large_Best-New-DevOps-Tool.png

medium_Best-New-DevOps-Tool.png

small_Best-New-DevOps-Tool.png

thumbnail_Best-New-DevOps-Tool.png

Best-New-DevOps-Tool.png

We’re proud to announce that Inigo has been named one of the very few DevOps Dozen finalists in the Best New DevOps Tools category.

We’re proud to announce that Inigo has been named one of the very few [DevOps Dozen finalists](https://devopsdozen.com/) in the _Best New DevOps Tools_ category. The awards hone in on the “best, brightest, and most impactful” DevOps and developer tools from the past year across several categories.

As always, the DevOps Dozen are put together by the Techstrong Group, the company behind some of the best developer-centric cloud native and security publications—including DevOps.com, Container Journal, and Security Boulevard.

Here’s what DevOps Dozen had to say about our platform:

>“Inigo is a new GraphQL API management platform for DevOps/DevSecOps teams that offers a unique one-stop-shop for GraphQL API security, analytics, and developer productivity at scale. Inigo enables developers to avoid resource-heavy in-house tools that are costly to maintain and prone to errors. Inigo offers the absolute best developer experience around GraphQL APIs, so developer teams can scale with confidence and efficiency.”

We’re excited to be named a finalist in this newcomer category alongside some great new tools. If you’d like to throw your vote to Inigo as the category winner, [you can do that right here](https://www.surveymonkey.com/r/DevOpsDozenAwards2022)!



Inigo Named One of the Best New DevOps Tools by the Techstrong Group

large_Operation Name Security.png

medium_Operation Name Security.png

small_Operation Name Security.png

thumbnail_Operation Name Security.png

Operation Name Security.png

Experimenting with Operation Name characters. Despite the specification describing what characters should and should not be interpreted, there are deviations from the norm. This is why it is important to know your implementation well.

Operation Names in GraphQL are an optional string a client can specify to describe the operation, also called Named Operation ([Section 5.2.1](https://spec.graphql.org/October2021/#sec-Named-Operation-Definitions)) of the GraphQL specification.

The specification outlines the following rules as they relate to Operation Names:

- For each operation definition operation in the document.
- Let operationName be the name of operation.
- If operationName exists
-- Let operations be all operation definitions in the document named operationName.
-- operations must be a set of one.

This means that a document with more than one query or mutation must include operation names for each, and they must be uniquely named.

For example, the following document is valid:
```
query First {
 pastes {
 content 
 }
}

query Second {
 pastes {
 content 
 }
}
```
And this document is invalid because two queries use the same operation name, violating the uniqueness requirement:
```
query First {
 pastes {
 content 
 }
}

query First {
 pastes {
 content 
 }
}
```
This document is also invalid because only one query has a defined operation name in the document:
```
query First {
 pastes {
 content 
 }
}

query {
 pastes {
 content 
 }
}
```
When a request is sent to a GraphQL API with more than one operation, a client would need to specify the operationName JSON key with the specific named operation of interest to run it:
```
{
 "query":"query First { pastes { content } } query Second { pastes { content } }", 
 "operationName":"First", 
 "variables":[]
}
```
If the operationName JSON key is not defined but the query document contains two named operations, the GraphQL server may respond with the following:
```
{
 "errors": [
 {
 "message": "Must provide operation name if query contains multiple operations.",
 "extensions": {
 "code": "INTERNAL_SERVER_ERROR"
 }
 }
 ]
}
```
So, operation names are optional if a document contains one operation, but once it contains more than one, operation names are required and must be unique (i.e. not repeated).

Applications may log the operation names used by client queries for analytics and debugging. They are used by analytic tools to determine, for example, performant and non-performant queries and often are used instead of logging the entire query payload.
 
Have you ever asked yourself: what characters can be used in a named operation? Let’s see what is accepted versus not accepted with some Python-fu.

