When your organization is developing an API or application, you may not initially consider security. Historically, DevOps has done its job, and then security measures are implemented once development is complete. However, as attacks become more sophisticated and new types of APIs are built, it’s important to prioritize API security both during and after development.
GraphQL APIs have been around since 2015, and as their use increases, so do successful attacks. If you are considering building an API with GraphQL, be sure to account for the typical vulnerabilities as well as those unique to this type of API.
What Makes GraphQL APIs Different?
Depending on what you’re trying to accomplish, there are several different API types that might be right for the job. GraphQL APIs are typically used to increase data fetching precision within a response. Although developers must take care to implement it properly (which can sometimes be a bear), once the GraphQL API is set up, it allows developers to easily define their own queries and specify the data that they want to receive.
Before GraphQL, many developers relied on REST APIs, which are highly effective for communicating between a server and a web application. However, the disadvantage of these APIs was the enormous amount of data that could be transferred based on a single request. More data results in longer latencies, so GraphQL APIs were created to mitigate this issue.
Additionally, REST APIs do not always fetch enough information, depending on the query, so GraphQL APIs are built with correcting this in mind as well. As a more customizable format, the GraphQL API allows highly customizable requests and returns more succinct, relevant responses. While this could be done with REST APIs, GraphQL APIs offer a standardized format that ultimately makes things easier downstream.
The detail built into this type of API structure allows it to send unusually accurate and descriptive error messages, which can help both developers and users find the correct support and solutions. While not all would agree, many developers are inclined to replace REST completely with GraphQL because of the standardization and the increased precision.
Security Challenges of GraphQL
GraphQL APIs generally have the same security risks as any other API; however, there is one type of attack that is unique to GraphQL. This is called a batching attack. Because GraphQL APIs allow multiple queries or requests to be sent as part of a batch, a request that would normally be flagged as abnormally large would be acceptable within normal GraphQL parameters.
The allowance for large batches makes it more difficult to detect brute force-style activity. So, batching attacks are more likely to slip through security protocols, which sometimes makes it easier for attackers to access sensitive data without permission.
An additional risk is the potential for Denial of Service attacks by consuming too many resources with queries. Even a legitimate user or developer could cause an outage. By running batch queries, the user places an unusually large load upon the server, which could limit the access of other users. Although one of the goals of GraphQL APIs is to reduce the information load that occasionally creates problems in REST APIs, too much query batching can bring app communication speeds back to square one.
GraphQL Security Best Practices
To reduce your risk of both typical API attacks and those unique to GraphQL, follow these best practices:
- Strong authentication and authorization. Because it can be more difficult to distinguish between a legitimate large batch query and an illicit brute force attack, it’s imperative for GraphQL APIs to have strong authentication protocols in place.
- The API needs to be able to stop unauthorized users from contacting stored data, which means tools like multi-factor authentication and access controls are essential.
- Strong passwords are a non-negotiable component of a good security strategy. They should be long, complex, and periodically updated.
- Rate limiting. Batching attacks, like any other type of brute force attack, rely on the ability to make the same request repeatedly. If your API limits the number of times a request can be made and processed within a certain timeframe, you vastly decrease your risk of attacks like batching and credential stuffing.
- Input validation. Injection attacks occur when an attacker is able to use forms, input fields, or other interactive components of your app or API to add code that is interpreted as a command. Given that the GraphQL API is set up to retrieve specific and detailed information, an injection attack on this type of API could result in a major data security incident.
- WAF/WAAP. Implementing security tools to keep attackers away from your API entirely should be part of your strategy.
- Web Application and API Protection (WAAP) tools can help by monitoring your security environment, flagging and blocking unusual activity, enforcing access controls, and other important functions.
- An effective WAAP may also provide data discovery and classification, ensuring that you know where all your data is stored and how it is accessed and used.
- When you choose a WAAP solution, look for one that works in multiple environments, including legacy hardware, cloud infrastructure, and any other endpoint.
Although keeping APIs secure can be challenging, it must be a priority given the amount of users, data, and applications that APIs contact. A compromised API can lead to serious consequences to your customers’ and your own data security. However, by following API security best practices and accounting for the unique vulnerabilities of GraphQL APIs, you can mitigate vulnerabilities and reduce your risk of a completed attack.