
Emerging Security Tools Tackle GraphQL Security

New security tools are proactively protecting APIs built with GraphQL, before attacks against them become more commonplace.

Fahmida Y. Rashid, Managing Editor, Features

November 12, 2021


One good thing about GraphQL is that the query language makes it easy to interact with structured data and perform multiple actions with a single API call. However, that same flexibility makes APIs built using GraphQL more difficult to secure, potentially exposing more data than intended.

Salt Security recently updated its Salt Security API Protection Platform to offer more robust tooling for securing GraphQL APIs. The tools rely on artificial intelligence and machine learning to generate a baseline of normal API behavior and identify malicious efforts when the actors are probing the APIs as part of their reconnaissance activities. The company’s goal is to proactively provide developers with tools for securing these APIs before the attacks become more commonplace.

GraphQL is an open source data query language that is gaining traction among many developers as a declarative alternative to REST APIs for fetching data. Originally developed by Facebook and open sourced in 2015, GraphQL enables clients to specify exactly what data they need from an API and underlying services without writing parsing code. GraphQL is organized in terms of types and fields rather than traditional endpoints.

Developers like GraphQL because it is very efficient to exchange information, but its call and response format introduces new risks, says Elad Koren, chief product officer of Salt Security. GraphQL APIs can include many nested requests inside a single API call, which adds to its complexity.

“The biggest advantage is the ability to request exactly what is needed — not more, not less,” Koren says. “But that is also a significant vulnerability, since the data is not limited by structure, and it relies on the API to be properly constructed.”

Something that would be a minor permissions and authorization issue in a REST API, limited to a subset of endpoints, could wind up creating a significant attack surface in GraphQL, Koren says.

GraphQL developers will be able to use Salt Security’s platform to discover APIs and where they expose sensitive data, mitigate data exposure, stop attacks, and eliminate vulnerabilities, the company says. The platform parses the complex structure of the GraphQL queries to identify unique object entities, and builds a complete inventory of GraphQL APIs. This information is used to analyze how each user and API behaves in the day-to-day use of all the APIs to generate a baseline of normal behavior. This way, the platform can identify malicious actors as they probe and interact with the API during the reconnaissance phase of the attack.

It’s worth noting that attacks targeting weaknesses in GraphQL APIs are relatively rare in the developer world, but that may change as the query language grows in popularity. Standard forms of REST APIs are currently the most targeted only because they're so much more prevalent, Koren says.

Malicious actors have already begun developing attack techniques targeting GraphQL capabilities such as nested queries and query batching — a form of brute-force attacks — to run denial-of-service attacks, Koren says. The attackers can launch a DoS by using nested queries that increase the load on the API.
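The nested-query and batching load described above can be bounded before a request reaches the resolver layer. The following is an added example, not code from Salt Security or the article: a pre-execution check that caps selection-set depth and batch size, where `MAX_DEPTH`, `MAX_BATCH`, the function names, and the sample requests are all assumptions made for illustration.

```javascript
// Added example: pre-execution limits for a parsed GraphQL HTTP body.
// MAX_DEPTH and MAX_BATCH are assumed policy values, not from the article.
const MAX_DEPTH = 5;
const MAX_BATCH = 3;

// Returns the deepest selection-set nesting in a query string.
// Skips string literals, # comments, and braces inside argument
// lists (input objects), so only selection sets are counted.
function selectionDepth(query) {
  let depth = 0, max = 0, parens = 0;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (c === '#') {                         // comment runs to end of line
      while (i < query.length && query[i] !== '\n') i++;
    } else if (c === '"') {                  // string or """block string"""
      const close = query.startsWith('"""', i) ? '"""' : '"';
      i += close.length;
      while (i < query.length && !query.startsWith(close, i)) {
        if (query[i] === '\\') i++;          // skip the escaped character
        i++;
      }
      i += close.length - 1;                 // loop increment passes the last quote
    } else if (c === '(') {
      parens++;
    } else if (c === ')') {
      parens = Math.max(0, parens - 1);
    } else if (parens === 0 && c === '{') {
      max = Math.max(max, ++depth);
    } else if (parens === 0 && c === '}') {
      depth--;
    }
  }
  return max;
}

// Accepts a single operation object or an array (batched request).
function checkRequest(body) {
  const ops = Array.isArray(body) ? body : [body];
  if (ops.length > MAX_BATCH) return { ok: false, reason: `batch of ${ops.length} exceeds ${MAX_BATCH}` };
  for (const op of ops) {
    if (!op || typeof op.query !== 'string') return { ok: false, reason: 'missing query' };
    const d = selectionDepth(op.query);
    if (d > MAX_DEPTH) return { ok: false, reason: `depth ${d} exceeds ${MAX_DEPTH}` };
  }
  return { ok: true };
}

// Constructed sample requests.
const normal = { query: '{ user(filter: {id: 1}) { name posts { title } } }' };
const nested = { query: '{ a { b { a { b { a { b { id } } } } } } }' };
const batch = Array.from({ length: 10 }, () => normal);
```

This scanner does not expand fragment spreads or count aliased repeats of the same field inside one operation, so a production check should apply the same limits to the parsed document after fragment resolution.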

Attackers have taken advantage of the complex access control structure in GraphQL to uncover and exploit critical vulnerabilities, Koren says. It would also be possible to use authorization information to propagate a BOLA (broken object level authorization) or BFLA (broken function level authorization) attack.

Underscoring the growing awareness that APIs need to be protected, Data Theorem recently launched its Active Protection suite, which protects the client layer (mobile and Web), the network layer (REST and GraphQL APIs), and the underlying cloud infrastructure.

A 2020 RapidAPI survey found that GraphQL is used by 22.5% of API developers. The number of developers using GraphQL doubled between 2019 and 2020, and the pace of adoption is expected to accelerate even more.

About the Author

Fahmida Y. Rashid

Managing Editor, Features, Dark Reading

As Dark Reading’s managing editor for features, Fahmida Y. Rashid focuses on stories that provide security professionals with the information they need to do their jobs. She has spent over a decade analyzing news events and demystifying security technology for IT professionals and business managers. Prior to specializing in information security, Fahmida wrote about enterprise IT, especially networking, open source, and core internet infrastructure. Before becoming a journalist, she spent over 10 years as an IT professional and has experience as a network administrator, software developer, management consultant, and product manager. Her work has appeared in various business and test trade publications, including VentureBeat, CSO Online, InfoWorld, eWEEK, CRN, PC Magazine, and Tom’s Guide.
