Doyle Aufderhar

Doyle Aufderhar

1651874400

InQL Scanner: A Burp Extension for GraphQL Security Testing

InQL Scanner

A security testing tool to facilitate GraphQL technology security auditing efforts.

InQL can be used as a stand-alone script or as a Burp Suite extension.

InQL Stand-Alone CLI

Running inql from Python will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for:

  • Queries, mutations, subscriptions
  • Its fields and arguments
  • Objects and custom object types
  • Cycles inside the graphql definition

InQL can inspect the introspection query results and generate clean documentation in different formats such as HTML and JSON schema. InQL is also able to generate templates (with optional placeholders) for all known basic data types.

For all supported options, check the command line help:

usage: inql [-h] [-t TARGET] [-f SCHEMA_JSON_FILE] [-k KEY] [-p PROXY]
            [--header HEADERS HEADERS] [-d] [--no-generate-html]
            [--no-generate-schema] [--no-generate-queries] [--generate-cycles]
            [--cycles-timeout CYCLES_TIMEOUT] [--cycles-streaming]
            [--generate-tsv] [--insecure] [-o OUTPUT_DIRECTORY]

InQL Scanner

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET             Remote GraphQL Endpoint (https://<Target_IP>/graphql)
  -f SCHEMA_JSON_FILE   Schema file in JSON format
  -k KEY                API Authentication Key
  -p PROXY              IP of a web proxy to go through
                        (http://127.0.0.1:8080)
  --header HEADERS HEADERS
  -d                    Replace known GraphQL arguments types with placeholder
                        values (useful for Burp Suite)
  --no-generate-html    Generate HTML Documentation
  --no-generate-schema  Generate JSON Schema Documentation
  --no-generate-queries
                        Generate Queries
  --generate-cycles     Generate Cycles Report
  --cycles-timeout CYCLES_TIMEOUT
                        Cycles Report Timeout (in seconds)
  --cycles-streaming    Some graph are too complex to generate cycles in
                        reasonable time, stream to stdout
  --generate-tsv        Generate TSV representation of query templates. It may
                        be useful to quickly search for vulnerable I/O.
  --insecure            Accept any SSL/TLS certificate
  -o OUTPUT_DIRECTORY   Output Directory

InQL Burp Suite Extension

Since version 1.0.0 of the tool, InQL was extended to operate within Burp Suite. In this mode, the tool will retain all the stand-alone script capabilities and add a handy user interface for manipulating queries.

Using the inql extension for Burp Suite, you can:

  • Search for known GraphQL URL paths; the tool will grep and match known values to detect GraphQL endpoints within the target website
  • Search for exposed GraphQL development consoles (GraphiQL, GraphQL Playground, and other standard consoles)
  • Use a custom GraphQL tab displayed on each HTTP request/response containing GraphQL
  • Leverage the templates generation by sending those requests to Burp's Repeater tool ("Send to Repeater")
  • Leverage the templates generation and editor support by sending those requests to embedded GraphIQL ("Send to GraphiQL")
  • Configure the tool by using a custom settings tab

InQL BURP Preview

To use inql in Burp Suite, import the Python extension:

  • Download the Jython Jar
  • Start Burp Suite
  • Extender Tab > Options > Python Enviroment > Set the location of Jython standalone JAR
  • Extender Tab > Extension > Add > Extension Type > Select Python
  • Download the latest inql_burp.py release here
  • Extension File > Set the location of inql_burp.py > Next
  • The output should now show the following message: InQL Scanner Started!

