How to avoid data breaches with GraphQL?

Manage your sensitive data in GraphQL applications (PII, passwords, secrets…)

We released a new feature in Escape that enables you to detect and fix data leaks with GraphQL.

🚫 The GraphQL Access Control issue, what is it?

Access control is the set of rules that decides which users may reach which resources in your application. When a user can reach a resource they are not permitted to access, there is an access control vulnerability.

Your GraphQL application has a schema that defines the relationships between objects. Every path through that schema that leads to a sensitive object must be secured, otherwise you have an access control vulnerability.

GraphQL Voyager

The more objects your app has, the more paths it has. Using Escape can save you time by scanning all of those paths automatically and giving you monitoring of your sensitive data.

🛡️ What does Escape do?

Escape runs a simulation of legitimate traffic against your app and rebuilds a GraphQL schema to explore every path that lands on an object. Our CLI can find tokens, PII, Stripe tokens, financial information and RSA keys.

Here are some examples of access control vulnerabilities that Escape can find:

Private data: Escape raises an alert if it successfully accesses any object without being permitted to. For example, if a non-admin user has access to CreditCard objects.

Tenant isolation: Escape raises an alert if it successfully accesses the same unique object of a type with two different users. For example, if two users can access the same CreditCard object.
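The two rules above can be expressed as checks over a list of observed accesses (which user, with which role, reached which object). The following is an added illustration written for this article, not Escape's own code: it assumes a constructed access log, an assumed list of admin-only types, and an assumed list of legitimately shared types that would otherwise produce false tenant-isolation findings.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One observed access: a user (with a role) reached one object of a type."""
    user: str
    role: str
    type_name: str
    object_id: str


# Assumption: types that only these roles may read (private data rule).
PRIVATE_TYPES = {"CreditCard": {"admin"}}

# Assumption: types that are legitimately visible to every tenant, so two users
# reaching the same object is expected and must not be flagged.
SHARED_TYPES = {"Product"}


def private_data_findings(accesses):
    """Accesses to a private type by a role that is not allowed to read it."""
    hits = {
        (a.user, a.type_name, a.object_id)
        for a in accesses
        if a.type_name in PRIVATE_TYPES and a.role not in PRIVATE_TYPES[a.type_name]
    }
    return sorted(hits)


def tenant_isolation_findings(accesses):
    """Objects of a non-shared type reached by more than one distinct user."""
    users_per_object = defaultdict(set)
    for a in accesses:
        if a.type_name not in SHARED_TYPES:
            users_per_object[(a.type_name, a.object_id)].add(a.user)
    return sorted(
        (type_name, object_id, tuple(sorted(users)))
        for (type_name, object_id), users in users_per_object.items()
        if len(users) > 1
    )


# Constructed sample log: alice is an admin, bob and carol are ordinary users.
SAMPLE = [
    Access("alice", "admin", "CreditCard", "cc-1"),  # allowed
    Access("bob", "user", "CreditCard", "cc-2"),     # private data finding
    Access("bob", "user", "Invoice", "inv-9"),
    Access("carol", "user", "Invoice", "inv-9"),     # tenant isolation finding
    Access("bob", "user", "Product", "p-1"),
    Access("carol", "user", "Product", "p-1"),       # shared type, not flagged
]
```

Running both checks over SAMPLE reports bob reaching CreditCard cc-2 and Invoice inv-9 being reachable by both bob and carol, while the shared Product is ignored.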

If Escape finds such sensitive data, the platform displays it automatically, and you can start making your app more secure.

⚙️ How to manage your sensitive data?

Here is the Sensitive Data view of a scan run with Escape's GraphQL Security Scanner, which enables you to detect and fix your data leaks.

Sensitive Data view

This is an example of all the sensitive data accessible in the app. As you can see, data leaks are classified by severity. High-severity values such as a Stripe token, a BCrypt hash or a JSON Web Token are listed here, alongside medium-severity personal data such as an email or a Dash address. You can check all the data types Escape can find in the documentation.

You can also see which users have access to this data, which gives you information about tenant isolation, private data, and private fields.

To see where this data was found, open the sensitive data card:

Data leaks locations

For more information on how to reproduce the finding, open the side panel by clicking on the location. There you will find the request and the response.

Data leaks - How to reproduce panel

For instance, to reproduce the request, you can copy the query:

Transaction_received query request

If the data is not sensitive, you can ignore it. It will then be classified as reviewed, as you can see below:

Reviewed sensitive data

Want to secure your GraphQL application now? Try Escape for free 🚀

Additional resources for GraphQL security

💡 Do you prefer hands-on learning about GraphQL security? Start your lessons with our API Security Academy focused on GraphQL and learn how to build safe GraphQL APIs.