
Hey everybody. So I'm going to talk about GraphQL. I'll talk about what it is, since some of you don't know what it is, but at the end of the day we're trying to hack systems that use GraphQL, so that's our end game, and we want to do it without spending much time. Let me reset my timer here. Okay, let me know, are we good? Good, we're good.

Burp is my tool of choice, so we taught Burp how to speak GraphQL, because it did a pretty bad job of it before, and still does until you install this thing. This is me; these are some things that I've done. I've done software development for like 16 years, mostly in web APIs, and I've been doing security for five years professionally, and before that, like most of you, I was also doing all the other things unprofessionally. I've got my OSWE, so I am an expert, a certified expert in web exploitation; don't question me on that. And Azure, but that's not related to this talk.

Okay, so I want to know just who I'm talking to, so I know how to target the talk. How many people, by show of hands, have even heard of GraphQL? That's a little more than half. Okay, next question, but keep your hands up, because I'm not so fast: who uses Burp Suite? Who has used Burp Suite? Most people, okay. So now we're going to get fewer hands: who has pentested GraphQL before? Okay, I see a familiar face in the back, hey, how's it going. And who has pentested GraphQL with Burp? Okay, you people are going to be really happy at the end of this talk.

So here's what we're going to do. Intro, we're already done. We're going to talk about what GraphQL is for those of you who don't know, because most of you do know. It's going to be kind of high level, but I'll explain it enough that the rest of you can still follow along. Then I'm going to talk about what its weaknesses are, how to attack it, what is currently out there. Something I don't go over in here is that there are commercial tools that do this, but they're commercial tools; this is a free tool, and it works for Burp, which I like because I don't like having a whole suite of tools, I like having one central tool personally. Then I'll talk about how it works, then I'll do a little demo, and then you can ask me questions.

Okay, so what even is GraphQL? They call it a query language for APIs. You're familiar with REST APIs; it's just a different body format. I mean, there's more to it, but when you send a request from the browser to the server, the only thing that's different about GraphQL is that the body is formatted differently. There's a JSON object, and inside there there's a query property, and inside there there's the query, which is not quite a JSON object itself, but it's JSON-like. You can see at the top here the request looks like JSON, it's not exactly, but the response is JSON. The whole idea, the whole reason people are using it and the reason it's getting adoption, is because you can have just one endpoint in your API, the /graphql, and then you treat it like a query language, right? The same way you would query your database, except you're using this language, this format. So you have a schema, just like your database would have a schema; your application layer would have a schema: the types of things that you want people to be able to access. So your login would be defined on the schema, your users are defined on the schema, the things that your website does.

The example I'm going to use when I do my demo: some of you may have heard of the Damn Vulnerable Web App. There's a bunch of different ones; these are intentionally vulnerable apps made for testing tools and stuff. This one is the Damn Vulnerable GraphQL App. I didn't make it, but I've been using it a lot to test. So on that application, I'll show you, it's like a pastebin type of thing, so you can query for pastes, you can query for pastes by user, that kind of thing.

Okay, that's why people are using GraphQL, that's why it's cool. With a REST API you've got to define every single endpoint; this just has one, and you define a schema, and then the front end and the people who make your front end can go in, and it gives them a little bit more freedom to be able to do what they want to do. The thing is, it's pretty new, and people don't realize that it's just as vulnerable as your REST API, plus it comes with some bonus vulnerabilities, which I won't really get into too much. It's not what my tool does, but they're denial-of-service related, and not all of them are susceptible to it, so it's not my focus. But essentially, one of the things you might notice is I'm looking here for the hero and their name, but maybe one of these fields is their friend, right? So I can search for their friend: so hero, and then underneath that we have friend, and then underneath that we might have friend, and then underneath that we might have friend. So by doing that you can have a huge, deeply nested query; sometimes there are cyclical queries, and it can cause a denial of service. Most of the modern GraphQL libraries now have a protection against that, which is why we're moving away from focusing on that.

The other thing that's cool is that it self-documents. So it's got a schema that you define, and then there's actually a special kind of query, which I'll get into later, so you would send a request just like this, except it doesn't look like hero, name and height; you request the schema and you get back the entire schema. It's really helpful for hackers, it's helpful for the front end, it's there for a reason. Is it vulnerable? Is it a vulnerability? It's a good question; there are different schools of thought on this, but there's a good reason to have it available, and we use it to make this application, to make our plugin work, which we'll get into.

GraphQL, just a little bit more explanation. In your application code, what you're going to do, the way you make it work, just so it's not some kind of magic: you import, let's say you're running Node (it works for other systems, but Node is what most people are familiar with), there's a GraphQL library you import, and then it's got built-in functions where you define the schema. And the schema kind of looks like the request in a way; it looks sort of like what we're making here, but you'll define more than just your hero, all sorts of things, right? So the schema is like that, but much, much larger. Then you also define the resolvers. Because it's not like Express, where you have an endpoint and then you make a function and then you do something when somebody calls that endpoint; instead now you have resolvers, because somebody's going to call your GraphQL endpoint with a schema, and you're not going to know what the request looks like, because they could make it look like anything that fits the schema. So you have these resolvers that sort of wait for a request and look for what kinds of things you're trying to ask for, and then the resolver is where the logic goes, and it will do the input validation, or not do it, which is what we're banking on, and most of the time it doesn't have it. And then it'll go and say, oh, if someone's trying to fetch a hero, maybe that's in the database, or maybe that's cached or something, so the application logic now goes and does that.

Okay, another thing you need to know about GraphQL is that there are three types of queries in GraphQL. There's a query, which is kind of just like a GET request: you're just fetching data. A query should not change data; it only reads data out of the application, out of the API. A mutation is more like a POST. By the way, it's all done on the POST method, but just for explanation. (Oh my God, that lunch is really... give me a little Burpee pose.) So a mutation is kind of like a POST, where it takes input and it'll change something. So what we haven't seen yet in this request, you haven't seen where there's input, and we'll get to that. I mean, you sort of see these inputs, but these are defined property names in the schema, like you couldn't put name, you couldn't put first name, last name; you only can put name, because the schema doesn't know about first name or last name; you would get back an error message.

Okay, so now let's talk about that self-documenting thing: introspection. This is Sigmund Freud, big fan of introspection. So it's a special kind of query, right? You saw the original one where we're looking for a hero; this one we're looking for the schema. You can Google what an introspection query looks like and just download it; it's really just one particular request. Anyway, you can find it; it's a string, you can use it, you get the schema; it fetches the entire schema. Useful for the front end. Is it vulnerable? I sort of went over that. Some schools of thought say that you should turn it off, because it gives attackers more visibility into your platform, but then GraphQL loses some of its usefulness, because then you have to tell the front end exactly what types of things it can query for. But yeah, if you're trying to build the web API for Fort Knox, you would turn it off, but for anything else you might leave it on.

So this is Burp, right? It knows REST APIs really well, and it uses the active scanner. If anybody has not used the active scanner, essentially it's like a point-and-click adventure for hacking. It doesn't exploit anything, but it's vulnerability hunting. So you'll click around on your website, and if it's a REST API, if the active scanner is turned on, Burp looks at everything you're doing through the proxy and it goes, oh, that's a REST API, that's a JSON object, I know where I can inject things: this is the value of a JSON object, this is the value for a POST request. And it loves REST APIs; it's delicious. But it does not know how to inject into GraphQL, which makes sense: it's new, the format looks a bit wonky. And so that's what I sought out to fix, because right now, and I'll get into it later, that's what it currently looks like when you use the active scanner for a GraphQL request.

Okay, so we need to find some safe injection sites. So you see, excuse me, on the left side it takes a parameter; this is our first view of a parameter here. So you're looking for a human, and you're looking for the human with the ID of a thousand. Now they've decided to put this in string format. Your input can be, there's a lot of built-in types, you can also define your own types, but the built-ins are going to be your standard strings and integers, things like that. You can also use enums, so foot is an enum. So probably you're not going to have much success fuzzing on that enum, on unit, because they'll be predefined, right? But you might have some success if there isn't proper input validation, just like you would see in any REST API. And that's kind of the magic of hunting vulnerabilities in GraphQL: it's not any different than the same kinds of mistakes we make with REST APIs. I'm just going to teach you now how to do that with GraphQL, because most of you probably have not done this or not seen it, and by show of hands that's true.

So this would be our injection point, the 1,000; that's a string, we're going to start shoving stuff in there, and we've got to tell Burp how to shove stuff in there. And by the way, the reason I use the active scanner, and the reason I wanted to make this work for the active scanner, is that the active scanner is great. Of course there's Intruder, which some of you may have heard of; it's another Burp feature where you have a big payload, you tell it where to stick the payload and you just say go, and it's a huge list of payloads that are all SQL injection, or something more relevant today like SSRF injection or something like that. So that's good, but then you have to actually look at each of the results and visually parse: was this an error, is this a good result, is this something that I can use? The active scanner does that automatically. Some of you may know this already: it does what Intruder does, but it also looks at the results and is smart enough to be able to parse the result and go, oh, this smells to me like it might be some kind of code injection, and it'll report that back to you, so you don't have to go through them each individually. It'll also do follow-up tests. So if it thinks it finds SQL injection, the first thing it'll do is test an apostrophe, and if it gets an error that contains the word SQL, for instance, it'll go, this is probably a SQL injection, let me try a different thing, and it'll try two apostrophes next to each other, and if it doesn't get the same error it goes, oh okay, this is probably a SQL injection. So the active scanner is really smart; it does all that kind of stuff for you, which is why I wanted to make it work with the active scanner and not just Intruder and that kind of stuff. It really automates stuff, right?

But when we get to GraphQL, right, I don't know what this means, right? This is kind of what it would look like when you run a GraphQL query. So we've got the query there, and then after it, it thinks that the query is an input string, and then after it, it goes, oh, let me try to put my SQL injection here, right? But it doesn't make any sense from a GraphQL standpoint. It should be where it says public: true, right? It should be in the true; the true there is the input, so that's where it should be putting its payloads. So that's what we're going to teach you to do.

So we get into gently coaching Burp without being condescending. This is what we're looking for; these are our goals. And spoiler alert, this image is the completed realization of that goal. So we want a Burp extension, because I like Burp. We want to take the schema and automatically find every possible request we can make. I don't want to go through each one; I want to take the introspection query and go make all the requests for me and send them to the active scanner, and then I want to tell the active scanner where those injection points are. Burp calls them insertion points; whatever, it's the same thing. I think I may have accidentally interchanged them; insertion points, injection points, same thing. So that's our goal: we want to make an extension for Burp that will make an introspection query, pull down the result, the schema, figure out every single possible request we can make, find all the injection points for all of those requests, and send it to the active scanner and tell the active scanner to just do its business and get back to us when it finds something.

And let me show you here; we'll get back to this in demo time, but on the right side you see, this is actually good, let me take that back. So this is what a query would look like, right? So we've got a JSON object, and in the query property, the value here is the actual GraphQL query, right? And it's a bit hard to see, because the format is sort of funky, so it's got all the whitespace characters built into it, so you've got \n and \t, and then you've got the systemDebug call, which is one of the defined GraphQL things on this particular schema, and then we've got an argument, and the first argument is this parameter that was passed to it. When we were testing it was this code star, and Burp goes, oh, that's between quotation marks, because we've told it where our injection points are, and that's where I'm going to inject my payload. And it's done that successfully, and it's reported it as OS command injection. Hold for applause.

Okay, so this is our plugin; it's called AutoGQL, that's what I'm calling it. So you give it a URL, you customize the headers if you need to (maybe you want to test it while you're logged in, so you give it the authorization headers or cookie headers, whatever), and you click go. That was my goal: give it a URL, if you need to customize the headers, click go, get a coffee, come back, write your report. And that's exactly what it does. So when you click go, it'll run the introspection query, determine every possible request, find the insertion/injection points, send them all to the active scanner, and then you save money and send me a coffee.

So let's do a demo. This is the part that I'm not sure how I'm going to do; I'm gonna have to drag the window over. Okay, so in this, it's got some previous findings from when I was testing this. Oh, let me just show you also what this application looks like. Oh, and you know what, I've got a little extra time, so before demo time let me show you this; this is pretty cool as well. So this is, some of you may have seen this, this is when you take a schema, this awesome tool called GraphQL Voyager visualizes it for you. So this is what our schema on our vulnerable app looks like. So right now we're looking at queries; if I click here on queries it shows all the pre-built queries that I can make. So these are all going to get listed when we do the introspection query and it creates all the different queries. This is what we're going to get: it's going to get this list, all the different inputs, all the types for those inputs. And let me go back to the, I want to, okay, well anyway. So it gives you this nice visualization, so you can actually see everything that's going on in the system, and there might be something in here like, okay, user objects, I want to be able to get passwords, so this would tell you your path to passwords. So you'd have to do a query for users, and one of the things you can ask for is password. I can tell you in this application it doesn't actually send back the password; it fills in the property with some asterisks. But that would be something to try. So anyway, seeing GraphQL in this kind of view helps to find those kinds of things, but the tool is going to do it for you.

Oh yeah, but that's not even the application. Let me just show you quickly the homepage of it, so you can have a little bit of context. This is our Damn Vulnerable GraphQL Application, and it's just a pastebin, basically. So we've got a list of public pastes, which I think I may have run the delete query on, private pastes, yeah, okay. So that's what we're working with; imagine this is our target application, and imagine it because it is.

So I'm going to crane my neck here. So we'll go into the extensions and I'm going to turn it on. And oh, these are also, let me just take a brief moment to talk about some of the people who've done the, the giants upon whose shoulders I'm standing. There's InQL, which will do introspection queries for you; it'll find denial-of-service cycles. There's GraphQL Raider, which will give you a nice little tab in the message editor window, so you can look at GraphQL in a more readable format. But neither of them did what I was trying to achieve, which was just point and click. So this is the AutoGQL scanner. So I'm going to turn this on, and if I made my sacrifice to the demo gods... we got AutoGQL. So it's already, okay, so let me just, for the demo I didn't have an input here; I wanted everything to run smoothly, so the input box isn't showing. It would ask for a URL; the input box for headers isn't showing as well. So I've got a hard-coded URL for this localhost Damn Vulnerable Web App, and as soon as I turned it on it started the introspection query, and then it populated this list, and we can see we've got all these different queries here. So here's this query and here's this mutation. But also, behind the scenes, it has started an active scan. So you see right now we've already made 10 requests. Let me just pop this open, and if we look at audit items we can see that it's already begun scanning; it's already on phase one of a few of them. So nothing yet. I mean, last time I ran this I think it took half an hour to find something, which is actually a pretty reasonable amount of time. And here you can see where it's trying to inject stuff. Let's see if we've got anything useful to show. Okay, not yet, it's working on it, it's going. But yeah, suffice it to say, if I left this running for a while you would see the injection points happening, you would see the payloads going into the injection points. It's also going pretty slowly right now, probably because I'm doing this live. But this is what you would see, right? This is the result. This is me using the exact same tool, just in the lead-up to the talk, doing my testing and stuff: I found all these different OS command injections, there was a SQL injection down here, I think I found some cross-site scripting potentially; it's unsure about that. But yeah, so this command injection: it injected pipe nslookup, and in the response it got some kind of a response related to nslookup, and then Burp Collaborator, if you don't know it, Burp Collaborator spins up a server and then it injects the address of that server, and then it'll tell you whether or not somebody pinged the server, and if it was successful it'll come back and tell you. So we know that we found a successful code injection here. And I'm running out of time, so let me just go straight to, let's go back to the slides.

So that was demo time. Pretty cool, right? You saw I just turned it on and it went. Where's my cursor here? So these are the takeaways. GraphQL is new, and new stuff is lacking in security, because people are building it, they don't understand, they think GraphQL, I don't know why they would think that, but they do, it's more secure because it's new. You know, maybe it is secure in some ways, but still, in the old ways it's not; you still have to validate your inputs, duh. So Burp's active scanner automates vulnerability hunting, and our AutoGQL thing extends it to find all the insertion points, so to find all the possible requests and all the insertion points. You can get it here; it'll be on the next slide too if you don't get a picture. And the whole idea here is it's going to save you massive amounts of time, and also you'll have bragging rights when you break into that GraphQL victim, client, client. So we've got, I think, two minutes for questions. Take a picture of this. We're hiring; I want to talk to you if you've got experience, and I want you to use my tool and make issues and pull requests and all sorts of things.
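The workflow the talk describes (run the introspection query, enumerate every root query and mutation, build a concrete request for each, and mark the argument values as the insertion points the scanner is told about), as an added worked example in Python that is not the AutoGQL extension's own code. The introspection result it parses is a constructed miniature schema modelled on the paste-bin app; the `AUTOGQL` marker value, the `MAX_DEPTH` cap and all function names are this example's own assumptions.

```python
"""Added example (not the speaker's AutoGQL code): turn a GraphQL introspection result into one
request per root query/mutation and record the offsets of every scalar argument value, i.e. the
insertion points a scanner such as Burp's active scanner has to be told about. The schema below is
a constructed, deliberately tiny __schema result modelled on a paste-bin style app."""
import json

def _ref(kind, name=None, of=None):  # constructed helper for building introspection type references
    return {"kind": kind, "name": name, "ofType": of}
STR, INT, BOOL, PASTE = _ref("SCALAR", "String"), _ref("SCALAR", "Int"), _ref("SCALAR", "Boolean"), _ref("OBJECT", "PasteObject")
INTROSPECTION = {"data": {"__schema": {"queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
        {"name": "systemDebug", "args": [{"name": "arg", "type": STR}], "type": STR},
        {"name": "pastes", "args": [{"name": "public", "type": BOOL}, {"name": "limit", "type": INT}], "type": _ref("LIST", of=PASTE)}]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
        {"name": "createPaste", "type": PASTE, "args": [{"name": "title", "type": _ref("NON_NULL", of=STR)}, {"name": "content", "type": STR}]}]},
    {"kind": "OBJECT", "name": "PasteObject", "fields": [  # parent -> PasteObject makes this type cyclic
        {"name": "id", "args": [], "type": INT}, {"name": "title", "args": [], "type": STR}, {"name": "parent", "args": [], "type": PASTE}]},
    {"kind": "SCALAR", "name": "String"}, {"kind": "SCALAR", "name": "Int"}, {"kind": "SCALAR", "name": "Boolean"}]}}}
MAX_DEPTH = 3  # stop expanding nested objects here so cyclic types never turn into a deep, DoS-style query

def base_type(tref):
    """Strip NON_NULL and LIST wrappers to reach the named type."""
    while tref.get("ofType"):
        tref = tref["ofType"]
    return tref

def selection_set(type_name, types, depth):
    """Select every argument-less field of an object type, recursing into nested objects up to MAX_DEPTH."""
    parts = []
    for f in types[type_name].get("fields") or []:
        if f["args"]:
            continue
        base = base_type(f["type"])
        if base["kind"] in ("SCALAR", "ENUM"):
            parts.append(f["name"])
        elif depth < MAX_DEPTH:
            sub = selection_set(base["name"], types, depth + 1)
            if sub:
                parts.append(f["name"] + " { " + sub + " }")
    return " ".join(parts)

def argument_pieces(arg):
    """(text, injectable) pieces for one argument: String/Int values get fuzzed, Boolean/enum tokens do not."""
    name = base_type(arg["type"])["name"]
    if name == "String":
        return [('"', False), ("AUTOGQL", True), ('"', False)]
    if name == "Int":
        return [("1", True)]
    return [("true" if name == "Boolean" else "null", False)]

def build_requests(introspection):
    """One dict per root field: the JSON body exactly as sent on the wire plus (start, end) offsets into it."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    roots = [("query", schema["queryType"]["name"])] + ([("mutation", schema["mutationType"]["name"])] if schema.get("mutationType") else [])
    requests = []
    for op, root in roots:
        for field in types[root].get("fields") or []:
            pieces = [(op + " { " + field["name"], False)]
            for i, arg in enumerate(field["args"]):
                pieces.append((("(" if i == 0 else ", ") + arg["name"] + ": ", False))
                pieces.extend(argument_pieces(arg))
            pieces.append((")" if field["args"] else "", False))
            base = base_type(field["type"])
            if base["kind"] == "OBJECT":
                pieces.append((" { " + selection_set(base["name"], types, 1) + " }", False))
            pieces.append((" }", False))
            body, points = '{"query":"', []
            for text, injectable in pieces:
                escaped = json.dumps(text)[1:-1]  # JSON-escape each piece so offsets match the wire body
                if injectable:
                    points.append((len(body), len(body) + len(escaped)))
                body += escaped
            requests.append({"operation": op, "field": field["name"], "body": body + '"}', "insertion_points": points})
    return requests
```

Each returned body is the exact POST body, and each offset pair brackets one argument value inside it, which is what an extension hands to the scanner as an insertion point.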
Questions. Okay, I see three hands up; we'll start with you.
Yeah.
Yeah.
Right.
Yes.
Yeah, yeah, yeah. So okay, so the question is: with REST APIs, at each REST API endpoint you can do your authorization checks, your validation, but in GraphQL you've just got the one endpoint, so how do you do that? So there's middleware for authentication, and then there are resolvers. A resolver is like your callback; it's the function that, so there are different frameworks, different GraphQL frameworks, and they all work a little bit differently, but essentially you have the opportunity to look at what was queried and then act upon that query. So if somebody queries for users, let's say, you can say, before you do any of the logic, is this person authorized to query for users, or this user, or these parameters. So I didn't get into code examples of how you would build it, but if you go into the hello worlds and stuff, it's more simple, I think, than even I'm making it out to be. But yeah, there are places to put your functions for that kind of logic. Does that answer your question? Yeah, you've got to visualize it, right? Yeah, yeah.
Yeah, yeah, I think it definitely is; it takes a mental shift to think about how they do it, because you won't be doing the authorization checks at the endpoint. Getting the cane. So if you guys have any more questions, come ask me questions.