Burp Extension Usage

Getting started with the inql Burp extension is easy:

  1. Load a GraphQL endpoint or a JSON schema file location inside the top input field
  2. Press the "Load" button
  3. After a few seconds, the left panel will refresh, loading the directory structure for the selected endpoint as in the following example:
  • url
  •  
    • query
  •  
    •  
      • timestamp 1
  •  
    •  
      •  
        • query1.query
  •  
    •  
      •  
        • query2.query
  •  
    •  
      • timestamp 2
  •  
    •  
      •  
        • query1.query
  •  
    •  
      •  
        • query2.query
  •  
    • mutation
  •  
    • subscription
  1. Selecting any query/mutation/subscription will load the corresponding template in the main text area

InQL Stand-Alone UI

Since version 2.0.0, InQL UI is able to operate without requiring BURP. It is now possible to install InQL stand-alone for jython and run the Scanner UI.

In this mode, InQL maintains most of the Burp Scanner capabilities except for advanced interactions such as "Send To Repeater" and automatic authorization header generation, available through BURP.

To use inql stand-alone UI:

  • Download and Install Jython. Jython can be obtained on macOS through brew brew install jython or on Ubuntu derivates through apt-get install -y jython
  • Download inql git clone https://github.com/doyensec/inql
  • Change directory to inql with cd inql
  • Start the UI through jython with jython -m inql

NDR: At the current stage Jython does not support HTTP/2. Any request to an HTTP/2 server will fail silently. We advise to use the Burp to bypass this limitation temporarily.

Burp GraphQL Query Timer

Since version 3.0.0, InQL has an integrated Query Timer. This Query Timer is a reimagination of Request Timer, which can filter for query name and body.

The Query Timer is enabled by default and especially useful in conjunction with the Cycles detector. A tester can switch between graphql-editor modes (Repeater and GraphIQL) to identify DoS queries. Query Timer demonstrates the ability to attack such vulnerable graphql endpoints by counting the execution time of each and every query.

Timer

InQL Documentation Generator

In either BURP or Stand-Alone mode, InQL can generate meaningful documentation for available GraphQL entities. Results are available as HTML pages or query templates.

The resulting HTML documentation page will contain details for all available Queries, Mutations, and Subscriptions as shown here:

Preview

The following screenshot shows the use of templates generation:

Preview

InQL Precise Queries

Based on InQL's introspection intermediate representation (IIR), the tool is able to generate arbitrarily nested queries with support to any scalar type, enumerations, arrays, and objects.

query {
  Character(id_not_in:[1334], sort:[ROLE_DESC], search:"code", id_not:1334, id:1334, id_in:[1334]) {
    image {
      large
    }
    siteUrl
    favourites
    modNotes
    description(asHtml:true)
    media(sort:[TITLE_ROMAJI], type:ANIME, perPage:1334, page:1334) {
      edges {
        isMainStudio
      }
    }
    name {
      last
    }
    id
    isFavourite
    updatedAt
  }
}

While this enables seamless "Send to Repeater" functionality from the Scanner to the other tool components (Repeater and GraphiQL console), it is still not possible for the tool to infer placeholders for GraphQL Custom Scalars.

InQL Cycles Detector

The new introspection intermediate representation (IIR) allows to inspect for cycles in defined graphql schemas by requiring access to graphql introspection-enabled endpoint only.

This functionality is especially useful and automates bothersome testing practices employing graph solving algorithm. In our test, the tool was able to find millions of cycles in a matter of minutes.

Author: doyensec
Source Code: https://github.com/doyensec/inql
License: Apache-2.0 License
#graphql 

What is GEEK

Buddha Community

InQL Scanner: A Burp Extension for GraphQL Security Testing
Marcelle Smith

Marcelle Smith

1597025755

Automate GraphQL Backed Applications' Security Testing

Working with the latest tech is fun. It’s fresh and exciting. As developers we feel invigorated by being on the bleeding edge. Consider us thrillseekers.

Thrills, however, shouldn’t come from 2am alerts resulting in the binge triaging of production security bugs found in that latest tech stack. Perhapsit’s the reason you’re here. Perhaps you believe, like we do, that bugsare best squashed before deploying to prod.

