Lightweight Yet Mighty: Why Qevlar’s Approach Is Reshaping GraphQL Security

Landon Osteen
3 min read · Jan 10, 2024


Co-Authors:
Joshua Mcdaniel, Conorbell, Johnhyungilnoh

In the dynamic world of web development, GraphQL has emerged as a game-changer for data fetching. The client describes exactly the data it needs, and, unlike a REST endpoint that returns a fixed structure, the server returns only those fields: no more, no less.

This flexibility, however, introduces significant security challenges. Because the client shapes the query, the server has to cope with query shapes it never anticipated: deeply nested or batched queries that multiply resolver work, argument values that flow into database or shell calls, and an introspectable schema that tells an attacker exactly which fields exist. Understanding these risks is the first step in safeguarding your GraphQL implementation, and testing for them is essential rather than merely beneficial.

Introducing Qevlar

Qevlar is an ultra-lightweight security suite tailored for GraphQL. Built with the modern web landscape in mind, it addresses the security challenges that GraphQL's flexibility poses and tests for a wide range of API weaknesses, from common resource-exhaustion attacks to injection.

Qevlar has a 60% smaller library footprint than current alternatives, which makes it a good fit for teams that want efficient, proactive security checks without a heavy dependency tree. Running it regularly helps ensure your GraphQL APIs stay functional while being hardened against the attacks it probes for.

Core Features of Qevlar

Qevlar runs an extensive set of tests from a straightforward command line interface, which sets it apart in the realm of GraphQL security:

  • Rate Limiting & Adaptive Rate Limiting: These tests check whether your API actually throttles a burst of requests instead of accepting everything. The fixed test checks that the API enforces the QUERY_RATE_LIMIT you configure; the adaptive test ramps the request rate up from INITIAL_RATE in steps of INCREMENT per TIME_WINDOW to find where throttling really begins. An API that never throttles is open to brute-force and resource-exhaustion attacks.
  • Fixed Depth & Incremental Depth: Deeply nested queries are a denial-of-service vector: a self-referencing field (the CIRCULAR_REF_FIELD in the config) can be nested indefinitely, and each level multiplies resolver work. The fixed test checks how the API responds to a query nested to QUERY_DEPTH_LIMIT; the incremental test deepens the query step by step to find the depth the API actually tolerates.
  • Field Duplication & Query Batch: These tests check that the API caps repeated fields and batched operations. Aliasing the same field many times in one query, or packing BATCH_SIZE operations into a single HTTP request, lets an attacker multiply server work per request and slip past per-request rate limits; a hardened API rejects or limits both.
  • Malicious Injection: Qevlar probes for SQL, NoSQL, XSS and OS command injection by sending hostile argument values to the fields you configure (the SQL and NO_SQL flags and the SQL_TABLE_NAME and SQL_COLUMN_NAME entries feed these tests). Resolvers that interpolate arguments into database queries or shell commands turn a GraphQL endpoint into a path to data breaches and unauthorized access.
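
The query shapes behind the depth, field-duplication and batch tests, as an added example in plain JavaScript (this is illustrative code written for this article, not Qevlar's own implementation). The field names `user`, `friends` and the `id` argument are assumed for the sake of the example; the config keys mirror the ones in qevlarConfig.json shown further down the page.

```javascript
// Added example (not Qevlar's code): the payload shapes that depth,
// field-duplication and batch tests send to a GraphQL endpoint.
// Keys mirror qevlarConfig.json; the field names are assumed for illustration.
const config = {
  TOP_LEVEL_FIELD: "user",          // assumed root field: user(id: ID)
  ANY_TOP_LEVEL_FIELD_ID: "1",      // assumed: an id that resolves
  CIRCULAR_REF_FIELD: "friends",    // assumed: User.friends returns [User], so it nests forever
  SUB_FIELD: "id",
  BATCH_SIZE: 10,
};

// Root selection with the optional id argument, e.g. `user(id: "1")`.
function rootField(cfg) {
  return cfg.ANY_TOP_LEVEL_FIELD_ID
    ? `${cfg.TOP_LEVEL_FIELD}(id: "${cfg.ANY_TOP_LEVEL_FIELD_ID}")`
    : cfg.TOP_LEVEL_FIELD;
}

// Depth test: nest CIRCULAR_REF_FIELD `depth` times around SUB_FIELD.
// Each level fans out another round of resolver calls, so an API without a
// depth limit can do work that grows exponentially with depth.
function buildDepthQuery(cfg, depth) {
  let selection = cfg.SUB_FIELD;
  for (let i = 0; i < depth; i++) {
    selection = `${cfg.CIRCULAR_REF_FIELD} { ${selection} }`;
  }
  return `query { ${rootField(cfg)} { ${selection} } }`;
}

// Field-duplication test: ask for the same field `copies` times. Aliases are
// needed because servers merge identical repeated fields into one; writing
// `f0: id f1: id ...` forces a separate resolver invocation per alias.
function buildDuplicationQuery(cfg, copies) {
  const aliased = Array.from({ length: copies }, (_, i) => `f${i}: ${cfg.SUB_FIELD}`);
  return `query { ${rootField(cfg)} { ${aliased.join(" ")} } }`;
}

// Batch test: BATCH_SIZE operations in one HTTP body. A per-request rate
// limit counts this as a single request even though it carries many queries.
function buildBatchBody(cfg, query) {
  return JSON.stringify(Array.from({ length: cfg.BATCH_SIZE }, () => ({ query })));
}

// Maximum brace nesting of a query: what a server-side depth limiter measures.
function maxNesting(query) {
  let depth = 0, max = 0;
  for (const ch of query) {
    if (ch === "{") max = Math.max(max, ++depth);
    else if (ch === "}") depth--;
  }
  return max;
}

console.log(buildDepthQuery(config, 3));
console.log(buildDuplicationQuery(config, 3));
console.log(buildBatchBody(config, "query { __typename }").length, "bytes");
```

Note that `maxNesting` counts the `query { ... }` wrapper and the root field, so a query built with `depth` levels of `friends` nests `depth + 2` braces deep; a server that limits "depth" may count from the root field instead, which is exactly the kind of off-by-one the incremental depth test is meant to surface.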

How Does Qevlar Work?

Qevlar's CLI was designed to demystify security testing and make it accessible to developers of all skill levels. Setup is flexible and straightforward: you can configure the environment by hand or let the built-in script generate the configuration file for you, then adjust it to the specifics of your GraphQL API.

After installing the qevlar npm package and running it, you can customize the qevlarConfig.json file by hand to match your API. It is initialized as:

{
  "ANY_TOP_LEVEL_FIELD_ID": "",
  "API_URL": "",
  "BATCH_SIZE": 10,
  "CIRCULAR_REF_FIELD": "",
  "INCREMENT": 10,
  "INITIAL_RATE": 10,
  "NO_SQL": false,
  "QUERY_DEPTH_LIMIT": 5,
  "QUERY_RATE_LIMIT": 100,
  "SQL": false,
  "SQL_COLUMN_NAME": "",
  "SQL_TABLE_NAME": "",
  "SUB_FIELD": "id",
  "TIME_WINDOW": 1000,
  "TOP_LEVEL_FIELD": ""
}

To generate qevlarConfig.json automatically, select 0 in the CLI and enter your API's URL when prompted. Qevlar introspects the GraphQL API, collects field names, and updates qevlarConfig.json. Introspection has to be enabled on the target for this to work; if it is disabled, which is a common hardening step in production, fill in the field names by hand.

Then select the test you want to run; results are displayed in the CLI.
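
The rate-limiting tests are the ones most worth understanding, because a probe that sends a single burst can miss the limit entirely. The following added example (written for this article, not Qevlar's code) shows one way a fixed and an adaptive probe can be driven from the INITIAL_RATE, INCREMENT, TIME_WINDOW and QUERY_RATE_LIMIT values above. The target is a constructed stand-in for a server with a fixed-window limiter so the example runs offline; in practice `send` would be a real HTTP call. How Qevlar itself implements these tests is not shown on this page, so the algorithm here is an assumption.

```javascript
// Added example (not Qevlar's code): fixed and adaptive rate-limit probes
// driven by the rate keys from qevlarConfig.json. Uses a simulated clock
// and a constructed mock server so it runs offline and deterministically.
const rateConfig = {
  INITIAL_RATE: 10,      // requests per window in the first adaptive round
  INCREMENT: 10,         // added to the rate after each unthrottled round
  TIME_WINDOW: 1000,     // window length in ms
  QUERY_RATE_LIMIT: 100, // the limit you expect the API to enforce
};

// Constructed stand-in for a GraphQL server with a fixed-window rate limiter:
// returns 200 until `limitPerWindow` requests have arrived in the current
// window, then 429. Pass Infinity to simulate an API with no limit at all.
function makeMockServer(limitPerWindow, windowMs) {
  let windowStart = 0, count = 0;
  return function send(nowMs) {
    if (nowMs - windowStart >= windowMs) { windowStart = nowMs; count = 0; }
    count += 1;
    return count > limitPerWindow ? 429 : 200;
  };
}

// Fire `rate` requests evenly spaced across one TIME_WINDOW starting at
// startMs; return how many were rejected with 429.
function burst(cfg, send, rate, startMs) {
  const spacing = cfg.TIME_WINDOW / rate;
  let rejected = 0;
  for (let i = 0; i < rate; i++) {
    if (send(startMs + i * spacing) === 429) rejected += 1;
  }
  return rejected;
}

// Fixed test: one burst just above QUERY_RATE_LIMIT. A compliant API must
// reject the excess; accepting all of it means the limit is not enforced.
function fixedRateTest(cfg, send) {
  const rate = cfg.QUERY_RATE_LIMIT + 1;
  const rejected = burst(cfg, send, rate, 0);
  return { rate, rejected, passed: rejected > 0 };
}

// Adaptive test: start at INITIAL_RATE and raise by INCREMENT each window
// until the API throttles (report where) or the rate has passed
// QUERY_RATE_LIMIT with no rejection at all (the API is effectively unlimited).
function adaptiveRateTest(cfg, send) {
  let now = 0;
  for (let rate = cfg.INITIAL_RATE; ; rate += cfg.INCREMENT) {
    const rejected = burst(cfg, send, rate, now);
    now += cfg.TIME_WINDOW;
    if (rejected > 0) return { throttledAtRate: rate, rejected, passed: true };
    if (rate > cfg.QUERY_RATE_LIMIT) return { throttledAtRate: null, rejected: 0, passed: false };
  }
}

// Constructed scenarios: a server that throttles at 50 per window, one with no limit.
console.log(adaptiveRateTest(rateConfig, makeMockServer(50, 1000)));
console.log(adaptiveRateTest(rateConfig, makeMockServer(Infinity, 1000)));
console.log(fixedRateTest(rateConfig, makeMockServer(100, 1000)));
```

The adaptive probe reports the first rate at which any request was rejected, which is the limit the API really enforces as opposed to the one you believe is configured; when the two disagree (for example, a limiter that is only applied on one replica behind a load balancer), that gap is the finding.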

Technical Highlights

Qevlar's dependency-free architecture is a significant achievement. The team committed to vanilla JavaScript, free of any frameworks, to keep the library as lightweight and nimble as possible. Qevlar also validates the configuration in plain JavaScript before running any test, so a mistyped value in qevlarConfig.json (a number entered as a string, a field left empty) is caught up front rather than producing misleading results. That gives the robustness of type checking without a build step or extra tooling, which keeps Qevlar easy to integrate into existing workflows.
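
As an added illustration of that pre-flight check (example code written for this article, not Qevlar's validator; the exact rules it applies are assumed), here is a validator for the qevlarConfig.json shape shown above. It checks each key's type, that numeric settings are positive, that the fields every test needs are filled in, and flags misspelled keys, which is the failure mode a typo in a hand-edited JSON file most often produces.

```javascript
// Added example (not Qevlar's validator): a pre-flight type check of
// qevlarConfig.json in plain JavaScript. The required-field and cross-field
// rules are assumptions about what the tests need, not Qevlar's documented rules.
const SCHEMA = {
  ANY_TOP_LEVEL_FIELD_ID: "string",
  API_URL: "string",
  BATCH_SIZE: "number",
  CIRCULAR_REF_FIELD: "string",
  INCREMENT: "number",
  INITIAL_RATE: "number",
  NO_SQL: "boolean",
  QUERY_DEPTH_LIMIT: "number",
  QUERY_RATE_LIMIT: "number",
  SQL: "boolean",
  SQL_COLUMN_NAME: "string",
  SQL_TABLE_NAME: "string",
  SUB_FIELD: "string",
  TIME_WINDOW: "number",
  TOP_LEVEL_FIELD: "string",
};

// Assumed: no test can run without a target URL and a root field to query.
const REQUIRED_NON_EMPTY = ["API_URL", "TOP_LEVEL_FIELD", "SUB_FIELD"];

// Returns a list of human-readable errors; an empty list means the config is usable.
function validateConfig(cfg) {
  const errors = [];
  for (const [key, expected] of Object.entries(SCHEMA)) {
    if (!(key in cfg)) { errors.push(`${key}: missing`); continue; }
    const value = cfg[key];
    if (typeof value !== expected) {
      errors.push(`${key}: expected ${expected}, got ${typeof value}`);
      continue;
    }
    if (expected === "number" && !(Number.isFinite(value) && value > 0)) {
      errors.push(`${key}: must be a positive finite number`);
    }
    if (REQUIRED_NON_EMPTY.includes(key) && value.trim() === "") {
      errors.push(`${key}: must not be empty`);
    }
  }
  // A misspelled key in a hand-edited file shows up both as the real key
  // "missing" and as an unknown key; the second message points at the typo.
  for (const key of Object.keys(cfg)) {
    if (!(key in SCHEMA)) errors.push(`${key}: unknown key (typo?)`);
  }
  // Cross-field rules (assumed): the SQL injection test needs a table and column
  // to target, and the URL must be absolute so requests go where you intend.
  if (cfg.SQL === true && (!cfg.SQL_TABLE_NAME || !cfg.SQL_COLUMN_NAME)) {
    errors.push("SQL: SQL_TABLE_NAME and SQL_COLUMN_NAME are required when SQL is true");
  }
  if (typeof cfg.API_URL === "string" && cfg.API_URL !== "" && !/^https?:\/\//i.test(cfg.API_URL)) {
    errors.push("API_URL: must start with http:// or https://");
  }
  return errors;
}

// Constructed sample: the defaults from the article with the target filled in.
const sampleConfig = {
  ANY_TOP_LEVEL_FIELD_ID: "",
  API_URL: "http://localhost:4000/graphql",
  BATCH_SIZE: 10,
  CIRCULAR_REF_FIELD: "friends",
  INCREMENT: 10,
  INITIAL_RATE: 10,
  NO_SQL: false,
  QUERY_DEPTH_LIMIT: 5,
  QUERY_RATE_LIMIT: 100,
  SQL: false,
  SQL_COLUMN_NAME: "",
  SQL_TABLE_NAME: "",
  SUB_FIELD: "id",
  TIME_WINDOW: 1000,
  TOP_LEVEL_FIELD: "user",
};

console.log(validateConfig(sampleConfig)); // []
console.log(validateConfig({ ...sampleConfig, BATCH_SIZE: "10", API_URL: "" }));
```

Running the check before the first request matters for a security tool in particular: a rate test fed `"10"` instead of `10` or a depth test with an empty CIRCULAR_REF_FIELD would not crash so much as quietly test the wrong thing and report a pass.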

Conclusion

In today’s digital landscape where data breaches and security threats are increasingly common, securing your GraphQL API is not just a good practice; it’s imperative. Qevlar offers a comprehensive, user-friendly, and efficient solution to the unique security challenges posed by GraphQL.

We encourage developers, security experts, and organizations to integrate Qevlar into their development and security protocols to ensure their GraphQL APIs are secure, reliable, and robust.

Additional Resources

For a deeper exploration of Qevlar and its capabilities, visit our GitHub repository or our website, where you'll find detailed documentation, installation guides, and further information about Qevlar and its use cases.

Whether you’re looking to integrate Qevlar into your existing setup or exploring it for a new project, these resources provide valuable insights and guidance to help you secure your GraphQL APIs with confidence.
