Attack Tree Design Based on the Time Metric for GraphQL Exploitation via an Information Disclosure Vulnerability
Abstract
Graph Query Language (GraphQL) is a query language for Application Programming Interfaces (APIs) that defines how clients request data from a server. It was created to simplify data exchange between backend and frontend by giving clients a clear, self-describing view of the data that is available. As GraphQL gains popularity, best practices and tools for testing and protecting GraphQL APIs become increasingly important. Like any technology, GraphQL has weaknesses; one of them is its introspection feature, which can reveal schema information that should not be exposed. This research therefore identifies information disclosure vulnerabilities in a GraphQL API and measures exploitation time in two security modes: before and after hardening. Two methods, each with its own tool, are used: Introspection with InQL and Field Suggestion with Clairvoyance. The exploitation paths and potential attacks are represented as an Attack Tree to give a comprehensive overview. The results show that the most successful and efficient exploitation method for the information disclosure vulnerability before hardening was the Field Suggestion method, with a total time of 7.94 seconds. The most efficient method was the same in both modes: after hardening, Field Suggestion took a total of 8.99 seconds. Based on this comparison, exploitation time serves as the metric for ranking attack paths: the shorter the time required, the sooner an attacker can obtain sensitive information from the GraphQL API.
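The two enumeration paths the abstract compares, as an added example that is not the paper's code and does not use InQL or Clairvoyance themselves. It runs offline against a constructed in-process stand-in for a GraphQL endpoint: the toy schema, the wordlist, the probe grammar and the `Did you mean "x"?` hint format (modeled on graphql-js) are all assumptions. Each method is timed in both security modes so the same time metric can be read off the result.

```python
"""Added example (not from the paper): enumerating a GraphQL Query type via
introspection and via 'Did you mean' field suggestions, before and after
hardening, recording the elapsed time of each run."""
import difflib
import re
import time

# Constructed toy schema standing in for a target such as DVGA (assumption).
SCHEMA = {
    "Query": ["pastes", "users", "systemHealth", "readAndBurn"],
    "Paste": ["id", "title", "content", "ipAddr", "userAgent"],
}

# Wordlist for the suggestion probe (constructed; real runs use a larger list).
WORDLIST = ["paste", "user", "health", "readAndBurned", "login"]

INTROSPECTION_QUERY = "query { __schema { types { name fields { name } } } }"
PROBE = re.compile(r"\s*query\s*\{\s*(\w+)\s*\}")
DID_YOU_MEAN = re.compile(r"Did you mean (.+?)\?")


def mock_server(query, introspection=True, suggestions=True):
    """In-process stand-in for a GraphQL endpoint (constructed, not a real
    engine). It answers the introspection query and single-field probes on
    Query, and imitates the graphql-js 'Did you mean "x"?' hint."""
    if "__schema" in query:
        if not introspection:
            return {"errors": [{"message": "Introspection is disabled"}]}
        types = [{"name": t, "fields": [{"name": f} for f in fs]}
                 for t, fs in SCHEMA.items()]
        return {"data": {"__schema": {"types": types}}}
    m = PROBE.match(query)
    if not m:
        return {"errors": [{"message": "Syntax Error"}]}
    field = m.group(1)
    if field in SCHEMA["Query"]:
        return {"data": {field: None}}
    msg = f'Cannot query field "{field}" on type "Query".'
    if suggestions:
        close = difflib.get_close_matches(field, SCHEMA["Query"], n=3, cutoff=0.5)
        if close:
            msg += " Did you mean " + ", ".join(f'"{c}"' for c in close) + "?"
    return {"errors": [{"message": msg}]}


def enumerate_via_introspection(server):
    """InQL-style: one __schema query returns every field of Query, if allowed."""
    resp = server(INTROSPECTION_QUERY)
    if "errors" in resp:
        return set()
    return {f["name"] for t in resp["data"]["__schema"]["types"]
            if t["name"] == "Query" for f in t["fields"]}


def enumerate_via_suggestions(server, wordlist):
    """Clairvoyance-style: send near-miss field names, harvest the names the
    server suggests, and confirm each one with a direct probe."""
    found = set()
    for word in wordlist:
        resp = server(f"query {{ {word} }}")
        if "data" in resp:
            found.add(word)
            continue
        for err in resp.get("errors", []):
            m = DID_YOU_MEAN.search(err["message"])
            if not m:
                continue
            for name in re.findall(r'"([^"]+)"', m.group(1)):
                if "data" in server(f"query {{ {name} }}"):
                    found.add(name)
    return found


def run_comparison(wordlist=WORDLIST):
    """Run both methods in both security modes and record the fields found
    and the wall-clock seconds taken, mirroring the paper's time metric."""
    modes = {"before_hardening": (True, True), "after_hardening": (False, False)}
    results = {}
    for mode, (intro, sugg) in modes.items():
        def server(q, i=intro, s=sugg):
            return mock_server(q, i, s)
        methods = {
            "introspection": lambda: enumerate_via_introspection(server),
            "field_suggestion": lambda: enumerate_via_suggestions(server, wordlist),
        }
        results[mode] = {}
        for name, method in methods.items():
            t0 = time.perf_counter()
            fields = method()
            results[mode][name] = {"fields": sorted(fields),
                                   "seconds": time.perf_counter() - t0}
    return results


if __name__ == "__main__":
    for mode, per_method in run_comparison().items():
        for name, r in per_method.items():
            print(f"{mode:17s} {name:17s} {len(r['fields'])} fields "
                  f"{r['seconds'] * 1000:.3f} ms {r['fields']}")
```

Before hardening both paths recover the same four Query fields; the suggestion path needs several round trips per wordlist entry, which is where its extra time comes from on a real network. After hardening (introspection and suggestions both disabled) the introspection path gets nothing in one request, while the suggestion path still burns the whole wordlist before coming up empty, so a hardened server should also be rate-limited on repeated invalid-field errors.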

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under an Attribution 4.0 International (CC BY 4.0) that allows others to share — copy and redistribute the material in any medium or format and adapt — remix, transform, and build upon the material for any purpose, even commercially with an acknowledgment of the work's authorship and initial publication in this journal.