StackHawk was built to help developers ship secure applications. Existingsecurity testing tools do not work well with modern developmentparadigms. We’ve built functionality to ensure that modern developerscan run security tests simply, including CI integrations, scanning REST API backed applications, and more.As we work to cover the modern application stack, we were well aware of the black hole for GraphQL security testing.We just released GraphQLscanning support to ensure that you can ship secure GraphQL APIs.

But before we jump into the specifics of the solution and follow up with a demo, let’s do a quick overview of the GraphQL specification. This is a unique space with an interesting set of challenges.

If you’re already well versed in GraphQL and the potential challenges posed by its current state of scan-ability, please feel free to skip ahead to How it Works for a demo and walkthrough.

If you enjoy a little flavor and some additional back story then I welcome you to join me on a brief detour.

Do you even Graph(QL)?

Now unless your tech stack has been in a quarantine with the rest of us, you’ve probably seen GraphQL implementations in the wild. If your business is inline with, or already one of the 3,026 star adopters reported in the GraphQL Landscape, then you’re probably already building and deploying a GraphQL API in production today.

Again, being at the forefront of change is always an exciting adventure, but have you taken time to ask yourself…

How secure is my GraphQL API?

If we take a look at some of the numbers, such as the GraphQL statistics report for Drupal customers or this survey on the most exciting API technologies, we get a sense of how this new specification continues gaining traction.

A rising popularity of any new technology typically results in a rise in broken implementations. Considering most of these apps are likely to lack proper testing we suddenly have some serious concerns.

While our craft remains the same despite new paradigms, the way in which we express ourselves through our systems will naturally have to be adjusted. This change presents a potential breeding ground for unchecked vulnerabilities on new and existing web apps.

At StackHawk, we believe it is important to simplify and automate security testing for your applications.

So… it’s like, graphs and stuff, right?

Indeed. The specification on the surface defines an outline for representing and interfacing with your data… as a graph and stuff.

At its core GraphQL works on the principle that data is interconnected and can be effectively represented as vertices on a graph. Most of us will be aware that this means two or more pairs of connected vertices, having one or more edges which may or may not come together to form forests,trees and leaves in a directed, acyclical or cyclical fashion, etc, ad infinitum… recursively, and on and on.

This is all just to say that the designers of GraphQL have brilliantly outlined the capacity for engineers to represent data in pretty much any complex structure desired (or maybe not desired). Anything goes as long as the implementation is within the confines of the specification and meets a few key criteria.

It’s the Wild West of the web! In fact, if you live in a quiet part of the city on dark summer evenings and draw the blinds, turn down the lights, and listen very carefully, you may just catch the sound of the faint grumblings emitted by backend engineers all over as they beg for mercy from the agony of rearchitecting their RESTful service into the promised land The Graph.

Now, this is dangerously close to falling into some wretched and poorly written essay about graph theory and the GraphQL API, but that would never be nearly as informative as what’s already available at GraphQL so let’s fast forward to what this all means for the security bottom-line.

#graphql #cyber-security #web-security #software-engineering #devops-security #graphql-api #api-security

Domingo Jakubowski

Domingo Jakubowski

1597564800

Top Security Penetration Testing Companies

Cybercrime is one of the world’s fastest-growing threats, with malicious actors constantly elaborating their methods of undetectable intrusion. According to Verizon’s Business 2020 Data Breach Investigations report, there has been a 100% increase in web app breaches, and stolen credentials were used in more than 80% of these cases. These statistics are worrying for many businesses that actively move their processes to the cloud and deal heavily with customers’ personal data.

Under these circumstances, companies need to run regular automated and manual tests to determine weak spots in their infrastructure, software, network and physical perimeter security. One of the most efficient testing methods is security penetration testing, or pentesting.

Pentesting is a benign hacking attempt, manual or automated, to break into the system and uncover its vulnerabilities before actual cyber criminals do it. This method is directed at testing the system security controls for their real-world effectiveness. It involves such stages as data collection, threat modeling, vulnerability scans, penetration tests, and so on.

To get proactive with their cyber security protection, many businesses cooperate with professional security testing companies that are able to comprehensively check the system, identify risks, fix vulnerabilities, and stay one step ahead of potential hackers.

The ranking criteria for security testing companies

When asking a professional software testing company to check your system’s security, in most cases you need to grant them access to sensitive information. For this reason, it’s important to choose a reliable company with an exceptional reputation, which will become your trusted partner.

Unsurprisingly, the market of security penetration testing companies is overwhelmingly crowded. To narrow down your search, we have analyzed hundreds of testing companies and compiled the list of top testing professionals. We have applied the following criteria:

  • Pentesting expertise
  • Portfolio
  • Software QA experience
  • Market penetration
  • Online reviews

As a result, we’ve picked 30 skilled security testing companies and rated them accordingly.

1. a1qa

a1qa is a software testing company from Lakewood, CO, that has delivered over 1,500 successful projects and established 10 Centers of Excellence during their 17 years of operation. It has partnered with more than 500 companies, from smaller businesses to Fortune 500 giants. The company’s prominent customers include adidas, Kaspersky Lab, SAP, Yandex, Forex Club, and more.

a1qa specializes in delivering full-cycle QA and testing services, including comprehensive security penetration testing. Its expertise covers testing of web apps such as portals, ecommerce, media and e-learning platforms, games and online casinos, and line-of-business testing, such as CRM, collaboration, document management, and financial systems. The company also runs a specialized security testing lab.

2. QA Mentor

Founded in New York in 2010, QA Mentor has managed to establish a strong global presence with 12 testing centers around the world. Its team consists of 300 certified QA professionals that have successfully completed over 870 projects, including the ones for Amazon, eBay, Bosch, HTC, and more. The company offers more than 30 testing services, with cyber security penetration testing among them.

QA Mentor is recognized as a top software testing company by Clutch, GoodFirms, and Gartner.

3. UnderDefense

UnderDefense is a certified computer and network security company that was established in New York in 2016. It provides a wide range of testing services, with a special focus on security penetration testing. The company’s certified security testing team has performed hundreds of penetration tests, including compliance-specific tests, app and wireless network penetration testing, and social engineering security testing. UnderDefense has been repeatedly awarded by Clutch.

#testing #software-testing #security-testing #penetration-testing #top-software-testing-companies #software-testing-companies #good-company #code-quality

Wilford Pagac

Wilford Pagac

1596789120

Best Custom Web & Mobile App Development Company

Everything around us has become smart, like smart infrastructures, smart cities, autonomous vehicles, to name a few. The innovation of smart devices makes it possible to achieve these heights in science and technology. But, data is vulnerable, there is a risk of attack by cybercriminals. To get started, let’s know about IoT devices.

What are IoT devices?

The Internet Of Things(IoT) is a system that interrelates computer devices like sensors, software, and actuators, digital machines, etc. They are linked together with particular objects that work through the internet and transfer data over devices without humans interference.

Famous examples are Amazon Alexa, Apple SIRI, Interconnected baby monitors, video doorbells, and smart thermostats.

How could your IoT devices be vulnerable?

When technologies grow and evolve, risks are also on the high stakes. Ransomware attacks are on the continuous increase; securing data has become the top priority.

When you think your smart home won’t fudge a thing against cybercriminals, you should also know that they are vulnerable. When cybercriminals access our smart voice speakers like Amazon Alexa or Apple Siri, it becomes easy for them to steal your data.

Cybersecurity report 2020 says popular hacking forums expose 770 million email addresses and 21 million unique passwords, 620 million accounts have been compromised from 16 hacked websites.

The attacks are likely to increase every year. To help you secure your data of IoT devices, here are some best tips you can implement.

Tips to secure your IoT devices

1. Change Default Router Name

Your router has the default name of make and model. When we stick with the manufacturer name, attackers can quickly identify our make and model. So give the router name different from your addresses, without giving away personal information.

