Add GraphQL support to On Demand API Scans
Problem
DAST API has recently added support for GraphQL Schemas and the ability to pull the schema from an API endpoint. On Demand API Scans should also have support for GraphQL when using DAST API as the scanner backend. While DAST API supports both directly querying the GraphQL endpoint, as well as providing a schema as a file or URL, only the direct querying of the GraphQL endpoint will be added.
In addition to adding support for GraphQL to On Demand API Scans, the documentation should also provide instructions on how to allow list our scanner through the use of a header provided via the Request Headers field in the site profile. Many GraphQL frameworks are starting to disable introspection queries by default, which will cause the scan to fail. However, it is also straightforward for most frameworks to allow the introspection query if a user-defined header is included in the request.
Proposal
- Change Edit site profile screen
  - Add GraphQL to Scan Method drop down options
  - When GraphQL is selected as Scan Method:
    - Text box: GraphQL endpoint path
      - Ghost example text: /graphql
    - Add callout: The GraphQL endpoint must support introspection queries. Introspection queries allow asking the GraphQL endpoint for the API schema. See the documentation (link?) for information about allow listing scans if your framework has them disabled by default.
    - Must allow introspection queries to request the API schema. How do I enable introspection?
      - Produce the documentation we'll link to from this message. (Complete)
- When GraphQL is selected: GraphQL endpoint path maps to the DAST_API_GRAPHQL variable
- Documentation around allow listing introspection queries
  - Example header: X-GitLab-Introspection: GUID or UUID
  - Value is a random GUID or UUID. Such values have enough entropy to make them very hard to guess. They are also easy to generate using online generator sites.
  - Question: Should we document how to do this for common frameworks?
    - In a discussion thread it was agreed that users should reference their GraphQL framework's documentation. Providing documentation of 3rd-party products is prone to becoming out of date.
  - Example header: