lists blog posts. The GraphQL query to list posts with a particular author is:

{
    posts(author: "Jb") {
        title
    }
}

The resolver could translate this into the following SQL:

SELECT * FROM posts WHERE author = 'Jb'

If the parameters placed inside the SQL query are not escaped, a crafted argument such as the following injects into the SQL query:

{
    posts(author: "Jb' UNION SELECT * FROM users -- ") {
        title
    }
}

This results in the following SQL query being sent to the server:

SELECT * FROM posts WHERE author = 'Jb' UNION SELECT * FROM users -- '
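As an added illustration (not Sqreen's code, nor from the original page), the resolver behaviour described above in Python against an in-memory SQLite database: a resolver that splices the `author` argument into SQL, the same resolver with a bound parameter, and a shape comparison of the kind the "user input alters query structure" trigger relies on. The schema, rows and the tokenizer are constructed assumptions for the example.

```python
import re
import sqlite3

# Constructed sample schema (not from the original page). Both tables have three
# columns so that the page's UNION payload produces a well-formed SQL statement.
SCHEMA = """
CREATE TABLE posts (id INTEGER, author TEXT, title TEXT);
CREATE TABLE users (id INTEGER, login TEXT, password_hash TEXT);
INSERT INTO posts VALUES (1, 'Jb', 'Hello GraphQL');
INSERT INTO posts VALUES (2, 'Ann', 'Schema design');
INSERT INTO users VALUES (1, 'admin', 'hash-placeholder');
"""
TEMPLATE = "SELECT * FROM posts WHERE author = '{}'"
# The exact argument value shown on the page for the author argument.
PAYLOAD = "Jb' UNION SELECT * FROM users -- "

def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def build_sql_vulnerable(author):
    """How a naive resolver turns the GraphQL argument into SQL: plain splicing."""
    return TEMPLATE.format(author)

def resolve_posts_vulnerable(db, author):
    return db.execute(build_sql_vulnerable(author)).fetchall()

def resolve_posts_safe(db, author):
    """Same resolver with a bound parameter: the argument can only ever be a value."""
    return db.execute("SELECT * FROM posts WHERE author = ?", (author,)).fetchall()

# Crude SQL tokenizer (assumption): string literal | line comment | word | symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\w+|\S")

def structure(sql):
    """Collapse literals to STR and comments to CMT so only the query shape remains."""
    return ["STR" if t.startswith("'") else "CMT" if t.startswith("--") else t.upper()
            for t in TOKEN.findall(sql)]

def query_structure_altered(final_sql):
    """Did the argument change the query's structure? Compare the shape of the SQL
    actually sent against the shape of the resolver's template with an empty value."""
    return structure(final_sql) != structure(TEMPLATE.format(""))
```

With the page's payload the splicing resolver returns rows from both `posts` and `users`, the parameterized resolver returns nothing, and the shape comparison flags the query because `UNION ... -- '` adds tokens the template never had.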

Advanced details

When the application starts, the Sqreen library hooks the GraphQL library's methods in order to catch queries originating from an untrusted source.

Every other Sqreen plugin then checks that GraphQL data is not involved in an attack.

No traffic redirection is performed. The analysis of the query happens inside the application, relying on Sqreen’s dynamic instrumentation of the GraphQL driver.

By being in-app and running just before the query is sent to the underlying server (the very last step happening in your application), we can guarantee 100% false-positive-free detection of, and protection against, injections originating from GraphQL.

Language support

  • Ruby
  • Node.js
  • PHP
  • Python
  • Java

Data collected by Sqreen

Signals

No data collected

On attack

  • GraphQL queries (stripped of sensitive data)
  • Request payload
  • Attacker IP
  • Attacker account (Sqreen SDK)

Built for developers and modern apps

Get up and running in minutes just by installing our lightweight library. Enable plugins in just a couple of clicks.

Node.js

    $ npm install --save sqreen
    $ echo '{ "token": "your token" }' > sqreen.json

    // This should be the first line of your app
    require('sqreen');

Ruby

    $ echo "gem 'sqreen'" >> Gemfile
    $ bundle install
    $ echo "token: your token" > config/sqreen.yml

PHP

    $ curl -s https://download.sqreen.io/php/install.sh > sqreen-install.sh && bash sqreen-install.sh your token

Python

    $ pip install sqreen
    $ echo -e "[sqreen]\ntoken: your token" > sqreen.ini

    # Insert at the top of your app file (typically wsgi.py or app.py)
    import sqreen
    sqreen.start()

Java

    $ curl https://download.sqreen.io/java/sqreen-latest-all.jar -o sqreen.jar

    // Add JVM startup options:
    -javaagent:/path/to/sqreen.jar -Dsqreen.token={{your token}}

Build amazing products. Keep them safe.

3 min installation · Try all features for 14 days · No credit card required