New feature: Automated API Discovery from Source Code. Get Access

New feature: Automated API Discovery from Source Code. Get Access

New feature: Automated API Discovery from Source Code. Get Access

[New Test] Protect Your GraphQL APIs through Mass Assignment Testing

Akto has developed a test template to secure these APIs against Mass Assignment vulnerabilities. See how to test for this using Akto’s Test Editor.

Raaga Srinivas

Raaga Srinivas

8 mins

[New Test] Protect Your GraphQL APIs through Mass Assignment Testing
[New Test] Protect Your GraphQL APIs through Mass Assignment Testing
[New Test] Protect Your GraphQL APIs through Mass Assignment Testing

In the modern web development landscape, GraphQL has emerged as a powerful and flexible alternative to traditional REST APIs. While GraphQL offers numerous advantages, such as efficient data fetching and schema-based querying, it also introduces new security considerations. One crucial aspect that developers must address is mass assignment vulnerability, which can potentially allow attackers to modify or overwrite sensitive data unintentionally.

Mass Assignment vulnerability in GraphQL

Mass assignment vulnerability occurs when an application fails to properly validate and sanitize user input, allowing attackers to manipulate fields or properties that should be read-only or controlled by the server.

In the context of GraphQL, this vulnerability can arise when resolvers (the functions that handle GraphQL operations) don't adequately validate the input data before performing data modifications. For example, consider a GraphQL mutation that allows users to update their profile information:

mutation UpdateUserProfile($input: UpdateUserInput!) {
  updateUser(input: $input) {
    id
    name
    email
    role
  }
}

If the updateUser resolver doesn't validate the input argument, an attacker could potentially modify the role field and escalate their privileges within the application, leading to unauthorized access or data breaches.

To ensure the security of your GraphQL APIs and protect against mass assignment vulnerabilities, Akto has developed a new test - Mass Assignment Test for GraphQL APIs

Monthly product updates in your inbox. No spam.

Monthly product updates in your inbox. No spam.

Monthly product updates in your inbox. No spam.

Mass Assignment Testing in GraphQL APIs using Akto

Step 1: Go to the Akto’s Test Editor

Sign in to Akto, navigate to ‘Test Editor’, and access the test titled ‘Mass Assignment Test for GraphQL APIs’.

You will see these 3 operations:

location: terminal_keys: This feature is used to create a wordlist of all terminal fields/keys that are childless nodes from a GraphQL API response.

valueType: object: This feature is used to generate a wordlist of all keys of the type object from a GraphQL API response.

add_unique_graphql_field: This operation is used to append unique GraphQL fields (terminal keys) that do not exist in the original GraphQL API request.

3 operations in Mass Assignment Test


Step 2: Run the Test on your GraphQL API

Hit Run Test!

Here is an example of the results from a sample GraphQL API request and response.

This is the original GraphQL request without any extra terminal keys from the response payload.

This is the original GraphQL request without any extra terminal keys from the response payload.

This is the original GraphQL API response containing multiple JSON keys and objects. Akto's test editor will use these keys to test for Mass Assignment vulnerabilities.

This is the original GraphQL API response containing multiple JSON keys and objects. Akto's test editor will use these keys to test for Mass Assignment vulnerabilities.

If Akto detects additional keys or fields in the response payload compared to the original request payload, we include them in the request payload and re-play the request. If this results in a 2xx response status code, it indicates a mass assignment vulnerability.

In this example, email is an additional key that was detected by Akto in the response payload. So, Akto adds this key as a field in the request payload and re-plays it.

In this example, email is an additional key that was detected by Akto in the response payload.

Now that we have received the 2xx response, Akto confirms that there is a mass assignment vulnerability.

You have now detected a Mass Assignment vulnerability with Akto! You’re now set to remediate this issue. You can also assign the task to the appropriate team member through our Jira Integration.

Final Thoughts

With the gaining popularity of GraphQL, it’s important to address security considerations such as the mass assignment vulnerability.

As developers, it's crucial to understand these potential vulnerabilities and take the necessary steps to protect your APIs. By leveraging Akto's Mass Assignment Test for GraphQL APIs, you can proactively detect and mitigate these vulnerabilities, thereby ensuring the security and integrity of your applications. Here are some resources to learn more about Mass Assignment and testing GraphQL APIs with Akto:

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Want to ask something?

Our community offers a network of support and resources. You can ask any question there and will get a reply in 24 hours.

Follow us for more updates

Experience enterprise-grade API Security solution