![Operation Name Structure.png](/uploads/Operation_Name_Structure_9345f3fdee.png)

## Experimenting with Operation Name Characters

For the purpose of this test, we used Sangria, Apollo, graphql-ruby, Graphene and HyperGraphQL as the targeted GraphQL servers a mix of seasoned and newer implementations, and used the following script to test various combination of operation name characters, while removing [ignored tokens](https://spec.graphql.org/October2021/#sec-Language.Source-Text.Ignored-Tokens) such as hashes (#) commas (,) and whitespace. 
```
import string
import time
import random
import requests

def randomize(N):
 random_int = random.randint(1, 7)
 strings = {1: string.ascii_lowercase + string.digits,
 2: string.ascii_lowercase + random.choice(string.punctuation),
 3: string.digits + random.choice(string.punctuation),
 4: string.punctuation,
 5: string.ascii_lowercase,
 6: string.digits,
 7: string.printable}

 chosen = strings[random_int]
 chosen = chosen.replace(' ', '')
 chosen = chosen.replace('#', '')
 chosen = chosen.replace(',','')
 chosen = random.sample(chosen, len(chosen))


 return ''.join(random.choice(chosen) for _ in range(N))


while True:
 opName = randomize(5)
 query = """
 query {0} {{
 __typename
 }}""".format(opName)


 r = requests.post('http://test.inigo.local', json={"query":query})

 if r.ok:
 print(f'Accepted: {opName}')
 else:
 print(f'Not accepted: {opName}')
```

Running the code produces the following results:
```
Accepted: k4qcb
Accepted: lzort
Not accepted: ]}VKV
Not accepted: 69071
Not accepted: \|&!~
Accepted: fclue
Not accepted: 2kxq6
Not accepted: $&${}
Accepted: _5157
Not accepted: +_'!)
Accepted: ztb0v
```
## Tests Breakdown

![Experimenting with Operation Names.png](/uploads/Experimenting_with_Operation_Names_bea8ce6a46.png)

Symbols such as greater than (>) or less than (<) typically used in Cross-Site Scripting payloads aren’t allowed, neither single-quotes or double quotes, equal sign, and others in most cases. One anomaly was **HyperGraphQL**, a Java-based GraphQL server, which allowed characters such as: `+><;^%~+ as operation name.

![Operation Name HyperGraphQL.png](/uploads/Operation_Name_Hyper_Graph_QL_7cd392d24d.png)


This was an interesting experiment. Despite the specification describing what characters should and should not be interpreted, there are deviations from the norm. This is why it is important to know your implementation well.

With Inigo, you can define strict rules on what operation names (as well as other components of the document) to accept from clients, so no matter what GraphQL servers you use, your policy is strict across all of them.
```
kind: Security
name: demo
label: starwars
spec:
 validation:
 alias_name: "^[a-zA-Z]+$"
 directive_name: "^[a-zA-Z]+$"
 operation_name: "^[a-zA-Z]+$"
 arguments:
 String: "^[a-zA-Z]+$"
```
Inigo can help you enforce the use of operation names across all your queries, in addition to applying a strict security policy so that operation names are limited to a safer subset of characters. Reach out to us for more information on how we can enforce security policies across all your GraphQL fleet

Operation Name Security in GraphQL

large_Array-based Query Batching.png

medium_Array-based Query Batching.png

small_Array-based Query Batching.png

thumbnail_Array-based Query Batching.png

Array-based Query Batching.png

Watch out from array batching. It is possible to batch queries together by adding them to an array and sending them to a GraphQL server. This option is not available in all implementations and also isn’t specifically mentioned in the GraphQL specification.

In the [previous post](https://inigo.io/blog/defeating_controls_with_alias-based_query_batching), we discussed the way threat actors can optimize attacks to defeat authentication controls using query batching based on GraphQL aliases.

Aliases are great because they are part of the [GraphQL specification](https://spec.graphql.org/October2021/#sec-Field-Alias) as shown in section 2.5. So, when you run into a GraphQL API, you should expect to have aliases available at your fingertips.

Aliases have one disadvantage - they can only be applied to either queries, or mutations, but not both at the same time in a single HTTP request. Another approach to query batching is by using arrays.

