How to Make GraphQL Security Easier with StackHawk

Rate this content

With StackHawk, engineering teams can run security tests against GraphQL APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder and Chief Security Officer Scott Gerlach for a quick overview of GraphQL security testing with StackHawk.

9 min
10 Dec, 2021

AI Generated Video Summary

StackHawk is a dynamic application security testing tool that integrates with CI/CD workflows and helps developers quickly understand and fix security issues. It can be used to test running HTTP applications and API endpoints for security bugs, and provides simple descriptions and examples of security issues. The talk demonstrates testing a blog service with StackHawk, which identified critical security vulnerabilities like SQL injection and remote OS command injection. StackHawk allows developers to easily investigate and fix these issues by providing well-formatted requests and allowing for easy replay in the application.

1. Introduction to StackHawk

Short description:

StackHawk is a dynamic application security testing tool that can be used to test running HTTP applications and API endpoints for security bugs. It runs active security tests against applications to ensure safe handling of user input and output and implementation of OWASP Top 10 best practices. StackHawk integrates with CI/CD workflows and provides simple descriptions and examples of security issues to help developers quickly understand and fix them. It can be integrated into CI processes and provides feedback on scan findings. StackHawk is compatible with major CI platforms and can be run using Docker containers.

What's up GraphQL Galaxy? It's your boy, Scott Gerlach, CSO and co-founder of StackHawk. That seemed weird, I shouldn't have done that. I'm too old for that. Thanks for taking time to check out StackHawk. I hope you're having a great conference at GraphQL Galaxy learning a ton.

Today I wanted to talk to you a little bit about StackHawk. Quickly, StackHawk is a dynamic application security testing tool. You can use it to test your running HTTP applications and API endpoints for security bugs and keep them from becoming vulnerable. You can use StackHawk to run active security tests on your running REST API, GraphQL API, SOAP API, oversight application and single-page applications. StackHawk was built for automation in CI CD to be part of your robust testing strategy for your application development life cycle. It also makes finding, understanding and fixing security bugs easy.

How does StackHawk work you ask? Great question. StackHawk runs active security tests against your running applications to ensure that your application is handling user input and output in a safe manner, as well as implementing OWASP Top 10 best practices for application security. We can do this against your running applications on your local host, in CI CD workflows and against applications that have yet to be published on the Internet. We also made dynamic testing fast. By placing the scanner as close to the application as possible, and by using open standards to inform the scanner, open API spec, graph QL, introspection queries, SOAP WSDL in addition to the scanner tuning we've made, most StackHawk customer applications scan average around or under 10 minutes.

Finding and fixing security issues is simple with StackHawk. Our focus as a company is to help developers find and most importantly fix security issues. The StackHawk scanner and platform are built around the simplicity model. The scanner is configured via YAML that lives with the code for the application that you're testing. When StackHawk findings are triaged, the platform is trying to give you the simplest version of the information needed to help you quickly understand what the problem is with simple descriptions and examples of patterns to help you identify the anti-pattern, be able to recreate the issue with tools like simple curl command to replay the attack, and get you into debug mode, stepping through code as fast as possible to help you fix issues and get back to your regular job of creating value for your customers.

All of this is CICD enabled. Again, you can integrate this into your CI process and importantly, get feedback into the CI process on scan findings. This information can be used to break a build if you choose based on severity of untriaged findings. Most of the major CI player logos are shown here on this slide and even if your particular one isn't, chances are pretty good Stackhawk will work in your platform as long as it can run a Docker container. If you can run Docker, you can run Stackhawk. You can also see here Stackhawk integrates with your workflow and information tools. We can notify you of your scan results in a Slack channel, publish that information to Datadog or send you a simple webhook message that you can then use to process and do with the data what you choose.

Let's take a look at what running the Stackhawk scanner against a GraphQL application looks like. So you can see I've got my simple GraphQL application.

2. Testing with StackHawk and Analyzing Scan Output

Short description:

It's the basics of a service that would run a blog, and we're testing it today with Stackhawk. We want to test it with the Stackhawk scanner to see if it has any security vulnerabilities. We're using a simple Docker run command to kick off the scan and analyze the output. The scanner found GraphQL routes in the application and identified high criticality issues, including a SQL injection and a remote OS command injection. By investigating the remote OS command injection issue, we can understand the problem, recreate it, and fix it in our application. StackHawk provides a well-formatted GraphQL request and allows us to easily replay the scan in our app for debugging and fixing. This integration helps developers create value for their customers by ensuring application security and quality.

It's the basics of a service that would run a blog, and we're testing it today with Stackhawk. So you can see it has some posts and some post ideas, some content, and we want to be able to test that with Stackhawk scanner to see if it has any security vulnerabilities.

So we're going to do that with a simple Docker run command. You can see that I just kicked off the scan right before we started talking today, and I've got a simple Docker runs scan here that is docker run stackhawk hackscan, and I'm feeding it a Stackhawk.yml file. We're going to look at that yml file in just a second.

What you can see here is that it says we've turned on our GraphQL engine and we've got the information for what this host is. So you can see that the host is running on my local host on port 3000, and then you can also see the scanner found eleven different GraphQL routes in the application. Now this is important because it actually knows this from the GraphQL introspection endpoint. It's not guessing what's available in this GraphQL application. It's well documented in the introspection endpoint and the scanner's using that to test against it.

I just ran a scan right before this, so let's jump over to the platform and see what kind of output we have. So here you can see our scan that's already running, but the one I ran right before this is right here. So you can see I've got a couple of different issues. There's some interesting stuff in here that we can look at. What kind of tests ran against this application? What kind of findings do we have? Let's dig into one of these issues, shall we? So I've got two high issues, high criticality issues. And there are a SQL injection and a remote OS command injection.

Let's dig into that remote OS command injection really quickly. By clicking on that finding, it takes us to a simple description of what remote OS command injection is, as well as how an attacker might leverage that remote OS command injection and ways to remediate this problem. So you can see actually we have on our mutation here, our super secret private mutation. We have some kind of a problem. So over here on the request response side of the panel, you can see that during a mutation with this variable, we have now caused some kind of an output that looks like, looks like the output of Etsy passwd file to me. So we're quickly kind of getting into the context of what is this problem? How can I recreate it so I can go fix it? There's a couple of things that are really handy here. One, we've formatted all of these GraphQL requests in a GraphQL type of a fashion. So you can see that the operation and the variables make a lot of sense relative to GraphQL. The other thing that we've done is create this validate button up at the top. So if you wanted to, you could just copy and paste this curl request and replay this against the app. But the thing that I really like about GraphQL is because this is so well formatted and I've already got GraphiQL up, as we looked at before, I can kind of copy and paste our request out, paste that back into our app, and then I can copy our variables out and paste that into the app as well. So now I can replay exactly what the scanner did in my app, in GraphiQL, without too much hassle. So I can see what happened here was, the scanner tried to do a cat of slash etsy slash passwd, which on Linux boxes is where all the user information is stored, not the passwords, the users. And what came out of that was actually the content of that file. So that's bad. We want to be able to get into the application, start debugging and fixing how that actually works. This is really good at setting you up for success on how do I get back into my app, debug, fix this problem and get on with the business of creating value for my customers as a developer.

I hope you enjoyed my talk today and perhaps learn something new about how StackHawk can be integrated into your development workflow. If you like to check out StackHawk and see how you can integrate it into your development process, to keep pushing the limits on software development quality, you can always start a free trial at StackHawk is free to use on a single application. Thanks for watching and joining me with the StackHawk demo. I hope you continue to enjoy GraphQL Galaxy.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

GraphQL Galaxy 2021GraphQL Galaxy 2021
32 min
From GraphQL Zero to GraphQL Hero with RedwoodJS
We all love GraphQL, but it can be daunting to get a server up and running and keep your code organized, maintainable, and testable over the long term. No more! Come watch as I go from an empty directory to a fully fledged GraphQL API in minutes flat. Plus, see how easy it is to use and create directives to clean up your code even more. You're gonna love GraphQL even more once you make things Redwood Easy!
Vue.js London Live 2021Vue.js London Live 2021
24 min
Local State and Server Cache: Finding a Balance
How many times did you implement the same flow in your application: check, if data is already fetched from the server, if yes - render the data, if not - fetch this data and then render it? I think I've done it more than ten times myself and I've seen the question about this flow more than fifty times. Unfortunately, our go-to state management library, Vuex, doesn't provide any solution for this.For GraphQL-based application, there was an alternative to use Apollo client that provided tools for working with the cache. But what if you use REST? Luckily, now we have a Vue alternative to a react-query library that provides a nice solution for working with server cache. In this talk, I will explain the distinction between local application state and local server cache and do some live coding to show how to work with the latter.
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.
GraphQL Galaxy 2022GraphQL Galaxy 2022
29 min
Rock Solid React and GraphQL Apps for People in a Hurry
In this talk, we'll look at some of the modern options for building a full-stack React and GraphQL app with strong conventions and how this can be of enormous benefit to you and your team. We'll focus specifically on RedwoodJS, a full stack React framework that is often called 'Ruby on Rails for React'.

