[New Test] Protect Your GraphQL APIs through Mass Assignment Testing

Akto has developed a test template to secure these APIs against Mass Assignment vulnerabilities. See how to test for this using Akto’s Test Editor.

Raaga Srinivas

8 mins

In the modern web development landscape, GraphQL has emerged as a powerful and flexible alternative to traditional REST APIs. While GraphQL offers numerous advantages, such as efficient data fetching and schema-based querying, it also introduces new security considerations. One crucial aspect that developers must address is the mass assignment vulnerability, which can allow attackers to modify or overwrite sensitive data that the application never intended to be writable by clients.

Mass Assignment vulnerability in GraphQL

Mass assignment vulnerability occurs when an application fails to properly validate and sanitize user input, allowing attackers to manipulate fields or properties that should be read-only or controlled by the server.

In the context of GraphQL, this vulnerability can arise when resolvers (the functions that handle GraphQL operations) don't adequately validate the input data before performing data modifications. For example, consider a GraphQL mutation that allows users to update their profile information:

mutation UpdateUserProfile($input: UpdateUserInput!) {
  updateUser(input: $input) {
    id
    name
    email
    role   # server-controlled field: it must not be settable through $input
  }
}

If the updateUser resolver doesn't validate the input argument, an attacker could potentially modify the role field and escalate their privileges within the application, leading to unauthorized access or data breaches.
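As an added illustration (not code from this article or from Akto), here is an updateUser resolver in the unchecked form described above beside an allowlisted version; the in-memory store, the shape of $input, the CLIENT_EDITABLE set and the context fields are assumptions made for the example.

```javascript
// Added example, not Akto's or any project's code: an updateUser resolver
// written two ways. The in-memory store, the shape of $input, the
// CLIENT_EDITABLE allowlist and the context fields are assumptions.

// Constructed sample data: one user row, as a resolver would load it from a DB.
function makeStore() {
  return { u1: { id: "u1", name: "Ada", email: "ada@example.test", role: "user" } };
}

// Vulnerable: every key in the client-supplied input object is copied onto
// the stored record, so a client that adds "role" to $input rewrites its own
// role. This is the mass assignment pattern the article describes.
function updateUserVulnerable(_parent, { input }, context) {
  const user = context.db[context.userId];
  Object.assign(user, input); // no allowlist: id, role, anything goes
  return user;
}

// Hardened: only fields the client may edit are copied. Unknown or
// server-controlled fields fail the request instead of being silently
// dropped, so the attempt is visible in error logs.
const CLIENT_EDITABLE = new Set(["name", "email"]);

function updateUserSafe(_parent, { input }, context) {
  const user = context.db[context.userId];
  const rejected = Object.keys(input).filter((k) => !CLIENT_EDITABLE.has(k));
  if (rejected.length > 0) {
    throw new Error(`updateUser: field(s) not client-editable: ${rejected.join(", ")}`);
  }
  for (const k of CLIENT_EDITABLE) {
    if (k in input) user[k] = input[k];
  }
  return user;
}

// Runs both resolvers on the same input that smuggles a "role" field.
function demo() {
  const args = { input: { name: "Eve", role: "admin" } };
  const dbA = makeStore();
  const escalated = updateUserVulnerable(null, args, { userId: "u1", db: dbA }).role;
  const dbB = makeStore();
  let blocked = false;
  try { updateUserSafe(null, args, { userId: "u1", db: dbB }); } catch (e) { blocked = true; }
  return { escalated, blocked, roleAfterSafe: dbB.u1.role };
}
```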

To ensure the security of your GraphQL APIs and protect against mass assignment vulnerabilities, Akto has developed a new test: Mass Assignment Test for GraphQL APIs.

Mass Assignment Testing in GraphQL APIs using Akto

Step 1: Go to Akto's Test Editor

Sign in to Akto, navigate to ‘Test Editor’, and access the test titled ‘Mass Assignment Test for GraphQL APIs’.

You will see these 3 operations:

location: terminal_keys: This operation creates a wordlist of all terminal fields/keys, i.e. childless (leaf) nodes, found in a GraphQL API response.

valueType: object: This operation generates a wordlist of all keys whose value is of type object in a GraphQL API response.

add_unique_graphql_field: This operation appends unique GraphQL fields (terminal keys) that do not exist in the original GraphQL API request.

3 operations in Mass Assignment Test


Step 2: Run the Test on your GraphQL API

Hit Run Test!

Here is an example of the results from a sample GraphQL API request and response.

This is the original GraphQL request without any extra terminal keys from the response payload.

This is the original GraphQL API response containing multiple JSON keys and objects. Akto's test editor will use these keys to test for Mass Assignment vulnerabilities.

If Akto detects additional keys or fields in the response payload that are absent from the original request payload, it adds them to the request payload and replays the request. If the replayed request returns a 2xx response status code, the test flags a mass assignment vulnerability.

In this example, email is an additional key that Akto detected in the response payload, so Akto adds this key as a field in the request payload and replays it.

Because the replayed request received a 2xx response, Akto confirms that there is a mass assignment vulnerability.
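To make the three operations and the replay concrete, here is an added example (not Akto's own implementation) that builds the terminal-key and object-key wordlists from a constructed response, injects the missing fields into the request input and replays it against a stand-in endpoint; the sample payloads and the graphqlEndpoint function are assumptions. It also reads the probe values back out of the reply, which goes one step beyond the 2xx check the test itself uses.

```javascript
// Added example, not Akto's test editor code: the three wordlist operations
// above applied to a constructed request/response pair, then a replay.
// The sample payloads and the graphqlEndpoint stand-in are assumptions.

// location: terminal_keys -- leaf keys (childless nodes) anywhere in a JSON body
function terminalKeys(node, out = new Set()) {
  if (Array.isArray(node)) node.forEach((v) => terminalKeys(v, out));
  else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      if (v && typeof v === "object") terminalKeys(v, out); else out.add(k);
    }
  }
  return out;
}
// valueType: object -- keys whose value is itself a (non-array) object
function objectKeys(node, out = new Set()) {
  if (!node || typeof node !== "object" || Array.isArray(node)) return out;
  for (const [k, v] of Object.entries(node)) {
    if (v && typeof v === "object" && !Array.isArray(v)) { out.add(k); objectKeys(v, out); }
  }
  return out;
}
// add_unique_graphql_field -- append response terminal keys the request's input
// object does not already carry, each with a recognisable probe value
function addUniqueFields(input, responseBody) {
  const probed = { ...input };
  for (const k of terminalKeys(responseBody)) if (!(k in probed)) probed[k] = `probe-${k}`;
  return probed;
}
// Constructed sample: the original request sent only "name"; the response also
// exposes "id", "email" and "role" under data.updateUser.
const originalInput = { name: "Ada" };
const originalResponse = { data: { updateUser: { id: "u1", name: "Ada", email: "ada@example.test", role: "user" } } };

// Stand-in target that accepts any field (i.e. a vulnerable resolver) and
// echoes the stored record with an HTTP-like status code.
function graphqlEndpoint(variables) {
  const stored = { id: "u1", name: "Ada", email: "ada@example.test", role: "user", ...variables.input };
  return { status: 200, body: { data: { updateUser: stored } } };
}
// Verdict is the 2xx on the replay, as in the article; reading the probe values
// back from the response is a stricter confirmation that the field was written.
function massAssignmentCheck() {
  const probedInput = addUniqueFields(originalInput, originalResponse);
  const added = Object.keys(probedInput).filter((k) => !(k in originalInput));
  const reply = graphqlEndpoint({ input: probedInput });
  const reflected = added.filter((k) => reply.body.data.updateUser[k] === probedInput[k]);
  return { objectFields: [...objectKeys(originalResponse)], added, reflected,
           accepted: reply.status >= 200 && reply.status < 300 };
}
```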

You have now detected a Mass Assignment vulnerability with Akto! You’re now set to remediate this issue. You can also assign the task to the appropriate team member through our Jira Integration.

Final Thoughts

With the growing popularity of GraphQL, it's important to address security considerations such as the mass assignment vulnerability.

Developers must understand these potential vulnerabilities and take the necessary steps to protect their APIs. By leveraging Akto's Mass Assignment Test for GraphQL APIs, you can proactively detect and mitigate these vulnerabilities, thereby ensuring the security and integrity of your applications. Here are some resources to learn more about Mass Assignment and testing GraphQL APIs with Akto:
