Tag: Brice Jager

  • Raxis in the Classroom: Giving Back by Looking Forward

    “Brice noted the different ways that students could get into cybersecurity and pointed out that students need to put in work to qualify for jobs and explained the certification process and how to determine which certifications are valuable to possible employers.”

    Georgia’s Putnam County School District takes cybersecurity seriously — not only as an administrative safeguard, but also as an important new skillset to teach the next generation. Regardless of their ultimate career choices, today’s students will be tomorrow’s workforce and cybersecurity will be a critical component of every job.

    It was in that context that Ed Ozols, a computer science and cybersecurity teacher at Putnam County High School invited Raxis lead penetration tester Brice Jager to speak to his students about the role of pentesting and how it keeps networks safe.

    Some Words from Ed:

    Brice was a great help to my cybersecurity class. This is the first time that Putnam County High School has offered cybersecurity and we will be providing the full pathway that ends with a certification exam to our students. We are one of the few districts in Georgia that offers the full pathway. Brice spoke with students who are taking their first cyber class. He was able to outline what life was like for a cybersecurity specialist (in his case, as a pen tester).

    Brice noted the different ways that students could get into cybersecurity and pointed out that students need to put in work to qualify for jobs and explained the certification process and how to determine which certifications are valuable to possible employers.

    The students had numerous questions that Brice answered for us, and his explanations were understandable to my students who have just begun to get their toes wet in cybersecurity and do not have a depth of cybersecurity knowledge.

    They were glad to hear from him. One student, who is normally shy, came up to me and talked with me about a future in cybersecurity. I have other students who plan on pursuing a career in cyber and this helped cement those plans.

    I am helping develop the future of cybersecurity and Brice was an important part of this development in the students that he was talking to. My students and I thank you for connecting us with Brice. It is two weeks after his discussion and my students are still relating things that he said with the concepts I am teaching in my class (as in “Brice said…”).

    Ed Ozols' Cybersecurity class at Georgia’s Putnam County School District

    Georgia’s Putnam County School District takes cybersecurity seriously — not only as an administrative safeguard, but also as an important new skillset to teach the next generation. Regardless of their ultimate career choices, today’s students will be tomorrow’s workforce and cybersecurity will be a critical component of every job.

    According to Brice, the experience was very rewarding for him as well.

    “I’ve been an instructor in some of my previous jobs, so it feels natural to ease back into that role,” he said. “What made this experience unique is that I had an opportunity to introduce young people to the field of penetration testing and, I hope, sparked a deeper interest in cybersecurity among them. It’s rewarding to think that one or more of those students could decide on a career in cybersecurity because of this introduction.”

  • Exploiting GraphQL

    GraphQL is a query language inspired by the structure and functionality of online data storage and collaboration platforms Meta, Instagram, and Google Sheets. This post will show you how to take advantage of one of its soft spots.

    Development

    Facebook developed GraphQL in 2012 and then it became open source in 2015. It’s designed to let application query data and functionality be stored in a database or API without having to know the internal structure or functionality. It makes use of the structural information exchanged between the source and the engine to perform query optimization, such as removing redundancy and including only the information that is relevant to the current operation.

    To use GraphQL, since it is a query language (meaning you have to know how to code with it), many opt to use a platform to do the hard work. Companies like the New York Times, PayPal, and even Netflix have dipped into the GraphQL playing field by using Apollo.

    Apollo

    Apollo Server is an open-source, spec-compliant tool that’s compatible with any GraphQL client. It builds a production-ready, self-documenting GraphQL API that can use data from any source.

    Apollo GraphQL has three primary tools and is well documented.

    • Client: A client-side library that helps you digest a GraphQL API along with caching the data that’s received.
    • Server: A library that connects your GraphQL Schema to a server. Its job is to communicate with the backend to send back responses based off the request of the client.
    • Engine: Tracks errors, gathers stats, and performs other monitoring tasks between the Apollo client and the Apollo server.

    (We now understand that GraphQL is query language and Apollo is spec-compliant GraphQL server.)

    A pentester’s perspective

    What could be better than fresh, new, and developing technology? Apollo seems to be the king of the hill, but the issue here is the development of Apollo’s environment is dynamic and fast. Its popularity is growing along with GraphQL, and there seems to be no real competition on the horizon, so it’s not surprising to see more and more implementations. The most difficult part for developers is having proper access controls for each request and implementing a resolver that can integrate with the access controls. Another key point is the constant new build releases with new bugs.

