How to avoid data breaches with GraphQL?

Manage your sensitive data in GraphQL applications (PII, passwords, secrets…)

We released a new feature in Escape that enables you to detect and fix data leaks with GraphQL.

🚫 The GraphQL Access Control issue, what is it?

Access control is the set of restrictions that determines who or what may reach each resource in your application. When a user can reach a resource they should not be allowed to, there is an access control vulnerability.

Your GraphQL application has a schema that defines the relationships between objects. Every path through those relationships must be secured, otherwise you have an access control vulnerability.

GraphQL Voyager

The more objects your app has, the more paths there are between them. Escape saves you time by scanning all of those paths automatically and monitoring your sensitive data.

🛡️ What does Escape do?

Escape simulates legitimate traffic against your app, rebuilds the GraphQL schema and explores every path that lands on an object. Our CLI can find tokens, PII, Stripe tokens, RSA keys, and more.

Here are some examples of access control vulnerabilities that Escape can find:

Private data: Escape will raise an alert if it successfully accesses any object without being permitted. Example: a non-admin user has access to CreditCard objects.

Tenant isolation: Escape will raise an alert if it successfully accesses the same unique object of a given type with two different users. Example: two users can access the same CreditCard object.
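To make the two rules concrete, here is an added Python example that is not part of Escape's product or of this post. It models a minimal `creditCard(id)` resolver twice, once without an ownership check (the leaky version) and once with one, and then runs a private-data check and a tenant-isolation check against each. The users, roles, card records and field names are constructed sample data; no real GraphQL server is involved.

```python
"""Run the private-data and tenant-isolation rules against a toy resolver.

Constructed sample data only: the users, roles and card records below are
invented for this example; nothing here talks to a real GraphQL server.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "admin" or "customer"


# Constructed data store: card id -> record returned to the client.
CARDS = {
    "card_1": {"owner": "alice", "last4": "4242", "stripeToken": "tok_example_alice"},
    "card_2": {"owner": "bob", "last4": "1111", "stripeToken": "tok_example_bob"},
}


class Forbidden(Exception):
    """Raised when a resolver refuses to return an object to the caller."""


def resolve_credit_card_vulnerable(viewer, card_id):
    """Leaky resolver: any authenticated user can read any CreditCard by id."""
    return CARDS[card_id]


def resolve_credit_card_hardened(viewer, card_id):
    """Fixed resolver: admins may read any card; customers only their own."""
    card = CARDS[card_id]
    if viewer.role != "admin" and card["owner"] != viewer.name:
        raise Forbidden(f"{viewer.name} may not read {card_id}")
    return card


def private_data_check(resolver, non_admin, card_ids):
    """Private data rule: a non-admin who owns nothing must receive no card.

    Returns the ids the non-admin could read; an empty list means the check passed.
    """
    leaked = []
    for card_id in card_ids:
        try:
            resolver(non_admin, card_id)
            leaked.append(card_id)
        except Forbidden:
            pass
    return leaked


def tenant_isolation_check(resolver, user_a, user_b, card_ids):
    """Tenant isolation rule: one unique card must not be readable by two users.

    Returns the ids both users could read; an empty list means the check passed.
    """
    shared = []
    for card_id in card_ids:
        readable_by = 0
        for user in (user_a, user_b):
            try:
                resolver(user, card_id)
                readable_by += 1
            except Forbidden:
                pass
        if readable_by == 2:
            shared.append(card_id)
    return shared


def run_checks(resolver):
    """Apply both rules with constructed non-admin users and report findings."""
    alice = User("alice", "customer")
    bob = User("bob", "customer")
    carol = User("carol", "customer")  # non-admin who owns no card at all
    ids = sorted(CARDS)
    return {
        "private_data": private_data_check(resolver, carol, ids),
        "tenant_isolation": tenant_isolation_check(resolver, alice, bob, ids),
    }


if __name__ == "__main__":
    for label, resolver in (("vulnerable", resolve_credit_card_vulnerable),
                            ("hardened", resolve_credit_card_hardened)):
        print(label, run_checks(resolver))
```

Against the leaky resolver both checks report every card; against the fixed one both come back empty, while Alice can still read her own card. The checks deliberately use non-admin users: an admin reading every card is permitted by the schema's rules, so it is not a finding.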

If Escape finds such sensitive data, the platform displays it automatically, and you can start making your app more secure.

⚙️ How to manage your sensitive data?

Sensitive Data view

Here is the Sensitive Data view of a scan run with Escape's GraphQL Security Scanner, which enables you to detect and fix your data leaks.

This is an example of all the sensitive data accessible in the app. As you can see, data leaks are classified by severity. High-severity values such as a Stripe token, a BCrypt hash or a JSON Web Token appear here, and medium-severity personal data such as an email or a Dash address is listed too. You can check all the data Escape can find in the documentation.

You can also see which users have access to this data, which tells you about tenant isolation, private data, and private fields.

To see where this data was found, simply open the sensitive data card:

Data leaks locations

For more information about how to reproduce a finding, open the side panel by clicking on the location. There you will find the request and the response.

Data leaks - How to reproduce panel

For instance, to reproduce the request, you can copy the query:

Transaction_received query request

If this data is not sensitive, ignore it. It will be classified as reviewed, as you can see below:

Reviewed sensitive data

Want to secure your GraphQL application now? Try Escape for free 🚀