The Burp Scanner’s new GraphQL capabilities allow it to recognize known endpoints, locate hidden endpoints, determine whether introspection or recommendations are enabled, and report when an endpoint fails to validate the content type.
Portswigger, the firm behind the renowned web application security testing tool Burp Suite, has announced that Burp Scanner’s new GraphQL checks will automatically indicate multiple instances of GraphQL vulnerabilities during penetration testing.
In most cases, implementation and design problems lead to GraphQL vulnerabilities. Attacks using GraphQL often take the form of malicious requests that provide the attacker access to data or allow them to carry out unauthorized operations.
These attacks may be quite damaging, especially if the user manages to obtain administrator rights by tampering with queries or using a CSRF vulnerability. Information disclosure problems may also result from GraphQL API vulnerabilities.
Identify GraphQL API Flaws
Burp Scanner makes it easy to find the GraphQL endpoint on websites rather than having to manually search through them.
“We’ve defined some passive and active scan checks to find known endpoints automatically, allowing you to focus on finding the vulnerabilities,” the company stated.
When deploying a GraphQL endpoint to production by accident, for instance, a developer can do so without using it on the website.
Even if a site isn’t utilizing GraphQL, Burp Suite will search for common endpoints and finds hidden deployments.
Given that a vulnerability will likely be discovered if it’s an unintentional deployment, these endpoints might be an invaluable resource for a tester.
Introspection lets you execute a query on the real schema to discover what queries it supports. Because a website might not wish to reveal the inner workings of its API to the public, it is frequently disabled in production.
Burp will detect whether introspection is enabled; while this isn’t a vulnerability in and of itself, it may be beneficial to a tester to help test the site and to a developer to serve as a reminder to turn it off in production.
Further, the company stated that to assist in creating a proper query, certain GraphQL servers, such as Apollo, will offer recommendations when you submit an incorrect query.
Hence, even with introspection turned off, a tester may still utilize this to identify the underlying schema by using a word dictionary and the suggested answer as an oracle.
A valid schema may be created from a dictionary using a tool like clairvoyance. You may locate endpoints with recommendations enabled and report them using Burp.
A POST method with an application/json content type is used by the majority of GraphQL endpoints.
A browser cannot make this request without utilizing CORS (Cross-origin resource sharing ) if the content type is appropriately verified since sending the proper content type will be impossible.
This protects the endpoint against CSRF (Cross-site request forgery).
However, it may be feasible to abuse the GraphQL endpoint by forging queries if a site does not check the content type and does not utilize a CSRF token, provided mitigations like SameSite cookies may be disregarded or neutralized due to the SameSite None flag.
Burp will alert the user if a POST request with application/x-www-form-urlencoding or a GET request to the endpoint may be forged.
Conclusion
One of the most well-liked approaches to creating APIs and data-driven apps is now GraphQL. Traditional REST APIs provide a predetermined set of endpoints and replies, but GraphQL enables clients to query for just the data they want, increasing flexibility and efficiency for both client and server.
Knowing the most recent tools will help penetration testers uncover the most recent vulnerabilities. Today’s websites frequently employ GraphQL APIs, which expose the attack surface for a variety of security problems.
“AI-based email security measures Protect your business From Email Threats!” – Request a Free Demo.