Finding GraphQL API Vulnerabilities with Burp Suite


In the field of penetration testing, keeping up-to-date with the latest vulnerabilities is paramount. One such frontier is GraphQL APIs, which have become commonplace in modern websites and present an array of potential security pitfalls.

Burp Scanner, with its newly added GraphQL checks, can automatically detect and report a variety of GraphQL vulnerabilities during your penetration tests. These capabilities are available in the most recent version of Burp Suite Professional.

Here’s a brief overview of the scan checks for GraphQL included in Burp Suite:

  1. Locating Known Endpoints: Manually scouring a website to locate the GraphQL endpoint can be a cumbersome task. To simplify this process, Burp Scanner conducts both active and passive scan checks to automatically identify known endpoints. This enables you to channel your efforts towards vulnerability detection.
  2. Discovering Hidden Endpoints: In some cases, a GraphQL endpoint might be deployed unintentionally, and such endpoints could be missed as they may not be actively used on the site. Burp Suite can detect these hidden GraphQL deployments by looking for common endpoints. Unintentional deployments often harbor vulnerabilities, making them a valuable discovery for a penetration tester.
  3. Identifying Introspection: Introspection permits a query to be run on the schema to see which queries it supports. While not a vulnerability per se, it can be an invaluable tool for a tester. Introspection is typically deactivated in production to prevent exposing the API’s inner workings. Burp can detect if introspection is enabled, which can aid in testing the site and act as a reminder for developers to disable it in production.
  4. Detecting Suggestions: Some GraphQL servers, such as Apollo, provide suggestions to help construct a valid query when an invalid one is made. Even with introspection disabled, a tester can use this to uncover the underlying schema by using a word dictionary and the suggestion response. Burp helps identify endpoints where suggestions are enabled.
  5. Checking Content Type Validation: Typically, GraphQL endpoints use a POST method with an application/json content type. If a site does not validate the content type correctly and lacks a CSRF token, the GraphQL endpoint may be vulnerable to request forgery. Burp will flag if the endpoint request can be forged using a GET request or an application/x-www-form-urlencoded POST request.
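As an added example that is not PortSwigger's code, the following server-side guard enforces the rule the content-type check above tests for: if a GraphQL endpoint accepts only POST requests whose media type is application/json, a cross-site HTML form (which can only produce GET, or POST with form-urlencoded, multipart or text/plain bodies) cannot drive it. The request shape, function names and sample requests are hypothetical.

```javascript
// Added example: a guard for a GraphQL endpoint that only lets through POST
// requests with an application/json body. It is the hardened counterpart of
// the "content type not validated" finding: GET and form-encoded POSTs are the
// two shapes an attacker-controlled page can produce without a CORS preflight.
// Function names and the minimal {method, headers} request shape are hypothetical.

// Parse "type/subtype; param=value" into a lowercased media type, ignoring
// parameters such as charset. Returns null for a missing or malformed header.
function mediaType(contentType) {
  if (typeof contentType !== "string") return null;
  const type = contentType.split(";")[0].trim().toLowerCase();
  return /^[\w.+-]+\/[\w.+-]+$/.test(type) ? type : null;
}

// Decide whether a request may reach the GraphQL resolver.
// Header names are matched case-insensitively, as HTTP requires.
function checkGraphQLRequest(req) {
  const header = (name) => {
    const key = Object.keys(req.headers || {}).find((k) => k.toLowerCase() === name);
    return key ? req.headers[key] : undefined;
  };
  if (req.method !== "POST") {
    // A GET is forgeable with a plain link or <img> tag and ends up in caches and logs.
    return { allowed: false, reason: `method ${req.method} not allowed` };
  }
  const type = mediaType(header("content-type"));
  if (type !== "application/json") {
    // Rejects form-urlencoded, multipart, text/plain and a missing header alike.
    return { allowed: false, reason: `content type ${type ?? "missing"} rejected` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests, one per outcome Burp's check distinguishes.
const samples = {
  legitimate: { method: "POST", headers: { "Content-Type": "application/json; charset=utf-8" } },
  forgedGet:  { method: "GET",  headers: {} },
  forgedForm: { method: "POST", headers: { "content-type": "application/x-www-form-urlencoded" } },
  textPlain:  { method: "POST", headers: { "Content-Type": "text/plain" } },
};

// Returns a name -> allowed map for the samples above.
function runSamples() {
  const out = {};
  for (const [name, req] of Object.entries(samples)) out[name] = checkGraphQLRequest(req).allowed;
  return out;
}

console.log(runSamples()); // { legitimate: true, forgedGet: false, forgedForm: false, textPlain: false }
```

This closes only the HTML-form path; a CORS policy that reflects arbitrary origins with credentials would reopen the same endpoint to cross-origin fetch requests, so review both together.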

To delve deeper into GraphQL, including how it works, discovery and exploitation techniques, and how GraphQL vulnerabilities can lead to information disclosure and CSRF, explore the Web Security Academy. It offers extensive learning materials and interactive labs for hands-on practice.

Source: PortSwigger