    Introspection

    Batch attacks, SQLi, and debugging operations that disclose information are known vulnerabilities when implementing GraphQL. This post will focus on Introspection.

    Introspection enables you to query a GraphQL server for information about the schema it uses. We are talking fields, queries, types, and so on. Introspection  is mainly for discovery and as a diagnostic tool during the development phase. In a production system you usually don’t want just anyone knowing how to run queries against sensitive data. When they do, they can take advantage of this power. For example, the following field contains interesting information that can be queried by anyone on a GraphQL API in a production system with introspection enabled:

    Information that can be gathered when querying a GraphQL API
    Let’s try it

    One can obtain this level of information in a few ways. One way is to use Burp Suite and the GraphQL Raider plugin. This plugin allows you to isolate the query statement and experiment on the queries. For example, intercepting a post request for “/graphql”, you may see a query in the body, as shown below:

    Burp intercept of webpage communication showing the query that is being sent to the server, which indicates that GraphQL is in use

    Using Burp Repeater with GraphQL we can change the query located in the body and execute an Introspection query for ‘name’ and see the response.

    Knowing GraphQL is in use, we use Burp Extension GraphQL Raider to focus just on queries. Here we are requesting field names in this standard GraphQL request, but this can be changed to a number of combinations for more results once a baseline is confirmed.

    Knowing GraphQL is in use, we use Burp Extension GraphQL Raider to focus just on queries. Here we are requesting field names in this standard GraphQL request, but this can be changed to a number of combinations for more results once a baseline is confirmed.

    This request is checking the ‘schema’ for all ‘types’ by ‘name’ . This is the response to that query on the right.

    This request is checking the ‘schema’ for all ‘types’ by ‘name’ . This is the response to that query on the right.

    Looking further into the response received, we see a response “name”: “allUsers”. Essentially what is happening is we are asking the server to please provide information that has “name” in it. The response gave a large result, and we spot “allUsers”. If we queried that specific field, it would likely provide all the users.

    Looking further into the response received, we see a response “name”: “allUsers”. Essentially what is happening is we are asking the server to please provide information that has “name” in it. The response gave a large result, and we spot “allUsers”. If we queried that specific field, it would likely provide all the users.

    The alternative would be to use CURL. You can perform the same actions simply by placing the information in a curl statement. So the same request as above translated over for Curl would be similar to:

    Curl statement requesting a POST with an application header for a specific URL with data request using the GraphQl query. Specifically, this query is communicating with the schema types and getting field names.

    You could opt to do this in the browser address bar as well, but that can be temperamental at times. So you can see how easy it is to start unraveling the treasure trove of information all without any authentication.

    Even more concerning are the descriptive errors the system provides that can help a malicious attacker succeed. Here we use different curl statement to the server. This is the same request except that the query is for “system.”

    This is the same request except that the query is for “system.”

    When the request cannot be fulfilled, the server tries its best to recommend a legitimate field request. This allows the malicious attacker to formulate and build statements one error at a time if needed:

    This is a verbose response received from GraphQL that actually recommends an appropriate query if yours isn’t correct.

    Pentest ToolBox

    Ethical hackers would be wise to add this full request to their toolbox as it should provide a full request that provides a long list of objects, fields, mutations, descriptions, and more:

    {__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}

    Ethical hackers, may want to add these to their directory brute force attacks as well:

    • /graphql
    • /graphiql
    • /graphql.php
    • /graphql/console
    Conclusion

    Having GraphQL introspection in production might expose sensitive information and expand the attack surface. Best practice recommends disabling introspection in production unless there is a specific use case. Even in this case, consider allowing introspection only for authorized requests, and use a defensive in-depth approach.

    You can turn off introspection in production by setting the value of the introspection config key on your Apollo Server instance.

    This is the proper configuration in a production system to turn off Introspection on a new Apollo server.

    Although this post only addresses Introspection, GraphQL/Apollo is still known to be vulnerable to the attacks I mentioned at the beginning – batch attacks, SQLi, and debugging operations that disclose information – and we will address those in subsequent posts. However, the easiest and most common attack vector is Introspection. Fortunately, it comes with an equally simple remedy: Turn it off.