2. Know your connected network and connected devices

If your devices are connected to the internet, these connections are vulnerable to cyber attacks when your devices don’t have the proper security. Almost every web interface is equipped with multiple devices, so it’s hard to track the device. But, it’s crucial to stay aware of them.

3. Change default usernames and passwords

When we use the default usernames and passwords, it is attackable. Because the cybercriminals possibly know the default passwords come with IoT devices. So use strong passwords to access our IoT devices.

4. Manage strong, Unique passwords for your IoT devices and accounts

Use strong or unique passwords that are easily assumed, such as ‘123456’ or ‘password1234’ to protect your accounts. Give strong and complex passwords formed by combinations of alphabets, numeric, and not easily bypassed symbols.

Also, change passwords for multiple accounts and change them regularly to avoid attacks. We can also set several attempts to wrong passwords to set locking the account to safeguard from the hackers.

5. Do not use Public WI-FI Networks

Are you try to keep an eye on your IoT devices through your mobile devices in different locations. I recommend you not to use the public WI-FI network to access them. Because they are easily accessible through for everyone, you are still in a hurry to access, use VPN that gives them protection against cyber-attacks, giving them privacy and security features, for example, using Express VPN.

6. Establish firewalls to discover the vulnerabilities

There are software and firewalls like intrusion detection system/intrusion prevention system in the market. This will be useful to screen and analyze the wire traffic of a network. You can identify the security weakness by the firewall scanners within the network structure. Use these firewalls to get rid of unwanted security issues and vulnerabilities.

7. Reconfigure your device settings

Every smart device comes with the insecure default settings, and sometimes we are not able to change these default settings configurations. These conditions need to be assessed and need to reconfigure the default settings.

8. Authenticate the IoT applications

Nowadays, every smart app offers authentication to secure the accounts. There are many types of authentication methods like single-factor authentication, two-step authentication, and multi-factor authentication. Use any one of these to send a one time password (OTP) to verify the user who logs in the smart device to keep our accounts from falling into the wrong hands.

9. Update the device software up to date

Every smart device manufacturer releases updates to fix bugs in their software. These security patches help us to improve our protection of the device. Also, update the software on the smartphone, which we are used to monitoring the IoT devices to avoid vulnerabilities.

10. Track the smartphones and keep them safe

When we connect the smart home to the smartphone and control them via smartphone, you need to keep them safe. If you miss the phone almost, every personal information is at risk to the cybercriminals. But sometimes it happens by accident, makes sure that you can clear all the data remotely.

However, securing smart devices is essential in the world of data. There are still cybercriminals bypassing the securities. So make sure to do the safety measures to avoid our accounts falling out into the wrong hands. I hope these steps will help you all to secure your IoT devices.

If you have any, feel free to share them in the comments! I’d love to know them.

Are you looking for more? Subscribe to weekly newsletters that can help your stay updated IoT application developments.

#iot #enterprise iot security #how iot can be used to enhance security #how to improve iot security #how to protect iot devices from hackers #how to secure iot devices #iot security #iot security devices #iot security offerings #iot security technologies iot security plus #iot vulnerable devices #risk based iot security program

Security IT

Security IT

1606927174

10 Cyber Security Tools to Watch Out for in 2021 - DZone Security

With an immense number of companies and entities climbing onto the digital bandwagon, cybersecurity considerations have come up as limelight. Besides, new technologies such as Big Data, IoT, and Artificial Intelligence/Machine Learning are gradually more making inroads into our everyday lives, the threats related to cybercrime are mounting as well. Additionally, the usage of mobile and web apps in transacting financial information has put the complete digital stuff exposed to cybersecurity breaches. The inherent risks and vulnerabilities found in such apps can be exploited by attackers or cybercriminals to draw off crucial information data counting money. Internationally, cyber-security breaches have caused a yearly loss of USD 20.38 million in 2019 (Source: Statista). Plus, cybercrime has led to a 0.80 percent loss of the entire world’s Gross domestic product, which sums up to approx. USD 2.1 trillion in the year 2019 alone (Source: Cybriant.com).

