How secure is your GraphQL server?

Shahar Binyamin

As with any new technology, security awareness often lags behind adoption. For this reason, GraphQL attack surfaces are bound to unfold for many of its users. These attacks range from Parser Attacks and Resolver Attacks to Data Manipulation and even Data Leaks.

GraphQL attack surfaces are quite unique. An attacker can target one or more of them with a single API call that passes easily through any standard API gateway. Here we’ll discuss the implications of an unsecured GraphQL server and who could be at risk, so keep reading to learn more.

GraphQL Security Awareness

To get a better understanding of GraphQL security awareness amongst users, we decided to conduct a short survey. Our Reddit GraphQL survey, titled "How Do You Think About GraphQL Security?", had an interesting but not surprising spread of replies.

(Image: GraphQL Security Awareness Survey)

During one-on-one interviews, participants who were already aware of GraphQL’s attack surfaces reported that this knowledge came from a negative experience: their own servers had been compromised.

Who is Impacted

Most of us.

While GraphQL server implementations are available in any programming language you could ask for, they are not all built the same, nor do they all have the same size of supporting community or the same level of security awareness. Just this week, a circular-fragment attack was demonstrated to crash Aago’s Ruby-Server implementation on GitHub and was reported as a CVE.
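The circular-fragment case above is caught by the GraphQL spec’s validation rule that fragment spreads must not form cycles. As an added example that is not part of this post or of any server implementation it mentions, the following check builds the fragment-spread graph of a request and reports a cycle before the document reaches the executor. It uses a small regex-based extractor rather than a full GraphQL parser, so it illustrates the validation step; a production server should keep its library’s own cycle rule enabled. The two sample documents are constructed for the example.

```javascript
// Build a map: fragment name -> set of fragments it spreads (regex-based
// extraction; assumes well-formed documents, not a full GraphQL parser).
function fragmentGraph(document) {
  const graph = new Map();
  const defRe = /fragment\s+(\w+)\s+on\s+\w+\s*\{/g;
  const defs = [];
  let m;
  while ((m = defRe.exec(document)) !== null) {
    defs.push({ name: m[1], defAt: m.index, bodyAt: m.index + m[0].length });
  }
  for (let i = 0; i < defs.length; i++) {
    const end = i + 1 < defs.length ? defs[i + 1].defAt : document.length;
    const body = document.slice(defs[i].bodyAt, end);
    const spreads = new Set();
    const spreadRe = /\.\.\.\s*(\w+)/g;
    let s;
    while ((s = spreadRe.exec(body)) !== null) {
      if (s[1] !== 'on') spreads.add(s[1]); // "... on Type" is an inline fragment
    }
    graph.set(defs[i].name, spreads);
  }
  return graph;
}

// Depth-first search over the spread graph. Returns the cycle as a list of
// fragment names (first name repeated at the end), or null if acyclic.
function findFragmentCycle(document) {
  const graph = fragmentGraph(document);
  const state = new Map(); // 'visiting' while on the stack, 'done' afterwards
  const path = [];
  function visit(name) {
    if (state.get(name) === 'done') return null;
    if (state.get(name) === 'visiting') return [...path.slice(path.indexOf(name)), name];
    state.set(name, 'visiting');
    path.push(name);
    for (const next of graph.get(name) || []) { // unknown fragment: no edges
      const cycle = visit(next);
      if (cycle) return cycle;
    }
    path.pop();
    state.set(name, 'done');
    return null;
  }
  for (const name of graph.keys()) {
    const cycle = visit(name);
    if (cycle) return cycle;
  }
  return null;
}

// Constructed sample requests: one legitimate, one with A -> B -> A.
const SAFE_DOC = `query { user(id: "1") { ...UserFields } }
fragment UserFields on User { id name ...AuditFields }
fragment AuditFields on User { createdAt ... on User { updatedAt } }`;
const CYCLIC_DOC = `query { user(id: "1") { ...A } }
fragment A on User { id ...B }
fragment B on User { name ...A }`;
```

A server would reject any document for which `findFragmentCycle` returns a non-null path, and log the fragment names so the rejected shape can be tracked in detection rules.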

Nick Aleks and Dolev Farhi did a fantastic job detecting and documenting vulnerabilities across multiple GraphQL server implementations:

(Image: GraphQL server implementations)

(Source: GitHub)

Large, well-resourced engineering teams usually end up developing in-house tooling and building blocks to customize and tighten their GraphQL deployments. This approach is not always easy to maintain and is often prone to errors. HackerOne is another excellent source that further explains how GraphQL attacks have impacted different companies.

So, how secure is your GraphQL server? Unfortunately, it’s not so much a question of if a GraphQL attack will happen to you, but when.

What’s Next

Ready to defend against GraphQL server attacks? Inigo can help! Schedule a demo now.

Inigo offers a platform-agnostic approach to remove barriers and open possibilities for any open-source or commercial GraphQL server.

Be sure to subscribe to our newsletter to get notified of our next posts, where we dive deeper into GraphQL-specific attacks.