It is possible to batch queries together by adding them to an array and sending them to a GraphQL server. This option is not available in all implementations and also isn’t specifically mentioned in the GraphQL specification. 

It is quite easy to test whether a GraphQL API support arrays, here is how you can do this in Python using the requests library:
```
import requests

queries = [
  {"query":"query { __typename }"},
  {"query":"query { __typename }"}
]

requests.post('http://localhost:5013/graphql', json=queries)
```
If you prefer cURL, you can test whether the GraphQL server supports arrays like so:
```
curl -X POST http://example.inigo.local/graphql -H "Content-Type: application/json" -d '[{"query":"query { __typename }"}, {"query":"query { __typename }"}]' 
```
The response that comes back to queries sent in an array would include multiple data keys, each containing a separate response:
```
[
   {"data":{"__typename":"Query"}},
   {"data":{"__typename":"Query"}}
]
```
When GraphQL servers see an array (and when they support them), they will process each query one after another in sequence, and return a response once all of them are resolved. Here is how the [Graphene-django implementation handles arrays](https://github.com/graphql-python/graphene-django/blob/master/graphene_django/views.py#L168-L179). 

![Array GraphQL.png](/uploads/Array_Graph_QL_ea12888890.png)

The advantage of arrays is that you can mix queries and mutations together, like so:
```
import requests

queries = [
  {"query":"query { __typename }"},
  {"query":"mutation { createUser(user:”user1”) { id } }}"}
]

requests.post('http://example.inigo.local/graphql', json=queries)
```
So, if you have an API flow that requires sending a mix of queries and mutations together to get to some desired state, arrays make it easier.  Aliases on the other hand can only be used to batch queries of the same root type. 

Arrays have one major disadvantage - they aren’t available everywhere. We recommend reading the documentation of the GraphQL implementation in use in your production environment to learn if arrays are supported (or simply try a query against it to figure it out) and whether they can be disabled. 

Whether you are using a popular GraphQL server or you’ve built your own, using Inigo’s GraphQL Security and Management platform works independently and is completely server-agnostic, which protects any GraphQL APIs and helps introduce security controls no matter what GraphQL server you use.


Defeating Controls with Array-based Query Batching

home

home_1_developers

Get the most out of GraphQL with Inigo's **one-stop-shop** platform for complete GraphQL protection and adoption.

# DEVELOPERS, IT'S TIME TO **SUPERCHARGE** YOUR GRAPHQL

home_news

## In the News

home_2_complete

We take GraphQL to the next level. Inigo is a dynamic plug-and-play platform that works with any GraphQL server. With schema-based access control, granular analytics, dynamic rate-limiting, an intuitive interface, and plenty more, Inigo is everything you need to speed up your API adoption.

## Your Complete GraphQL Security and Management Platform

home_3_boost

Standard API gateways are blind to GraphQL attack surfaces. Without purpose-built protection for GraphQL, API calls can be easily bypassed. This lack of sophisticated tooling has led to high-profile DoS attacks and data leaks.

## Boost GraphQL Protection to Ensure Compliance

home_4_understand_graphql

Standard monitoring tools overlook GraphQL query insights, and valuable BI is often lost. Gain a unique and in-depth understanding of GraphQL usage—at any scale—through granular insights into the field level, query paths, and server health.

## Understand GraphQL Patterns to Improve Application Performance

home_5_streamline_graphql

Avoid resource-heavy in-house tools that are costly to maintain and prone to errors. Inigo offers the absolute best developer experience around GraphQL, so you can scale with confidence and efficiency.

Platform

Developers

About

Blog

Login

DEVELOPERS, IT'S TIME TO SUPERCHARGE YOUR GRAPHQL

In the News

Your Complete GraphQL Security and Management Platform

Boost GraphQL Protection to Ensure Compliance

Understand GraphQL Patterns to Improve Application Performance

Streamline Your GraphQL for a Better Developer Experience

Everybody wins

From Our Blog

Inigo Named One of the Best New DevOps Tools by the Techstrong Group

Operation Name Security in GraphQL

Defeating Controls with Array-based Query Batching

Inigo

GQL Platform

Developers

Resources