In this article, take a look at ten cyber security tools to watch out for in 2021, including NMap, Wireshark, Metasploit, and more!

#security #cyber security #security testing #security testing tools #cyber security tools

Tamia Walter

Tamia Walter

1596754901

Testing Microservices Applications

The shift towards microservices and modular applications makes testing more important and more challenging at the same time. You have to make sure that the microservices running in containers perform well and as intended, but you can no longer rely on conventional testing strategies to get the job done.

This is where new testing approaches are needed. Testing your microservices applications require the right approach, a suitable set of tools, and immense attention to details. This article will guide you through the process of testing your microservices and talk about the challenges you will have to overcome along the way. Let’s get started, shall we?

A Brave New World

Traditionally, testing a monolith application meant configuring a test environment and setting up all of the application components in a way that matched the production environment. It took time to set up the testing environment, and there were a lot of complexities around the process.

Testing also requires the application to run in full. It is not possible to test monolith apps on a per-component basis, mainly because there is usually a base code that ties everything together, and the app is designed to run as a complete app to work properly.

Microservices running in containers offer one particular advantage: universal compatibility. You don’t have to match the testing environment with the deployment architecture exactly, and you can get away with testing individual components rather than the full app in some situations.

Of course, you will have to embrace the new cloud-native approach across the pipeline. Rather than creating critical dependencies between microservices, you need to treat each one as a semi-independent module.

The only monolith or centralized portion of the application is the database, but this too is an easy challenge to overcome. As long as you have a persistent database running on your test environment, you can perform tests at any time.

Keep in mind that there are additional things to focus on when testing microservices.

  • Microservices rely on network communications to talk to each other, so network reliability and requirements must be part of the testing.
  • Automation and infrastructure elements are now added as codes, and you have to make sure that they also run properly when microservices are pushed through the pipeline
  • While containerization is universal, you still have to pay attention to specific dependencies and create a testing strategy that allows for those dependencies to be included

Test containers are the method of choice for many developers. Unlike monolith apps, which lets you use stubs and mocks for testing, microservices need to be tested in test containers. Many CI/CD pipelines actually integrate production microservices as part of the testing process.

Contract Testing as an Approach

As mentioned before, there are many ways to test microservices effectively, but the one approach that developers now use reliably is contract testing. Loosely coupled microservices can be tested in an effective and efficient way using contract testing, mainly because this testing approach focuses on contracts; in other words, it focuses on how components or microservices communicate with each other.

Syntax and semantics construct how components communicate with each other. By defining syntax and semantics in a standardized way and testing microservices based on their ability to generate the right message formats and meet behavioral expectations, you can rest assured knowing that the microservices will behave as intended when deployed.

Ways to Test Microservices

It is easy to fall into the trap of making testing microservices complicated, but there are ways to avoid this problem. Testing microservices doesn’t have to be complicated at all when you have the right strategy in place.

There are several ways to test microservices too, including:

  • Unit testing: Which allows developers to test microservices in a granular way. It doesn’t limit testing to individual microservices, but rather allows developers to take a more granular approach such as testing individual features or runtimes.
  • Integration testing: Which handles the testing of microservices in an interactive way. Microservices still need to work with each other when they are deployed, and integration testing is a key process in making sure that they do.
  • End-to-end testing: Which⁠—as the name suggests⁠—tests microservices as a complete app. This type of testing enables the testing of features, UI, communications, and other components that construct the app.

What’s important to note is the fact that these testing approaches allow for asynchronous testing. After all, asynchronous development is what makes developing microservices very appealing in the first place. By allowing for asynchronous testing, you can also make sure that components or microservices can be updated independently to one another.

#blog #microservices #testing #caylent #contract testing #end-to-end testing #hoverfly #integration testing #microservices #microservices architecture #pact #testing #unit testing #vagrant #vcr