New CS: GraphQL Security Cheat Sheet #421
Comments
Awesome! ;-)
@bigshebang, is there an ETA for the draft? We (together with @PauloASilva) are starting to work on the subject as well.
@ErezYalon the ETA is now :D #434
What @bigshebang presented is an effort already made on creating a GraphQL knowledge base. Next up is growing that to cover the defenses spectrum and tidying it up to have a sheet feeling.
We are a small team working on several API Security projects.
Hi guys, my initial comments and thoughts on how to improve the GraphQL Cheat Sheet proposal were left in the PR. On an initial stage I think we can work on our general suggestion: make the CS more actionable, but only after hearing your thoughts about our comments. Cheers,
Thanks @PauloASilva! We didn't provide our full feedback as well. Thanks for tackling this!
I will try to review it over the weekend
What is the status? Can I help here?
Hi there! I can describe some common vulnerabilities related to GraphQL APIs that I've found during my bug bounty journey. Also the methodology of researching GraphQL APIs from a bug hunter's perspective. However, as far as I understand, this cheat sheet is intended for developers. From your perspective, is that kind of information valuable to the cheat sheet?
@jmanico @nikitastupin please review this work #434 and share your thoughts.
I've taken a look at #434 and I agree with most comments that other reviewers left. Also, from my perspective, the proposed cheat sheet provides too general information or information that can be found in other OWASP resources 😃 It was easier for me to make a cheat sheet from scratch than to integrate my thoughts into the existing one. Thus I've decided to make #469, which reflects my vision of how the GraphQL cheat sheet should look. It's not complete and definitely not perfect. However, I've tried to keep it small, practical and clean for faster review and merge. We can add more information to it in the future in small steps.
I've been working on incorporating everyone's feedback and will have at least one new commit up tomorrow. I'm about halfway through, so we'll see if I can finish the rest tomorrow. @nikitastupin I will also add some of your content into the CS where it makes sense.
@bigshebang it's great news! However, I think that it's easier to get some minimal cheat sheet done and then add other things to it. So if you feel that adding content from #469 to the new version of #434 is slowing down the process, you may leave this work to me 😃
I like the content from both @nikitastupin and @bigshebang; the CS is awesome, we need to merge them.
@mackowski I have added content from @nikitastupin's PR that I thought was relevant, as well as incorporated all other existing feedback. There are a couple of things I would appreciate some help with from someone who has more GraphQL experience or a testing setup handy; I left comments for these things. If nobody else gets to them I will at some point set up my own test environment (just not sure when).
@bigshebang awesome, thanks for the update!
Close to being done, gonna push some commits in the next couple days. But I just wanted to leave a few items that need improvement in this CS in the future:
@mackowski the CS is all done! I would just like Paulo to give a quick review on one new section (I tagged him on the section I want them to review). Would be great if you or @ThunderSon could also give the whole thing a once-over to make sure it's all nice and tidy and ready to go.
I've reviewed the new section and left a few suggestions based on what I have found in the wild. @ErezYalon Maybe you'll be able to help reviewing the whole CS and provide some feedback. @bigshebang Congrats for the hard and great work! Cheers,
@PauloASilva I'm on it.
After review, there are two comments:
I have a one-liner that explains why Introspection is bad. I don't think this CS needs to go deeper than this:
I'll defer to @ThunderSon on that. Is JS Prototype Pollution more common in GraphQL than in other APIs? If so, we can add a note about it. Erez and @PauloASilva would love your thoughts here, as well as the actual content we can add.
I share the same vision as @ThunderSon: prototype pollution is more a library thing. Regarding Introspection, it is a controversial subject: some people argue that it can be used as "documentation". I don't share such a vision and I am comfortable with what we have now.
Perfect! @ThunderSon I think we're all set here then. I'm eager to get this merged in 😄
Fixed in #434
After various discussions on Slack, it is important to create a GraphQL Cheat Sheet in order to guide developers in writing secure GraphQL endpoints.
@bigshebang to provide us with a draft on work already done from their side.
@PauloASilva FYI. This should be moving properly with the API security project's line as well.
Let's see this effort through. After Luke's draft, we can modify the template and see what's missing and could be improved 😄