Skip to main content

Technical information leak - API

Need

Protection of sensitive technical information in the API

Context

  • Usage of C# for building robust and scalable applications
  • Usage of Microsoft.Extensions.DependencyInjection for dependency injection in .NET applications
  • Usage of HotChocolate.AspNetCore for building GraphQL APIs in ASP.NET Core
  • Usage of HotChocolate.AspNetCore.SystemTextJson for integrating HotChocolate GraphQL with System.Text.Json in ASP.NET Core
  • Usage of HotChocolate.Execution for executing GraphQL queries and mutations in a .NET application
  • Usage of HotChocolate.Types for defining GraphQL types in Hot Chocolate framework

Description

Non compliant code

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddGraphQL(options =>
        {
            options.EnableMetrics = true;
        }).AddSystemTextJson();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseGraphQL<ISchema>();
    }
}

The above code represents a configuration of a GraphQL API in an ASP.NET Core application.

The ConfigureServices method is used to add GraphQL services to the application's service collection. The options.EnableMetrics = true; line is the main source of the vulnerability. When this option is enabled, it allows any client to request detailed metrics about the executed queries. This includes exposing the entire GraphQL API Schema Structure (both queries and mutations), which can be a potential information leak vulnerability.

The Configure method is responsible for setting up the application's request pipeline. The app.UseGraphQL<ISchema>(); line is where GraphQL middleware is added to the pipeline.

By using the middleware without any restrictions or proper authorization checks, we are exposing our GraphQL API to the outside world. This means that any client can send introspection queries to our API and get detailed information about our schema. This can be a serious security risk, as it allows potential attackers to gather valuable technical information about our API.

To mitigate this vulnerability, it's recommended to disable metrics and introspection in production environment and add proper authorization checks before allowing clients to access the GraphQL API.

Steps

  • Disable the GraphQL introspection feature
  • Implement authentication and authorization for accessing the GraphQL API
  • Apply rate limiting to prevent excessive API requests
  • Implement input validation and sanitization to prevent injection attacks
  • Regularly update and patch the GraphQL library to fix any security vulnerabilities

Compliant code

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddGraphQL(options =>
        {
            options.EnableMetrics = false;
            options.ExposeExceptions = false;
        }).AddSystemTextJson();

        services.AddAuthentication()
            .AddJwtBearer(options =>
            {
                options.Authority = "{AUTHORITY}";
                options.Audience = "{AUDIENCE}";
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("Authenticated", policy => policy.RequireAuthenticatedUser());
        });

        services.Configure<RateLimitOptions>(options =>
        {
            options.GeneralRules = new List<RateLimitRule>
            {
                new RateLimitRule
                {
                    Endpoint = "*",
                    Limit = 1000,
                    Period = "1m"
                }
            };
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseGraphQL<ISchema>();
        app.UseIpRateLimiting();
    }
}

The above code fixes the vulnerability by implementing the following changes:

  1. Disable GraphQL Introspection and Metrics: The EnableMetrics and ExposeExceptions options are set to false to prevent exposing the GraphQL API schema structure and any exception details.

  2. Implement Authentication and Authorization: The AddAuthentication and AddAuthorization methods are used to add authentication and authorization to the application. The AddJwtBearer method is used to configure JWT bearer authentication. Replace {AUTHORITY} and {AUDIENCE} with your actual authority and audience.

  3. Apply Rate Limiting: The Configure method is used to add rate limiting to the application. The RateLimitOptions are configured to limit requests to 1000 per minute for all endpoints (*).

  4. Use Authentication, Authorization, and Rate Limiting: The UseAuthentication, UseAuthorization, and UseIpRateLimiting methods are added to the Configure method to use the authentication, authorization, and rate limiting in the application.

Remember to add the necessary using directives for the rate limiting and JWT bearer authentication packages, and to install these packages if they are not already installed.

Also, remember to implement input validation and sanitization in your GraphQL resolvers to prevent injection attacks, and to regularly update and patch your GraphQL library to fix any security vulnerabilities.

References

Last updated on