
Why implement GraphQL security? We will set the stage by introducing some examples of critical GraphQL vulnerabilities found in popular softwares. - CVE-2021-41248: This vulnerability in GraphiQL, a GraphQL IDE, relates to schema introspection responses that could lead to XSS attacks. - CVE-2023-38503: In Directus, a real-time API and dashboard for managing SQL database, there was a vulnerability in GraphQL subscriptions where permission filters were not properly checked, leading to unauthorized event notifications. - CVE-2023-34047: A vulnerability in Spring for GraphQL where a batch loader function could be exposed to GraphQL context with security context values from a different session, potentially leading to unauthorized access or information disclosure. Top 10 GraphQL Security Checks - #1 Disable Introspection in Production - #2 Robust Authentication - #3 Limit Query Depths - #4 Rate Limiting - #5 Input Validation - #6 Secure Direct Object References - #7 Error Handling - #8 Query Complexity Analysis - #9 Mass Assignment Checks - #10 Excessive Data Exposure How to automate GraphQL Security? - we will talk about automating the 10 security checks in code and CI/CD