Offensive security tool speeds up the process of exposing hard-to-find security flaws
InQL, a new open source tool released by Doyensec, aims to help speed up the process of finding security flaws in applications that use GraphQL.
GraphQL is a language initially developed at Facebook to run queries against servers. Its declarative format makes it more versatile than traditional REST APIs and has contributed to its rise in popularity in recent years.
However, the simplicity of GraphQL does come with some caveats. “Since GraphQL is a more declarative language, with respect to normal APIs, it’s usually more difficult to detect vulnerabilities with standard code inspection,” Doyensec researcher Andrea Brancaleoni told The Daily Swig.
“GraphQL addresses some of the traditional web vulnerabilities but it doesn’t protect by default against access control flaws, insecure direct object reference (IDOR) vulnerabilities and information leakage.”
For instance, a common mistake developers make is to create user models containing confidential fields such as password reset tokens that are not redacted and are leaked in query results.
Finding such bugs requires invoking all application queries and mutations, which is often difficult to achieve.
Time for introspection
Developed by Doyensec, InQL is available as a standalone application or an extension for Burp Suite
The tool’s ‘introspection’ feature allows applications to ask a GraphQL endpoint for the queries it supports. This makes it possible to extract all the available fields and ensure coverage during testing. (Incidentally, InQL gets its name from Introspection and GraphQL.)
InQL then creates a structured schema of the GraphQL endpoint and generates query templates that can be combined with other security tools to speed up the process of exposing vulnerabilities.
“As with all new tech stacks, it is important to understand the limitations of the framework in order to build secure and reliable applications,” Brancaleoni says.
“Our considerable experience with auditing major GraphQL-based platforms suggests that developers are generally aware of such limitations and that those types of vulnerabilities are usually exceptions.”
He added: “On the other hand, we expect vulnerabilities and attacks against GraphQL to improve over time since this is a new field of research.”
Burp Suite integration
There are several open source tools that address different aspect of GraphQL security.
GraphQLmap is a penetration testing scripting engine that interacts with GraphQL endpoints and performs tasks such as schema dumping and SQL injection.
In addition, graphqlschema2payload is a reverse engineering tool that can explore GraphQL schemas and create tests for QA and pen testing.
“With InQL, we have tried to consolidate all these functionalities to allow rapid web testing within Burp Suite,” Brancaleoni says.
“Security testers shouldn’t think about session management and other issues, but rather focus on the actual testing effort.”
InQL’s integration with Burp also enables the tool to take advantage of the security software’s built-in functionalities.
“For instance, the ability to send query templates to Burp’s Repeater after the introspection allows pen testers to work in the same way they would normally do with Rest API testing,” Brancaleoni says.
Future developments
Before releasing it to the public, Doyensec used InQL internally for over 10 months and performed multiple iterations on the design and implementation based on feedback from in-house researchers
The researchers expect, however, that the tool’s public release will highlight some of its current limitations and bugs.
“During the upcoming weeks, we will focus on fixing such issues and improving reliability,” Brancaleoni said.
“In the medium to long term, we plan to integrate authorization and IDOR checks to facilitate testing. Finally, we believe that the InQL approach can be successfully employed for other API definition languages such as GRPC or Apache Thrift.”
He added: “In the future, we might consider extending the tool to such frameworks.”
YOU MIGHT ALSO LIKE Latest web hacking tools – Q1 2020
