[New Test] Protect Your GraphQL APIs through Mass Assignment Testing
Akto has developed a test template to secure these APIs against Mass Assignment vulnerabilities. See how to test for this using Akto’s Test Editor.
Raaga Srinivas
8 mins
In the modern web development landscape, GraphQL has emerged as a powerful and flexible alternative to traditional REST APIs. While GraphQL offers numerous advantages, such as efficient data fetching and schema-based querying, it also introduces new security considerations. One crucial aspect that developers must address is mass assignment vulnerability, which can potentially allow attackers to modify or overwrite sensitive data unintentionally.
Mass Assignment vulnerability in GraphQL
Mass assignment vulnerability occurs when an application fails to properly validate and sanitize user input, allowing attackers to manipulate fields or properties that should be read-only or controlled by the server.
In the context of GraphQL, this vulnerability can arise when resolvers (the functions that handle GraphQL operations) don't adequately validate the input data before performing data modifications. For example, consider a GraphQL mutation that allows users to update their profile information:
If the updateUser
resolver doesn't validate the input
argument, an attacker could potentially modify the role
field and escalate their privileges within the application, leading to unauthorized access or data breaches.
To ensure the security of your GraphQL APIs and protect against mass assignment vulnerabilities, Akto has developed a new test - Mass Assignment Test for GraphQL APIs
Mass Assignment Testing in GraphQL APIs using Akto
Step 1: Go to the Akto’s Test Editor
Sign in to Akto, navigate to ‘Test Editor’, and access the test titled ‘Mass Assignment Test for GraphQL APIs’.
You will see these 3 operations:
location: terminal_keys: This feature is used to create a wordlist of all terminal fields/keys that are childless nodes from a GraphQL API response.
valueType: object: This feature is used to generate a wordlist of all keys of the type object from a GraphQL API response.
add_unique_graphql_field: This operation is used to append unique GraphQL fields (terminal keys) that do not exist in the original GraphQL API request.
Step 2: Run the Test on your GraphQL API
Hit Run Test!
Here is an example of the results from a sample GraphQL API request and response.
This is the original GraphQL request without any extra terminal keys from the response payload.
This is the original GraphQL API response containing multiple JSON keys and objects. Akto's test editor will use these keys to test for Mass Assignment vulnerabilities.
If Akto detects additional keys or fields in the response payload compared to the original request payload, we include them in the request payload and re-play the request. If this results in a 2xx response status code, it indicates a mass assignment vulnerability.
In this example, email
is an additional key that was detected by Akto in the response payload. So, Akto adds this key as a field in the request payload and re-plays it.
Now that we have received the 2xx response, Akto confirms that there is a mass assignment vulnerability.
You have now detected a Mass Assignment vulnerability with Akto! You’re now set to remediate this issue. You can also assign the task to the appropriate team member through our Jira Integration.
Final Thoughts
With the gaining popularity of GraphQL, it’s important to address security considerations such as the mass assignment vulnerability.
As developers, it's crucial to understand these potential vulnerabilities and take the necessary steps to protect your APIs. By leveraging Akto's Mass Assignment Test for GraphQL APIs, you can proactively detect and mitigate these vulnerabilities, thereby ensuring the security and integrity of your applications. Here are some resources to learn more about Mass Assignment and testing GraphQL APIs with Akto:
Keep reading
API Security
3 minutes
What is API Discovery?
API Discovery helps identify, map, and manage APIs within an organization, ensuring security, performance, and seamless integration across systems.
API Security
5 minutes
Top 10 DAST Tools in 2024
DAST tools secure web apps by identifying vulnerabilities through automated security testing.
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
Experience enterprise-grade API Security solution