GraphQL, the open source query language for application programming interfaces (APIs), is very powerful. With great power comes great responsibility, as Spider-Man reminds us, and sometimes developers go badly wrong. That’s exactly what happened, according to Salt Security, a leading API security company, when its researchers found a GraphQL API authorization vulnerability in a B2B financial technology (FinTech) platform.
Salt Labs, Salt Security’s research branch, found the security holes while investigating the FinTech company’s mobile applications and Software-as-a-Service (SaaS) platform. The root of the problem lay in authorization-level flaws. Such errors are endemic with GraphQL nested queries, and Salt Labs found that the failure to implement authorization checks correctly meant the researchers could submit unauthorized transactions against any customer account and harvest any customer’s sensitive data.
“GraphQL provides some advantages in query options compared to REST APIs. With this flexibility, however, comes risk, since a single API call can include multiple separate queries,” said Roey Eliyahu, Salt Security’s co-founder and CEO. “As GraphQL gains traction, our goal is to provide users with the intelligence, capabilities, and support to develop more secure API environments.”
All too Easy
With GraphQL, it’s all too easy to leave such security holes in your GraphQL code. That’s because, as Khalil Stemmler, a developer advocate at the GraphQL developer company, Apollo, has pointed out, “GraphQL gives clients the ability to ask for data in a variety of different ways. Because of the various entry-points available to request data, it’s possible to write exceptionally large nested queries.”
He’s not kidding. It is all too possible to write GraphQL queries that, while perfectly legitimate, can crash your server or eat up far more of your cloud resources than your budget can handle.
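One standard defense against the oversized nested queries described above is to measure a query before executing it. The following is an added example, not code from the article or from Salt Security, and it models a parsed GraphQL selection set as a plain object (field name to nested selection, an empty object for a leaf) rather than using a real GraphQL engine; the limits and the sample queries are constructed for illustration.

```javascript
// Walks a selection set (field -> nested selection, {} for a leaf) and returns its
// maximum nesting depth and the total number of fields requested.
function measure(selection, depth = 1) {
  let maxDepth = depth, fields = 0;
  for (const sub of Object.values(selection)) {
    fields += 1;
    if (sub && Object.keys(sub).length > 0) {
      const m = measure(sub, depth + 1);
      maxDepth = Math.max(maxDepth, m.maxDepth);
      fields += m.fields;
    }
  }
  return { maxDepth, fields };
}

// Gate to run before execution: a query that exceeds either budget is refused, so
// a syntactically legitimate but pathological query never reaches the resolvers.
function admit(selection, { maxDepth = 5, maxFields = 100 } = {}) {
  const m = measure(selection);
  if (m.maxDepth > maxDepth) return { ok: false, reason: `depth ${m.maxDepth} > ${maxDepth}` };
  if (m.fields > maxFields) return { ok: false, reason: `fields ${m.fields} > ${maxFields}` };
  return { ok: true, ...m };
}

// Constructed sample queries: an ordinary one, and a self-referencing chain of the
// kind the article warns about (account -> transactions -> account -> ...).
const normalQuery = { account: { id: {}, balance: {}, transactions: { id: {}, amount: {} } } };
function buildChain(n) { return n === 0 ? {} : { account: { transactions: buildChain(n - 1) } }; }
const deepQuery = buildChain(20); // 40 levels deep
```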
Set an API Security Strategy
In addition, according to the Salt Security State of API Security Report, Q3 2021, 62% of organizations have no or just a basic API security strategy in place. There is no excuse for this. As the OWASP GraphQL Cheat Sheet points out, if you leave your APIs open to simple attacks by not validating or sanitizing your API queries, you can end up in a world of hurt. Can you say, for example, SQL Injection? I knew you could.
As Brian Schwarz, Fortinet‘s director of application security products, recently observed, organizations “may have multiple development teams with their own approach and level of scrutiny. This decentralized approach makes it difficult to maintain a consistent security posture across the API attack surface.”
Indeed it is, and this protection weakness is particularly worrisome since cyberattacks targeting APIs are on the rise alongside the adoption of relatively new technologies such as GraphQL, whose adoption doubled from 2020 to 2021.
In this particular case, Salt Labs uncovered a GraphQL authorization flaw that could have been used to manipulate API calls to exfiltrate sensitive user data and initiate unauthorized transactions. This is not what you want from your FinTech applications.
Adding insult to injury, the platform also made API calls to an endpoint that required no authentication. In other words, anyone could enter a transaction identifier and look up past financial transactions. Put both flaws together, and an attacker could steal vital user information, and, oh yes, transfer funds out of customers’ accounts without their knowledge. This is a critical failure if ever there was one.
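The authorization flaw described here and in the Salt Labs findings above is the classic one where the check sits only on the top-level entry point, while the same object is reachable unchecked through a nested path. The following is an added illustration, not code from the article or from the platform Salt Labs examined: the data, the resolver names (Query.account, Query.transaction, Transaction.account) and the tiny executor standing in for a GraphQL engine are all constructed.

```javascript
// Constructed sample data for a hypothetical platform (not the one in the article).
const accounts = { a1: { owner: "alice", balance: 500 }, a2: { owner: "bob", balance: 9000 } };
const transactions = { t1: { accountId: "a2", amount: 42 } };

// Object-level check: a caller may only see accounts they own.
function authorizeAccount(acct, ctx) {
  if (!acct || acct.owner !== ctx.user) throw new Error("forbidden");
  return acct;
}

// Vulnerable: only the top-level Query.account entry point checks ownership.
// Query.transaction and the nested Transaction.account path return data unchecked.
const vulnerable = {
  Query: {
    account: (_, { id }, ctx) => authorizeAccount(accounts[id], ctx),
    transaction: (_, { id }) => transactions[id] ?? null,
  },
  Transaction: { account: (tx) => accounts[tx.accountId] },
};

// Hardened: every resolver that hands back account data applies the same object-level
// check, so the outcome no longer depends on which path the client used to reach it.
const hardened = {
  Query: {
    account: (_, { id }, ctx) => authorizeAccount(accounts[id], ctx),
    transaction: (_, { id }, ctx) => {
      const tx = transactions[id] ?? null;
      if (tx) authorizeAccount(accounts[tx.accountId], ctx);
      return tx;
    },
  },
  Transaction: { account: (tx, _a, ctx) => authorizeAccount(accounts[tx.accountId], ctx) },
};

// Tiny executor standing in for a GraphQL engine: walks a nested selection set,
// calling a resolver where one exists and reading the parent's field otherwise.
function execute(resolvers, ctx, type, parent, selection) {
  const out = {};
  for (const [field, spec] of Object.entries(selection)) {
    const resolve = resolvers[type]?.[field];
    const value = resolve ? resolve(parent, spec.args ?? {}, ctx) : parent[field];
    out[field] = spec.select && value != null
      ? execute(resolvers, ctx, spec.type, value, spec.select) : value;
  }
  return out;
}

// Same as `{ transaction(id: "t1") { account { balance } } }`; t1 belongs to bob's account.
const nestedQuery = { transaction: { args: { id: "t1" }, type: "Transaction",
  select: { account: { type: "Account", select: { balance: {} } } } } };
// Runs the nested query as the given user; returns the result, or { error } if refused.
function run(resolvers, user) {
  try { return execute(resolvers, { user }, "Query", null, nestedQuery); }
  catch (e) { return { error: e.message }; }
}
```

Run as alice, the vulnerable resolvers hand back bob's balance through the nested path even though Query.account would have refused her, while the hardened set refuses at the transaction resolver.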
“Without dedicated API security tooling in place, organizations with API-based applications and platforms are opening the door to serious risks. The prevailing assumption in the industry around GraphQL is that these APIs are uncommon, obscure targets of attack and therefore safer,” said Michael Isbitski, Salt Security’s Technical Evangelist.
Security as an Afterthought
Really, can anyone be that stupid today? Oh yeah, that’s right: for many programmers, security comes as an afterthought.
Isbitski continued, “Security through obscurity has always been a poor strategy, and the complexity of GraphQL APIs makes securing them more challenging. The Salt Labs research demonstrates that missteps in GraphQL APIs are leading to vulnerabilities and new attack vectors that leave organizations at risk.”
It would be great if API gateways and web application firewalls (WAFs) were enough. They aren’t. As Curtis Simpson, a CISO at Armis Security, said, “Tools like WAFs and API gateways don’t have any context for what’s happening across APIs and, in turn, cannot effectively detect or protect against exploitation. Salt pulls together all the activity of all users, so it can find and stop attackers in their tracks.”
Purpose-Built Security Tool
Thus, Salt Labs suggests that its newly updated Salt Security API Protection Platform is what you need. This is a purpose-built API security tool to protect GraphQL APIs across their entire life cycle. With it, you can discover APIs, mitigate data exposure, stop attacks, and eliminate vulnerabilities at their source.
This works by applying its API Context Engine (ACE) architecture. This uses an AI/ML-based big data engine to parse each GraphQL query, identify unique object entities, deliver a complete inventory of GraphQL APIs, and establish a baseline for identifying and stopping attacks. It also integrates with popular API DevOps tools, such as Apigee, MuleSoft, and Kong, to streamline remediation.
You can check Salt Security’s offerings out to see if they will meet your demands. Considering how much trouble you can get in if you get your GraphQL APIs wrong, I urge you to look at these.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Armis.