Tuesday, November 12, 2024
HomeCyber Security NewsBurp Suite New GraphQL API to Detect Hidden Endpoints

Burp Suite New GraphQL API to Detect Hidden Endpoints

Published on

Malware protection

The Burp Scanner’s new GraphQL capabilities allow it to recognize known endpoints, locate hidden endpoints, determine whether introspection or recommendations are enabled, and report when an endpoint fails to validate the content type.

Portswigger, the firm behind the renowned web application security testing tool Burp Suite, has announced that Burp Scanner’s new GraphQL checks will automatically indicate multiple instances of GraphQL vulnerabilities during penetration testing.

In most cases, implementation and design problems lead to GraphQL vulnerabilities. Attacks using GraphQL often take the form of malicious requests that provide the attacker access to data or allow them to carry out unauthorized operations.

- Advertisement - SIEM as a Service

These attacks may be quite damaging, especially if the user manages to obtain administrator rights by tampering with queries or using a CSRF vulnerability. Information disclosure problems may also result from GraphQL API vulnerabilities.

Identify GraphQL API Flaws

Burp Scanner makes it easy to find the GraphQL endpoint on websites rather than having to manually search through them.

“We’ve defined some passive and active scan checks to find known endpoints automatically, allowing you to focus on finding the vulnerabilities,” the company stated.

When deploying a GraphQL endpoint to production by accident, for instance, a developer can do so without using it on the website. 

Even if a site isn’t utilizing GraphQL, Burp Suite will search for common endpoints and finds hidden deployments.

Source : portswigger

Given that a vulnerability will likely be discovered if it’s an unintentional deployment, these endpoints might be an invaluable resource for a tester.

Introspection lets you execute a query on the real schema to discover what queries it supports. Because a website might not wish to reveal the inner workings of its API to the public, it is frequently disabled in production. 

Burp will detect whether introspection is enabled; while this isn’t a vulnerability in and of itself, it may be beneficial to a tester to help test the site and to a developer to serve as a reminder to turn it off in production.

Further, the company stated that to assist in creating a proper query, certain GraphQL servers, such as Apollo, will offer recommendations when you submit an incorrect query.

Hence, even with introspection turned off, a tester may still utilize this to identify the underlying schema by using a word dictionary and the suggested answer as an oracle.

A valid schema may be created from a dictionary using a tool like clairvoyance. You may locate endpoints with recommendations enabled and report them using Burp.

A POST method with an application/json content type is used by the majority of GraphQL endpoints.

A browser cannot make this request without utilizing CORS (Cross-origin resource sharing ) if the content type is appropriately verified since sending the proper content type will be impossible.

This protects the endpoint against CSRF (Cross-site request forgery). 

However, it may be feasible to abuse the GraphQL endpoint by forging queries if a site does not check the content type and does not utilize a CSRF token, provided mitigations like SameSite cookies may be disregarded or neutralized due to the SameSite None flag. 

Burp will alert the user if a POST request with application/x-www-form-urlencoding or a GET request to the endpoint may be forged.

Conclusion

One of the most well-liked approaches to creating APIs and data-driven apps is now GraphQL. Traditional REST APIs provide a predetermined set of endpoints and replies, but GraphQL enables clients to query for just the data they want, increasing flexibility and efficiency for both client and server.

Knowing the most recent tools will help penetration testers uncover the most recent vulnerabilities. Today’s websites frequently employ GraphQL APIs, which expose the attack surface for a variety of security problems.

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...