Workshops on related topic

GraphQL Galaxy 2021GraphQL Galaxy 2021
140 min
Build with SvelteKit and GraphQL
Featured WorkshopFree
Have you ever thought about building something that doesn't require a lot of boilerplate with a tiny bundle size? In this workshop, Scott Spence will go from hello world to covering routing and using endpoints in SvelteKit. You'll set up a backend GraphQL API then use GraphQL queries with SvelteKit to display the GraphQL API data. You'll build a fast secure project that uses SvelteKit's features, then deploy it as a fully static site. This course is for the Svelte curious who haven't had extensive experience with SvelteKit and want a deeper understanding of how to use it in practical applications.

Table of contents:
- Kick-off and Svelte introduction
- Initialise frontend project
- Tour of the SvelteKit skeleton project
- Configure backend project
- Query Data with GraphQL
- Fetching data to the frontend with GraphQL
- Styling
- Svelte directives
- Routing in SvelteKit
- Endpoints in SvelteKit
- Deploying to Netlify
- Navigation
- Mutations in GraphCMS
- Sending GraphQL Mutations via SvelteKit
- Q&A
React Advanced Conference 2022React Advanced Conference 2022
95 min
End-To-End Type Safety with React, GraphQL & Prisma
Featured WorkshopFree
In this workshop, you will get a first-hand look at what end-to-end type safety is and why it is important. To accomplish this, you’ll be building a GraphQL API using modern, relevant tools which will be consumed by a React client.
Prerequisites: - Node.js installed on your machine (12.2.X / 14.X)- It is recommended (but not required) to use VS Code for the practical tasks- An IDE installed (VSCode recommended)- (Good to have)*A basic understanding of Node.js, React, and TypeScript
GraphQL Galaxy 2022GraphQL Galaxy 2022
112 min
GraphQL for React Developers
Featured Workshop
There are many advantages to using GraphQL as a datasource for frontend development, compared to REST APIs. We developers in example need to write a lot of imperative code to retrieve data to display in our applications and handle state. With GraphQL you cannot only decrease the amount of code needed around data fetching and state-management you'll also get increased flexibility, better performance and most of all an improved developer experience. In this workshop you'll learn how GraphQL can improve your work as a frontend developer and how to handle GraphQL in your frontend React application.
React Summit 2022React Summit 2022
173 min
Build a Headless WordPress App with Next.js and WPGraphQL
In this workshop, you’ll learn how to build a Next.js app that uses Apollo Client to fetch data from a headless WordPress backend and use it to render the pages of your app. You’ll learn when you should consider a headless WordPress architecture, how to turn a WordPress backend into a GraphQL server, how to compose queries using the GraphiQL IDE, how to colocate GraphQL fragments with your components, and more.
GraphQL Galaxy 2020GraphQL Galaxy 2020
106 min
Relational Database Modeling for GraphQL
In this workshop we'll dig deeper into data modeling. We'll start with a discussion about various database types and how they map to GraphQL. Once that groundwork is laid out, the focus will shift to specific types of databases and how to build data models that work best for GraphQL within various scenarios.
Table of contentsPart 1 - Hour 1      a. Relational Database Data Modeling      b. Comparing Relational and NoSQL Databases      c. GraphQL with the Database in mindPart 2 - Hour 2      a. Designing Relational Data Models      b. Relationship, Building MultijoinsTables      c. GraphQL & Relational Data Modeling Query Complexities
Prerequisites      a. Data modeling tool. The trainer will be using dbdiagram      b. Postgres, albeit no need to install this locally, as I'll be using a Postgres Dicker image, from Docker Hub for all examples      c. Hasura
GraphQL Galaxy 2021GraphQL Galaxy 2021
48 min
Building GraphQL APIs on top of Ethereum with The Graph
The Graph is an indexing protocol for querying networks like Ethereum, IPFS, and other blockchains. Anyone can build and publish open APIs, called subgraphs, making data easily accessible.

In this workshop you’ll learn how to build a subgraph that indexes NFT blockchain data from the Foundation smart contract. We’ll deploy the API, and learn how to perform queries to retrieve data using various types of data access patterns, implementing filters and sorting.

By the end of the workshop, you should understand how to build and deploy performant APIs to The Graph to index data from any smart contract deployed to Ethereum.