Issue 82: Most common GraphQL vulnerabilities, pentesting with Insomnia

May 7, 2020

This week, we check out GraphQL security, penetration testing with Insomnia and Burp, cheat sheets for OAuth2 and JWT, and what consequences the growth of API economy is posing for cyber security.

Opinion: The 5 most common vulnerabilities in GraphQL

Although the adoption of GraphQL is still fairly limited, it is undeniably on the rise. GraphQL is different from the traditional REST APIs: it is effectively a data query and manipulation language for APIs. When not done right, GraphQL APIs can vastly expand the surface area for data attacks and lead to excessive data exposure.

Carve Systems have published a blog post that summarizes the security issues that they see in GraphQL implementations. According to them, the most common GraphQL security vulnerabilities:

  1. Inconsistent authorization checks
  2. REST proxies allow attacks on underlying APIs
  3. Missing validation of custom scalars
  4. No appropriate rate limiting
  5. Introspection reveals non-public information

They have also provided a link to the sample API they used for the blog post for a more hands-on experience. If you work with or are interested in GraphiQL, definitely worth  checking out.

Cheat sheets: OAuth 2.0 and JWT security

Every now and then, Philippe De Ryck releases great cheat sheets on cybersecurity. His two latest are highly relevant to API security:

  • OAuth 2.0 best practices for developers
  • JSON Web Tokens (JWT)

Grab them at his site here, and keep him on your radar for further handy resources.

Tools: REST API pentesting with Insomnia and Burp

Mic Whitehorn-Gillam posted an article on how to use Insomnia and Burp together for REST API penetration testing. He covers, for example:

  • Getting and installing Insomnia
  • Using Insomnia to post REST requests
  • Proxying Insomnia through Burp
  • Chaining requests

This  is a sequel to his series on Postman and Burp that we covered in our issue 34.

Analysts: Alexei Balanagski (KuppingerCole)

The latest KuppingerCole podcast episode features Alexei Balaganski explaining the cyber security consequences of API proliferation, and what needs to be done about it.

His topics include things like:

  • Proliferation of APIs
  • Examples of breaches
  • Why API security is different from web security and API management, and thus needs specialized solutions
  • How API security needs to span everything from design, development, testing, runtime protection, and monitoring

 

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy

XML Feed

Newsletter Archive

Browse the full archive