In 5 short years, GraphQL has solidified its footprint as the API backing of many applications, and it shows no sign of slowing. More and more companies are choosing GraphQL for its simplicity, ability to fetch the right amount of data, and the way it can traverse a graph of relational data.
Securing GraphQL applications, however, has been a challenge. Sure, there are common best practices and rules in place. But reliance on training or the rudimentary automated checks that currently exist only gets you so far. Eventually security bugs will be deployed and your app will be at risk.
GraphQL Security from StackHawk
We’re excited to announce that HawkScan, StackHawk’s scanning engine, now supports GraphQL applications. StackHawk is the only product on the market that can scan a running GraphQL application, simulating an attack by fuzzing the various query parameters, and surfacing potential security bugs to engineering teams.
With StackHawk, teams using GraphQL for their API layer can now confidently catch potential vulnerabilities before security bugs hit production. With CI/CD automation, you can ensure that potential bugs are caught early in the development lifecycle and fixed by the developers who have the context and expertise of the code base they just merged to.
How it Works
StackHawk is a dynamic application security testing tool. That means it runs security testing against your running application, whether that be on your local machine, in CI environments, or against your application in production.
GraphQL testing is done by exposing the introspection endpoint to the scanner via the StackHawk.yml file. The scanner runs introspection and identifies all of the potential query and mutation operations of the endpoint, and then gets to work finding potential security bugs. As a dynamic security test, the scanner sends requests to all endpoints, effectively fuzzing the whole GraphQL tree, simulating the ways the application could be attacked. The scanner logs all tested endpoints and any security bugs found, with the associated request and response payload. From there, developers can triage bugs, fixing high priority issues and using Findings Management to quiet noise for accepted risk or assigned items. Then, GraphQL scanning can be automated in the pipeline to ensure that no build hits production with unaccepted security risk.
Getting started with GraphQL security in StackHawk is incredibly easy, simply requiring the addition of the schema path to the stackhawk.yml file.
App: ... graphqlConf: enabled: true schemaPath: /graphql
Visit our docs for more information on configuration for GraphQL, as well as other configuration options such as authenticated scanning. As always, our team is available to assist as you begin using StackHawk. Reach out to firstname.lastname@example.org and we will be happy to help.