Modern GraphQL API Security Testing


With StackHawk, engineering teams can run security tests against GraphQL APIs to find and fix vulnerabilities before they hit production. With automated testing on every PR, you can be confident that your app is secure. Join StackHawk co-founder and Chief Security Officer Scott Gerlach for a quick overview of GraphQL security testing with StackHawk.

8 min
08 Dec, 2022



Video Summary and Transcription

DAST helps prioritize which application security issues to fix first by identifying the vulnerabilities that are discoverable and exploitable in the running application. StackHawk runs active security tests against APIs to check that user input and output are handled safely and tests for the OWASP API Security Top 10 issues. The tool can be run locally and in CI/CD pipelines.


1. Introduction to DAST and its Benefits

Short description:

At StackHawk, we do application security testing, specifically dynamic application security testing (DAST). DAST helps prioritize which application security issues to fix by identifying the vulnerabilities that are discoverable and exploitable in the running application. The talk covers the problems legacy DAST scanners have with JavaScript frontends, which often leave the API layer untested. By driving the API directly using GraphQL introspection, you get faster and more accurate scans and better coverage of the data layer.

What's up, GraphQL Galaxy? I'm Scott Gerlach, CSO and co-founder at StackHawk. Thanks for taking time to check out StackHawk, and I hope you're learning a ton of new things at GraphQL Galaxy 2022. Hopefully, I can teach you one more.

At StackHawk, we do application security testing. Specifically, dynamic application security testing, or DAST. Let's talk about the benefits of DAST. DAST can help you prioritize your time on which application security issues to fix, because it helps identify what's discoverable and likely exploitable, because it's testing the running GraphQL API. This is the superpower of DAST: where should I focus my time fixing API security issues?

You might be thinking to yourself, "But frameworks have basically prevented any of the common AppSec problems from happening," and yes, many frameworks have done a good job of preventing issues like SQL injection and cross-site scripting. Almost all of them have an unsafe version of all of those protection mechanisms to help you do complicated things and, unfortunately, make mistakes, not to mention things like tenancy filtering and function authorization can be hard to get right. Some people don't know about DAST, and those that do may have run into problems with DAST. Let's look at an example.

So here we are back in the good old days of legacy DAST, when we built server-side applications that ran the data and presentation layers. Everything was fine and dandy. The legacy DAST scanner could scan and test the legacy application without many problems. You get good results and identify some serious AppSec bugs, and then something changed.

Then we started building JavaScript frontends. And the JavaScript frontend really trolled that legacy DAST scanner. When I say trolled the legacy DAST scanner, I mean really trolled it. Like, when does the page scroll end? It never does. Where are all the forms? Well, it hasn't rendered yet, because your mouse isn't in this exact pixel. Legacy DAST was running along its happy way, totally assuming it was getting all the info it needed to test these new applications. Faults were terrible, scans took forever, false positives for days, etc.

And the worst part is, it never realized that there was someone else in that backseat as well. Our backing APIs are in there, controlling all the data, talking to datastore backends, helping to render elements on the page, and the legacy DAST scanner thinks the frontend is passing all these requests to the backend. Do we end up even testing the API here? Are we covering all of it? Are we even making simple requests to the API at all? Well, because of JavaScript frontends, it sort of depends. It depends on the browser and the browser emulator that your legacy DAST tool is using and how well it's driving that browser. You can think of this like Selenium scripts, but instead of a specific set of functions, you're executing it to find all the possible user input paths by itself and hoping it's going to do a really good job. Even Google doesn't do this well.

So how can we get back to better application security, API security testing? Better results, faster, more accurate scans, better coverage, especially around this data layer where all the assets that we're protecting are being stored.
By driving this API directly using industry standards like GraphQL introspection, you can have direct access to the API, understand what it does and the data it's controlling to get fast, thorough, accurate API security testing results. Not to mention, now you can test microservices as you're building them and find these application API security bugs before they ever get shipped to production.

2. Benefits of StackHawk for Dynamic AppSec Testing

Short description:

There's still good stuff to find by testing their front end, cookie settings, DOM XSS, lots of different headers. What are some of the keys to look for in a dynamic AppSec testing tool that will help you test APIs directly? This is where StackHawk comes in. StackHawk runs active security tests against your running API to ensure your application is handling user input and output in a safe manner, as well as implementing OWASP top 10 API best practices for API security. We do this against your running application on your local host in CI-CD and against applications that have yet to be published on the Internet.

There's still good stuff to find by testing their front end, cookie settings, DOM XSS, lots of different headers. But starting where the data is held is a better idea.

What are some of the keys to look for in a dynamic AppSec testing tool that will help you test APIs directly? This is where StackHawk comes in. StackHawk runs active security tests against your running API to ensure your application is handling user input and output in a safe manner, as well as implementing OWASP top 10 API best practices for API security.

We do this against your running application on your localhost, in CI/CD, and against applications that have yet to be published on the Internet. We also made dynamic testing fast by placing the scanner as close to the application as possible and using open standards to inform the scanner, like GraphQL introspection queries. Not only do we make run-anywhere testing possible, we've also enabled real data in testing, so providing real data to drive the API, whether that's made up with faker libraries or provided directly through the configuration. Using real data is important to be able to accurately test GraphQL APIs.
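The two ideas the talk leans on, driving the API directly from its introspection result and feeding every argument realistic data, fit in a short script. The following is an added example written for this page; it is not StackHawk's code, and its sample introspection response, operation names ending in `_probe`, and the `SCALAR_SAMPLES` values are all constructed assumptions. It turns an introspection result into one executable operation per root field, with sample variables for every argument (including nested input objects and enums), which is the minimum a scanner needs to reach every resolver without a browser in the loop. It also shows the check you run first: whether the endpoint answered the introspection query with a schema at all.

```python
"""Build probe operations for every root field of a GraphQL API from its
introspection result (added example, not StackHawk's own code).

A real scanner would POST INTROSPECTION_QUERY to the endpoint and pass the
JSON it gets back to build_operations(); the SAMPLE_INTROSPECTION below is
constructed inline so this runs offline.
"""
import json

INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name } mutationType { name }
    types {
      kind name
      fields { name type { ...TypeRef } args { name type { ...TypeRef } } }
      inputFields { name type { ...TypeRef } }
      enumValues { name }
    }
  }
}
fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name } } }
"""

# Stand-in for a faker library: one plausible value per built-in scalar.
SCALAR_SAMPLES = {"Int": 1, "Float": 1.5, "String": "probe", "Boolean": True, "ID": "1"}


def type_to_sdl(ref):
    """Render an introspection type reference back to SDL, e.g. [ID!]!."""
    if ref["kind"] == "NON_NULL":
        return type_to_sdl(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_to_sdl(ref["ofType"]) + "]"
    return ref["name"]


def named_type(ref):
    """Strip NON_NULL/LIST wrappers; return (type name, wrapped_in_list)."""
    is_list = False
    while ref["kind"] in ("NON_NULL", "LIST"):
        is_list = is_list or ref["kind"] == "LIST"
        ref = ref["ofType"]
    return ref["name"], is_list


def sample_value(ref, types):
    """Produce a value of the right shape for an argument or input field."""
    name, is_list = named_type(ref)
    t = types[name]
    if t["kind"] == "SCALAR":
        value = SCALAR_SAMPLES.get(name, "probe")  # custom scalars fall back to a string
    elif t["kind"] == "ENUM":
        value = t["enumValues"][0]["name"]
    elif t["kind"] == "INPUT_OBJECT":
        value = {f["name"]: sample_value(f["type"], types) for f in t["inputFields"]}
    else:
        raise ValueError(f"{name} is not a valid input type")
    return [value] if is_list else value


def selection_set(ref, types):
    """Select every leaf (scalar/enum) field of an object return type."""
    name, _ = named_type(ref)
    t = types[name]
    if t["kind"] not in ("OBJECT", "INTERFACE"):
        return ""  # the root field itself returns a leaf type
    leaves = [f["name"] for f in t["fields"]
              if types[named_type(f["type"])[0]]["kind"] in ("SCALAR", "ENUM")]
    return " { " + " ".join(leaves) + " }"


def build_operations(introspection):
    """One operation document plus variables per Query/Mutation root field."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = []
    for op_kind, root in (("query", schema["queryType"]), ("mutation", schema["mutationType"])):
        if root is None:
            continue
        for field in types[root["name"]]["fields"]:
            args = field["args"]
            var_defs = ", ".join(f"${a['name']}: {type_to_sdl(a['type'])}" for a in args)
            call_args = ", ".join(f"{a['name']}: ${a['name']}" for a in args)
            doc = (f"{op_kind} {field['name']}_probe" + (f"({var_defs})" if args else "")
                   + " { " + field["name"] + (f"({call_args})" if args else "")
                   + selection_set(field["type"], types) + " }")
            ops.append({"operation": doc,
                        "variables": {a["name"]: sample_value(a["type"], types) for a in args}})
    return ops


def introspection_enabled(response_json):
    """True if the endpoint returned a schema rather than an error/empty data."""
    return "__schema" in (response_json.get("data") or {})


def ref(name, kind="SCALAR"):
    return {"kind": kind, "name": name, "ofType": None}


def non_null(inner):
    return {"kind": "NON_NULL", "name": None, "ofType": inner}


def list_of(inner):
    return {"kind": "LIST", "name": None, "ofType": inner}


# Constructed introspection response for a small user-management schema.
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "type": ref("User", "OBJECT"),
             "args": [{"name": "id", "type": non_null(ref("ID"))}]},
            {"name": "users", "type": list_of(ref("User", "OBJECT")),
             "args": [{"name": "first", "type": ref("Int")}, {"name": "role", "type": ref("Role", "ENUM")}]}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateUser", "type": ref("User", "OBJECT"),
             "args": [{"name": "id", "type": non_null(ref("ID"))},
                      {"name": "input", "type": non_null(ref("UserInput", "INPUT_OBJECT"))}]}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": non_null(ref("ID"))},
            {"name": "email", "args": [], "type": ref("String")},
            {"name": "role", "args": [], "type": ref("Role", "ENUM")}]},
        {"kind": "INPUT_OBJECT", "name": "UserInput", "inputFields": [
            {"name": "email", "type": non_null(ref("String"))},
            {"name": "admin", "type": ref("Boolean")}]},
        {"kind": "ENUM", "name": "Role", "enumValues": [{"name": "USER"}, {"name": "ADMIN"}]},
        {"kind": "SCALAR", "name": "ID"}, {"kind": "SCALAR", "name": "String"},
        {"kind": "SCALAR", "name": "Int"}, {"kind": "SCALAR", "name": "Boolean"},
    ]}}}

if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(SAMPLE_INTROSPECTION))
    for op in build_operations(SAMPLE_INTROSPECTION):
        print(op["operation"])
        print("  variables:", json.dumps(op["variables"]))
```

Two practical notes. Introspection is commonly switched off on production endpoints, which is one more reason the talk scans localhost and CI builds, where it can be left on; if `introspection_enabled` returns false you fall back to a supplied schema file or a captured set of operations. And the generated `updateUser_probe` is exactly the kind of request where tenancy and function-level authorization bugs show up: the scanner should send it under more than one identity (for example, a regular user's token against an `admin: true` input) and compare the responses, because a 200 with a modified record is the finding, not a stack trace.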
