GraphQL is designed to avoid the problem of over-fetching in RESTful API, that is a request’s response can contain way more data than the client really needs, making the response heavier than necessary, thus causing a waste on the network.
However, if customer’s GraphQL API design didn’t take into account OWASP API Top 10 considerations:
This old problem of over-fetching can re-appear and be leveraged by malicious hackers to cause excessive, abusive attack traffics.
Here is an example from an eCommerce customer:
du response*.json
680496 response_big.json
333649 response_small.json
The big JSON is generated by modifying the rows parameter in the request, boosting it up from its former small value of 8 to now 800:
"params": "st=product&item=2&unique_id=346301e1d664d5021ab8f52d10f2552c&image_size=200&src=search&user_warehouseId=12210375&start=0&with_template=true&warehouses=12210375%232h%2C0%2315m&srp_component_id=02.01.00.00&source=search&ep=product&rows=800&q=shawl&ob=23&related=true&user_id=234481605&page=1&device=android&user_cityId=176"
You may wonder, why isn’t the response_big.json 100 times bigger than response_small.json. Well, the above product search for “shawl” might have already exhausted all product entries, thus response_big.json might not grow further even if you further increase the value of rows.
The same API can also be abused in another fashion, by keep repeating the same product search query multiple times in the POST body of GraphQL API.
Below is one fragments of the GraphQL search for “Raspberry Pi” products in a vulnerable eCommerce store:
{
"query": "query SearchProduct($params: String!) { ace_search_product_v4(params: $params) { header { totalData totalDataText responseCode errorMessage additionalParams keywordProcess componentId meta { productListType isPostProcessing showButtonAtc } } data { isQuerySafe autocompleteApplink backendFilters backendFiltersToggle keywordIntention redirection { redirectApplink } ticker { text query typeId componentId trackingOption } banner { position text applink imageUrl componentId trackingOption } related { relatedKeyword position trackingOption otherRelated { keyword url applink componentId product { id name price imageUrl url applink priceStr wishlist ratingAverage componentId labelGroups { title position type url } shop { city } badges { imageUrl show } freeOngkir { isActive imgUrl } ads { id productClickUrl productWishlistUrl productViewUrl } } } } suggestion { suggestion query text componentId trackingOption } products { id name ads { id productClickUrl productWishlistUrl productViewUrl tag } shop { id name city url isOfficial isPowerBadge } freeOngkir { isActive imgUrl } imageUrl imageUrl300 imageUrl700 price priceInt priceRange categoryId categoryName categoryBreadcrumb ratingAverage priceInt originalPrice discountPercentage warehouseIdDefault boosterList source_engine minOrder url labelGroups { title position type url } labelGroupVariant { title type type_variant hex_color } badges { title imageUrl show } wishlist applink customVideoURL parentId isPortrait } violation { headerText descriptionText imageURL ctaURL buttonText buttonType } } } }",
"variables": {
"params": "st=product&item=2&unique_id=346301e1d664d5021ab8f52d10f2552c&image_size=200&src=search&user_warehouseId=12210375&start=0&with_template=true&warehouses=12210375%232h%2C0%2315m&srp_component_id=02.01.00.00&source=search&ep=product&rows=8&image_square=true&show_adult=false&q=raspberry+pi&ob=23&related=true&user_id=234481605&page=1&device=android"
},
},
Imagine the attacker would duplicate the same query 100 times inside the POST body of the request, and the resulting response will become 100 times bigger! Even if a single query might have exhausted all product entries concerning “raspberry pi”, 100 duplicated queries can still guarantee the response is 100-fold bigger than that of a single query. Such vulnerability, if known to malicious hackers, would be granting a useful weapon in the attacker’s arsenal.
It is imperative to ensure you are always in the know concerning what sort of traffic are hitting your API endpoints, and whether your API endpoints are being abused by tricks similar to what described above. Akamai’s API Security is an ideal radar screen and pre-warning system for ensuring your organization always have the upper hand in your API’s cyber defense.