Top 10 GraphQL Security Checks for Every Developer - Ankita Gupta, Ankush Jain - Akto.io
Author: GraphQL TV
Uploaded: 2026-01-29
Top 10 GraphQL Security Checks for Every Developer - Ankita Gupta, Co-founder and CEO, & Ankush Jain, Co-Founder & CTO of @aktodotio
Why implement GraphQL security? We set the stage with examples of critical GraphQL vulnerabilities found in popular software:
- CVE-2021-41248: GraphiQL, the browser-based GraphQL IDE, rendered the schema introspection response from whatever endpoint it was pointed at, so a malicious server could put markup into the introspection results and achieve cross-site scripting (XSS) in the developer's browser.
- CVE-2023-38503: Directus, a real-time API and dashboard for managing the content of SQL databases, did not apply permission filters to GraphQL subscriptions, so users could receive event notifications for items they were not authorized to read.
- CVE-2023-34047: Spring for GraphQL could expose a batch loader function to a GraphQL context carrying security context values from a different session, potentially leading to unauthorized access or information disclosure.

Top 10 GraphQL Security Checks:
- #1 Disable Introspection in Production
- #2 Robust Authentication
- #3 Limit Query Depths
- #4 Rate Limiting
- #5 Input Validation
- #6 Secure Direct Object References
- #7 Error Handling
- #8 Query Complexity Analysis
- #9 Mass Assignment Checks
- #10 Excessive Data Exposure

How to automate GraphQL security? We talk about automating the 10 security checks in code and in CI/CD.
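The list names the checks but does not show one. As an added example that is not the talk's, Akto's or graphql-js's code, the JavaScript below gates an incoming document on check #1 (no introspection in production) and check #3 (maximum query depth) before it reaches the executor. It resolves fragment spreads before measuring depth, because a limiter that only counts nesting inside the operation is bypassed by putting the deep selection in a named fragment, and it rejects cyclic fragments, which would otherwise recurse without bound. The function names (`checkDocument`, `analyze`, `parseDocument`), the options `maxDepth` and `allowIntrospection`, and the query strings in the usage note are my own assumptions, not anything from the talk.

```javascript
// Added example, not code from the talk, Akto or graphql-js: a pre-execution gate enforcing check #1
// (no introspection in production) and check #3 (maximum query depth) on a GraphQL document. A small
// hand-written parser keeps it dependency-free; it covers only what the two checks need.
const TOKEN_RE = /\s+|,|#[^\n]*|"(?:\\.|[^"\\])*"|(\.\.\.)|([_A-Za-z]\w*)|(.)/gs;
function tokenize(src) {                    // whitespace, commas, comments and string literals are dropped
  return [...src.matchAll(TOKEN_RE)]
    .filter((m) => m[1] || m[2] || m[3])
    .map((m) => (m[1] ? { kind: "Spread" } : m[2] ? { kind: "Name", value: m[2] } : { kind: "Punct", value: m[3] }));
}
function parseDocument(src) {
  const toks = tokenize(src); let pos = 0;
  const peek = () => toks[pos], next = () => toks[pos++];
  const isPunct = (t, v) => Boolean(t) && t.kind === "Punct" && t.value === v;
  const isName = (t) => Boolean(t) && t.kind === "Name";
  function skipGroup(open, close) {                              // balanced (...): arguments, variable definitions
    for (let d = 0; ; ) {
      const t = next();
      if (!t) throw new Error("unterminated " + open);
      if (isPunct(t, open)) d++; else if (isPunct(t, close) && --d === 0) return;
    }
  }
  function skipDirectives() {                                    // @name(args) is irrelevant to both checks
    while (isPunct(peek(), "@")) { next(); next(); if (isPunct(peek(), "(")) skipGroup("(", ")"); }
  }
  function parseSelectionSet() {
    if (!isPunct(next(), "{")) throw new Error("expected {");
    const selections = [];
    for (;;) {
      const t = next();
      if (!t) throw new Error("unterminated selection set");
      if (isPunct(t, "}")) return selections;
      if (t.kind === "Spread") {                                 // ...FragmentName or inline "... on Type { }"
        if (isName(peek()) && peek().value !== "on") { selections.push({ kind: "spread", name: next().value }); skipDirectives(); continue; }
        if (isName(peek())) { next(); next(); }                  // "on" TypeName
        skipDirectives(); selections.push({ kind: "inline", selections: parseSelectionSet() }); continue;
      }
      if (!isName(t)) throw new Error("unexpected token in selection set");
      let name = t.value;
      if (isPunct(peek(), ":")) { next(); name = next().value; } // alias: fieldName
      if (isPunct(peek(), "(")) skipGroup("(", ")");             // arguments
      skipDirectives();
      const field = { kind: "field", name };
      if (isPunct(peek(), "{")) field.selections = parseSelectionSet();
      selections.push(field);
    }
  }
  const operations = [], fragments = new Map();
  while (pos < toks.length) {
    const t = next();
    if (isPunct(t, "{")) { pos--; operations.push(parseSelectionSet()); continue; }   // anonymous query
    if (isName(t) && t.value === "fragment") {
      const name = next().value; next(); next();                 // FragmentName "on" TypeName
      skipDirectives(); fragments.set(name, parseSelectionSet()); continue;
    }
    if (!isName(t) || !["query", "mutation", "subscription"].includes(t.value)) throw new Error("bad definition");
    if (isName(peek())) next(); if (isPunct(peek(), "(")) skipGroup("(", ")");   // operation name, variables
    skipDirectives();
    operations.push(parseSelectionSet());
  }
  return { operations, fragments };
}
// Depth is the longest chain of nested fields ("{ a { b } }" is 2). Spreads are resolved through `fragments`;
// `visiting` holds the spread chain so a self-referencing fragment is rejected instead of recursing forever.
function analyze(selections, fragments, visiting = new Set()) {
  let depth = 0, introspection = false;
  for (const sel of selections) {
    let sub = { depth: 0, introspection: false };
    if (sel.kind === "spread") {
      if (visiting.has(sel.name)) throw new Error("cyclic fragment spread: " + sel.name);
      if (!fragments.has(sel.name)) throw new Error("unknown fragment: " + sel.name);
      visiting.add(sel.name);
      sub = analyze(fragments.get(sel.name), fragments, visiting);
      visiting.delete(sel.name);
    } else {
      if (sel.name === "__schema" || sel.name === "__type") introspection = true;   // __typename stays allowed
      if (sel.selections) sub = analyze(sel.selections, fragments, visiting);
    }
    depth = Math.max(depth, (sel.kind === "field" ? 1 : 0) + sub.depth);   // fields nest a level; inline fragments do not
    introspection = introspection || sub.introspection;
  }
  return { depth, introspection };
}
// Gate a document before execution: { ok: true, depth } or { ok: false, reason }.
function checkDocument(src, { maxDepth = 7, allowIntrospection = false } = {}) {
  try {
    const { operations, fragments } = parseDocument(src);
    let depth = 0;
    for (const op of operations) {
      const r = analyze(op, fragments);
      if (r.introspection && !allowIntrospection) return { ok: false, reason: "introspection is disabled" };
      depth = Math.max(depth, r.depth);
    }
    return depth > maxDepth ? { ok: false, reason: `query depth ${depth} exceeds limit ${maxDepth}` } : { ok: true, depth };
  } catch (e) {                                                  // malformed document, cyclic or unknown fragment
    return { ok: false, reason: e.message };
  }
}
```

With constructed inputs, `checkDocument('{ user(id: 1) { name posts { title comments { body } } } }')` returns `{ ok: true, depth: 4 }`, `checkDocument('query Probe { __schema { types { name } } }')` is rejected with "introspection is disabled" unless `allowIntrospection: true` is passed, and `checkDocument('{ user { ...A } } fragment A on User { friends { ...A } }')` is rejected as a cyclic fragment spread. In a real service the same walk belongs on the AST from graphql-js `parse()` as a validation rule; graphql-js ships `NoSchemaIntrospectionCustomRule` for check #1, and a depth rule should, as here, measure depth after fragment resolution.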
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools. Get Started Here: https://graphql.org/