TY - CHAP
T1 - Wendigo: Deep Reinforcement Learning for Denial-of-Service Query Discovery in GraphQL
AU - McFadden, Shae
AU - Maugeri, Marcello
AU - Hicks, Chris
AU - Mavroudis, Vasilios
AU - Pierazzi, Fabio
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024/5/23
Y1 - 2024/5/23
N2 - GraphQL is a type of web API which enables a unified endpoint for an application’s resources through its own query language, and is widely adopted by companies such as Meta, GitHub, X, and PayPal. The query-based structure of GraphQL is designed to reduce the over-/under-fetching typical of REST web APIs. Consequently, GraphQL allows attackers to perform Denial-of-Service (DoS) attacks through queries inducing higher server loads with fewer requests. However, with the additional complexity introduced by GraphQL, ensuring applications are not vulnerable to DoS is not trivial. We propose WENDIGO, a black-box Deep Reinforcement Learning (DRL) approach only requiring the GraphQL schema to discover DoS exploitable queries against target applications. For example, our approach is able to discover queries which can perform a DoS attack utilizing only two GraphQL requests per hour, as opposed to the high volume of traffic required by traditional DoS attacks. WENDIGO achieves this by building increasingly more complex queries while maximizing response time by using GraphQL features to increase the server load. The effective query discovery offered by WENDIGO, not only enables developers to test for potential DoS risk in their GraphQL applications but also showcases DRL’s value in security problems such as this one.
AB - GraphQL is a type of web API which enables a unified endpoint for an application’s resources through its own query language, and is widely adopted by companies such as Meta, GitHub, X, and PayPal. The query-based structure of GraphQL is designed to reduce the over-/under-fetching typical of REST web APIs. Consequently, GraphQL allows attackers to perform Denial-of-Service (DoS) attacks through queries inducing higher server loads with fewer requests. However, with the additional complexity introduced by GraphQL, ensuring applications are not vulnerable to DoS is not trivial. We propose WENDIGO, a black-box Deep Reinforcement Learning (DRL) approach only requiring the GraphQL schema to discover DoS exploitable queries against target applications. For example, our approach is able to discover queries which can perform a DoS attack utilizing only two GraphQL requests per hour, as opposed to the high volume of traffic required by traditional DoS attacks. WENDIGO achieves this by building increasingly more complex queries while maximizing response time by using GraphQL features to increase the server load. The effective query discovery offered by WENDIGO, not only enables developers to test for potential DoS risk in their GraphQL applications but also showcases DRL’s value in security problems such as this one.
UR - http://www.scopus.com/inward/record.url?scp=85199152449&partnerID=8YFLogxK
U2 - 10.1109/SPW63631.2024.00012
DO - 10.1109/SPW63631.2024.00012
M3 - Conference paper
SN - 979-8-3503-5488-1
T3 - Proceedings - 45th IEEE Symposium on Security and Privacy Workshops, SPW 2024
SP - 68
EP - 75
BT - Proceedings - 45th IEEE Symposium on Security and Privacy Workshops, SPW 2024
PB - IEEE
CY - San Francisco, CA, USA
ER -