GraphQLer: Enhancing GraphQL Security with Context-Aware API Testing
- URL: http://arxiv.org/abs/2504.13358v1
- Date: Thu, 17 Apr 2025 21:58:15 GMT
- Title: GraphQLer: Enhancing GraphQL Security with Context-Aware API Testing
- Authors: Omar Tsai, Jianing Li, Tsz Tung Cheung, Lejing Huang, Hao Zhu, Jianrui Xiao, Iman Sharafaldin, Mohammad A. Tayebi
- Abstract summary: GraphQL is an open-source query and manipulation language for web applications, offering a flexible alternative to RESTful APIs. Its dynamic execution model and lack of built-in security mechanisms expose it to vulnerabilities such as unauthorized data access, denial-of-service (DoS) attacks, and injections. Existing testing tools focus on functional correctness, overlooking security risks stemming from query interdependencies and execution context. This paper presents GraphQLer, the first context-aware security testing framework for GraphQL APIs.
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: GraphQL is an open-source data query and manipulation language for web applications, offering a flexible alternative to RESTful APIs. However, its dynamic execution model and lack of built-in security mechanisms expose it to vulnerabilities such as unauthorized data access, denial-of-service (DoS) attacks, and injections. Existing testing tools focus on functional correctness, often overlooking security risks stemming from query interdependencies and execution context. This paper presents GraphQLer, the first context-aware security testing framework for GraphQL APIs. GraphQLer constructs a dependency graph to analyze relationships among mutations, queries, and objects, capturing critical interdependencies. It chains related queries and mutations to reveal authentication and authorization flaws, access control bypasses, and resource misuse. Additionally, GraphQLer tracks internal resource usage to uncover data leakage, privilege escalation, and replay attack vectors. We assess GraphQLer on various GraphQL APIs, demonstrating improved testing coverage - averaging a 35% increase, with up to 84% in some cases - compared to top-performing baselines. Remarkably, this is achieved in less time, making GraphQLer suitable for time-sensitive contexts. GraphQLer also successfully detects a known CVE and potential vulnerabilities in large-scale production APIs. These results underline GraphQLer's utility in proactively securing GraphQL APIs through automated, context-aware vulnerability detection.
Related papers
- Unleashing the Power of LLMs in Dense Retrieval with Query Likelihood Modeling [69.84963245729826]
Large language models (LLMs) have shown compelling semantic understanding capabilities.
Dense retrieval is a crucial task in Information Retrieval (IR) and is the foundation for downstream tasks such as re-ranking.
We introduce an auxiliary task of QL estimation to yield a better backbone for contrastive learning of a discriminative retriever.
arXiv Detail & Related papers (2025-04-07T16:03:59Z)
- Taint Analysis for Graph APIs Focusing on Broken Access Control [42.28549294272344]
We present a first systematic approach to static and dynamic taint analysis for Graph APIs focusing on broken access control.
We taint nodes in the Graph API if they represent data requiring specific privileges in order to be retrieved or manipulated.
We then analyze whether tainted information flow between API source and sink calls occurs.
arXiv Detail & Related papers (2025-01-15T16:49:32Z)
- NAT-NL2GQL: A Novel Multi-Agent Framework for Translating Natural Language to Graph Query Language [13.661054027428868]
We propose NAT-NL2GQL, a novel framework for translating natural language to graph query language.
Our framework consists of three synergistic agents: the Preprocessor agent, the Generator agent, and the Refiner agent.
Given the scarcity of high-quality open-source NL2GQL datasets based on nGQL syntax, we developed StockGQL, a dataset constructed from a financial market graph database.
arXiv Detail & Related papers (2024-12-11T04:14:09Z)
- Can Large Language Models Analyze Graphs like Professionals? A Benchmark, Datasets and Models [88.4320775961431]
We introduce ProGraph, a benchmark for large language models (LLMs) to process graphs.
Our findings reveal that the performance of current LLMs is unsatisfactory, with the best model achieving only 36% accuracy.
We propose LLM4Graph datasets, which include crawled documents and auto-generated code based on 6 widely used graph libraries.
arXiv Detail & Related papers (2024-09-29T11:38:45Z)
- GraphQL Adoption and Challenges: Community-Driven Insights from StackOverflow Discussions [1.3999481573773076]
GraphQL is a query language and web application programming interface (API) for client-server architecture.
Our results indicate that Client and Server are the top two architectural layers attracting discussion on SO.
arXiv Detail & Related papers (2024-08-15T18:08:13Z)
- G-Retriever: Retrieval-Augmented Generation for Textual Graph Understanding and Question Answering [61.93058781222079]
We develop a flexible question-answering framework targeting real-world textual graphs.
We introduce the first retrieval-augmented generation (RAG) approach for general textual graphs.
G-Retriever performs RAG over a graph by formulating this task as a Prize-Collecting Steiner Tree optimization problem.
arXiv Detail & Related papers (2024-02-12T13:13:04Z)
- TorchQL: A Programming Framework for Integrity Constraints in Machine Learning [20.960438848942445]
We present TorchQL, a programming framework to evaluate and improve the correctness of machine learning applications.
TorchQL allows users to write queries to specify and check integrity constraints over machine learning models and datasets.
We evaluate TorchQL on diverse use-cases, including finding critical temporal inconsistencies in objects detected across video frames in autonomous driving.
arXiv Detail & Related papers (2023-08-13T05:22:49Z)
- Neural Graph Reasoning: Complex Logical Query Answering Meets Graph Databases [63.96793270418793]
Complex logical query answering (CLQA) is a recently emerged task of graph machine learning.
We introduce the concept of Neural Graph Databases (NGDBs).
An NGDB consists of a Neural Graph Storage and a Neural Graph Engine.
arXiv Detail & Related papers (2023-03-26T04:03:37Z)
- Graph Enhanced BERT for Query Understanding [55.90334539898102]
Query understanding plays a key role in exploring users' search intents and facilitating users to locate their most desired information.
In recent years, pre-trained language models (PLMs) have advanced various natural language processing tasks.
We propose a novel graph-enhanced pre-training framework, GE-BERT, which can leverage both query content and the query graph.
arXiv Detail & Related papers (2022-04-03T16:50:30Z)
- Learning GraphQL Query Costs (Extended Version) [7.899264246319001]
We propose a machine-learning approach to efficiently and accurately estimate the query cost.
Our framework is efficient and predicts query costs with high accuracy, consistently outperforming the static analysis by a large margin.
arXiv Detail & Related papers (2021-08-25T09:18:31Z)