It has never been easier to make a GraphQL server. But ensuring your server is secure is another thing entirely. GraphQL is a flexible technology. This flexibility is beneficial to architects who are designing a new GraphQL API, and frontend engineers building new experiences. Attackers also love this flexibility. It gives them new avenues for finding data incorrectly protected by authorization. It gives them the ability to scrape your entire site from a self-introspecting endpoint. They could even just write massive queries to take down a server entirely.

Below, we will walk through the 5 problems that your GraphQL server…

Learn how attackers can scrape your site, or execute denial-of-service attacks, using your publicly available GraphQL interface. They can do this in one of four ways: by carefully constructing a single large query, by writing many parallel queries that fetch related data, by using batched requests to issue many queries back-to-back, and finally by simply sending a large volume of requests.

How the attack works

Scrapers are a fact of the web. They do everything possible to pull information from your site for their own purposes. Heck, scrapers aren’t even necessarily bad. After all, the GoogleBot that indexes sites for Google…

Learn about the denial-of-service queries that attackers can use to overwhelm unprotected GraphQL servers.

How the attack works

Let’s say that an attacker is trying to overwhelm GitHub’s API to take it down. They don’t have a reason for doing this. They just want to.

They examine GitHub’s GraphiQL instance and they notice something interesting: users and repositories recursively refer to each other. This means that for any user, you can get their repositories. For any repository, you can get its contributors as users. This means that attackers can create queries that recurse as deep as they want!

The pseudocode for the query would…

Jacob Voytko

Runnin’ my own business. Previously staff engineer @ Etsy, before that I worked on Google Docs
