Security Testing for GraphQL Backed Applications


With StackHawk, engineering teams can run security tests against GraphQL-backed applications to find and fix vulnerabilities before they reach production. With automated testing on every PR, you can be confident that your GraphQL API is secure. Join StackHawk co-founder Ryan Severns for a quick overview of GraphQL security with StackHawk.

This talk was presented at GraphQL Galaxy 2020.

FAQ

StackHawk is an application security testing tool designed to help developers find and fix security bugs in their applications, including testing APIs and GraphQL endpoints.

StackHawk specializes in dynamic application security testing, which involves running active tests against a running version of an application to identify vulnerabilities in server-side HTML, REST APIs, single-page applications, and GraphQL.

The testing process at StackHawk starts with a YAML configuration file where developers describe what components to scan, set up authentication, and customize the scanner settings. Scans are started with a docker run command that launches the hawkscan container image.

StackHawk is the only product that offers active automated testing of GraphQL endpoints. It actively runs tests against GraphQL endpoints to search for potential security vulnerabilities, unlike other tools that may only check for best practices.

StackHawk believes in automation within CI/CD processes, allowing security tests to run every time a pull request is opened. This ensures that no new vulnerabilities are introduced before the build passes and progresses to production.

StackHawk integrates with developer tools such as Slack for alerting and Jira for managing issues, facilitating seamless communication and issue resolution within development teams.

Developers can sign up for a free single user account to test their own applications or opt for a free trial of the team product, which supports multiple users and collaboration, at stackhawk.com.

Ryan Severns
7 min
02 Jul, 2021

Video Summary and Transcription
StackHawk is an application security testing tool that emphasizes automated testing of GraphQL endpoints. It integrates seamlessly into the CI/CD pipeline, ensuring every pull request is tested for vulnerabilities before going into production. The process starts with a YAML configuration file where developers describe what to scan, including server-side HTML, REST APIs, single-page applications, and GraphQL. StackHawk runs on Docker, enabling easy implementation locally and in CI/CD environments. It offers fast application security testing with results available in the terminal and links to the StackHawk app for bug fixing. Developers can manage vulnerabilities through integrations with tools like Slack and Jira. StackHawk provides detailed information for debugging, including request and response data and curl commands. Free single user accounts and team trials are available for developers to try StackHawk.

1. Introduction to StackHawk and GraphQL Testing

Short description:

I'm Ryan Severns, COO of StackHawk, an application security testing tool. We focus on GraphQL and offer active automated testing of GraphQL endpoints to find potential security vulnerabilities. We believe in automation in CI/CD and ensure that every pull request is tested for vulnerabilities before going into production. It all starts with a YAML configuration file where you describe what to scan, including server-side HTML, single page apps, REST APIs, and GraphQL.

Hi there, GraphQL Galaxy. I'm Ryan Severns, one of the founders and COO of StackHawk. I'm here to tell you a little bit about what we do at StackHawk. We are an application security testing tool. We make it easy for developers to find and fix security bugs. And in particular, we have some really cool things around GraphQL. So I'll run you through that.

So like I said, we do application security testing. We do testing of the underlying APIs as well. And part of that is GraphQL. If you're not familiar with application security testing, there are really three main types. One is software composition analysis. So it's looking at the open source components, looking for vulnerabilities there. Another is static code analysis. So it's looking at the code, looking for known error types within whatever language you're using. And what we do here at StackHawk is called dynamic application security testing. So we're running active tests against your application, against a running version of your application. And we test server-side HTML, REST APIs, single-page applications, and we test GraphQL as well. We are the only product that does active automated testing of GraphQL. There's a handful that do some best practices checking, making sure you're doing certain things that are known to be best practices from a security standpoint. We are the only ones who actively run a test against your GraphQL endpoints and look for potential security vulnerabilities.

A big belief for StackHawk is automation in CI/CD. We believe that every time you open a pull request, an application security test should run. Make sure that you're not introducing any new vulnerabilities before it passes the build and goes on to production. Ultimately, we make finding and fixing the security vulnerabilities very simple. Let me tell you a little bit about how it works. It all starts with a YAML configuration file. Like I said, we describe what to scan. We have server-side HTML, single page apps, REST APIs, GraphQL. You describe what to scan.

2. Configuring GraphQL Testing and Bug Fixing

Short description:

You can configure authentication and customize the scanner for GraphQL testing. Running in Docker, it can be implemented anywhere, including locally and in CI/CD. It provides fast AppSec testing with results in the terminal and links to the StackHawk app for bug fixing. StackHawk integrates with developer tools like Slack and Jira, making it easy to manage vulnerabilities and access fix documentation.

If you have authentication for your application, you can configure that here. We also have all kinds of other customization in terms of how the scanner runs. The beauty about GraphQL is that the configuration is really simple. You can see in the image here, you mark GraphQL enabled equals true and point it to the schema path of your introspection endpoint. You can also control certain things around which operations you're testing, the depth of recursion. There's a lot that you can customize there.
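A stackhawk.yml matching the configuration the speaker describes, added here as an illustration rather than taken from the talk slides or from StackHawk's own docs. The key names follow StackHawk's graphqlConf and failureThreshold settings as I know them (check them against the current documentation), and the application id, host and port are placeholders:

```yaml
# stackhawk.yml (illustrative; placeholder ids and hosts)
app:
  # Application id issued by the StackHawk app, supplied via an env var
  applicationId: ${APP_ID}
  # Scan a pre-production environment, as the talk advises, never production
  env: Development
  # The running instance the scanner will send its active tests to
  host: http://localhost:4000
  # Authentication for the app under test would be configured here;
  # omitted because it depends on the application's login flow
  graphqlConf:
    # "GraphQL enabled equals true", exactly as the speaker describes
    enabled: true
    # Path of the introspection endpoint; the scanner reads the schema from it
    schemaPath: /graphql
    # Which operation types to exercise. QUERY keeps the scan from issuing
    # mutations (which write to your database) until you have reviewed the
    # first results; use ALL only in an isolated test environment.
    operation: QUERY
hawk:
  # Fail the scan (and so the CI job) on findings at or above this severity;
  # assumed key name, as I recall it from the StackHawk docs
  failureThreshold: high
```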

Then you kick off a scan with this Docker run Hawk scan command. This GIF will cycle through and show us a preview of it. The beauty of it running in Docker is it can run anywhere. It can run locally on your machine as you're developing. Super easy to implement in CI/CD. You can point it at a production application. I always say use caution because this is running an active security test and trying to find input validation errors among other things. It does try to input data into your database. Which is why we always advise testing this on preproduction, in a CI/CD environment.
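The pull-request gate the speaker describes, as a GitHub Actions workflow I added (it is not StackHawk's own integration, which also ships as a dedicated action). The command that starts the application, the port, and the secret names are assumptions; the docker run invocation is the hawkscan image the talk refers to:

```yaml
# .github/workflows/hawkscan.yml (illustrative)
name: StackHawk scan on pull request
on:
  pull_request:
jobs:
  hawkscan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Start the application under test in the background so the scanner has
      # a running target. Assumed: a Node project that listens on port 4000.
      - name: Start the API
        run: |
          npm ci
          npm start &
          sleep 10
      # The "docker run ... hawkscan" command from the talk. The workspace is
      # mounted at /hawk so the scanner finds stackhawk.yml there. Host
      # networking lets the container reach the app on the runner's localhost,
      # which is what app.host in stackhawk.yml points at.
      # API_KEY and APP_ID come from repository secrets (placeholder names).
      - name: Run HawkScan
        env:
          API_KEY: ${{ secrets.HAWK_API_KEY }}
          APP_ID: ${{ secrets.HAWK_APP_ID }}
        run: |
          docker run --rm \
            -v "$PWD":/hawk:rw \
            -e API_KEY -e APP_ID \
            --network host \
            stackhawk/hawkscan
```

Because the scan only ever targets the service started inside the job, the data the active tests write never reaches a shared or production database, which is the caution the speaker raises.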

It's super fast AppSec testing. You can see results in the terminal. Which is great for CI/CD logs. And it always has a link out to the findings within the StackHawk app. Which I'll show you next. And that helps for where you go when you actually need to fix a bug. So, you jump into the StackHawk app. First thing I say is we are big believers in integrating with developer tools. We integrate with Slack, with Jira. Alerting in Slack, managing your issues in Jira. And you really only land in StackHawk when there's a vulnerability you need to fix. And when you do end up there, we make it really easy to jump in. Figure out the context of what that bug is. We have a description of what the vulnerability is. We have links to fix documentation, so you know how to fix it.