     

  • Meet the Team: Brice Jager, Lead Penetration Tester

    I’m Brice Jager, a lead penetration tester for Raxis — and the only one currently living in Iowa. My career path has taken me on a long journey from health care, to health care technology, and now to penetration testing. I’ve enjoyed all of it, but I now feel like I’m where I was meant to be.

    Jim: Brice, in our discussions, it seems you’ve had two loves in your career: health and technology. I have to ask, which was the first to catch your eye, so to speak?

    Brice: I guess I’d have to say technology because we were introduced to Apple computers in 3rd grade, and I was absolutely fascinated by them. I became serious about health at 12.

    Jim: Yep, Steve Jobs believed in hooking his customers early. Was it just the interaction with technology, or did you actually realize you had an affinity for computers and how they worked?

    Brice: Other kids were “interested.” I was obsessed with understanding them and learning what all they could do. If you had asked me back then, I would have probably said I was playing with the computers. In retrospect, I was really learning the fundamentals of programming. I even developed my own checkers game. At that point, we didn’t have widely available internet, so I had to learn from books — and a lot of trial and error.

    Jim: Did your interest fade after that or did you continue to “play” with computers?

    Brice: Ha! No, my interest only got more intense as I got older. By the ‘90s, I was into war-driving (riding around searching for vulnerable wireless networks) and basically looking for mischief wherever I could find it. Most people I knew were content with just using technology. I was still that kid who wanted the challenge of getting inside and finding out what made it all work.

    Jim: You were a hacker even then.

    Brice: I guess so. And remember, in those days, a lot of software and websites weren’t locked down as well as they are now. It was easier to see how everything was put together. I was able to give myself a terrific education.

    Jim: So, what changed your focus to health care?

    Brice: It didn’t change as much as it expanded. I always had a parallel interest in anatomy and physiology and overall health. In fact, it’s the same interest, only directed toward the body and not a computer. The fundamental questions I wanted to answer are the same as well: How does it work? What causes it not to work well? How can I make it work better?

    Jim: Out of high school, you went with health care. What led you to that decision?

    Brice: I found it easy because I had a pretty deep understanding of anatomy, and it was good to see people getting the results they always wanted. Over time, I became a neuromuscular specialist and helped people avoid surgery or avoid dependence on medications. In a nutshell, tricking the brain into healing itself.

    Jim: You were hacking human brains?

    Brice: Ha! Yeah, you hear that term a lot nowadays, but we were doing it literally and getting results. But there really wasn’t a career path beyond where I was without dancing on the line of burnout, and you quickly realize not all health care has the same goal in mind so it can become frustrating.

    Jim: You did go into sports medicine, though.

    Brice: Yes. In fact, I even became a kinesiology (body mechanics) teacher from 2004 until 2010. I enjoyed it and I still dabble in it some, but I was ready for a change. What I found was a job with a software company out of Finland. They needed someone who understood their product and who could teach it to others, and oddly it was still in the health-related arena. The jump to technology sparked interest and was refreshing.

    Jim: Right up your alley on both counts.

    “Spending time with my family is what I enjoy most. My wife is a professional photographer and we have a four-year-old son. We work and work out, but we manage to work in a lot of time for our family.” — Brice Jager

    Brice: Yeah, and the great part is that it gave me a way to move into IT. I was dealing with the company team that built the software at the same time I was interacting with the customer. That helped me understand the struggles on both sides and led to my next job at the helpdesk of a hospital. Eventually, I became a systems administrator, but I was really a jack of all trades. I was doing everything from installing software to repairing IoT devices. What I didn’t do was a lot of cybersecurity.

    Jim: There was a cybersecurity incident at that time, right?

    Brice: That’s right. My first experience in the wild from the perspective of a victim as it happened. It took a lot of work to recover but it was accomplished in 48 hours.

    Jim: That left an impression, I guess.

    Brice: It sure did. I started pentesting on my own and really got excited about ethical hacking as a profession. Within a year, I had my CISSP, OSCP, OSWP, PNPT and KLCP (professional cybersecurity certifications).

    Jim: Wow! I understand that each of those requires a lot of time and energy.

    Brice: You bet, but it helps if you’re passionate about the field. It’s a LOT of sacrificing to accomplish the certifications between work, family, and life.

    Jim: How did you find your way to Raxis?

    Brice: Oddly enough, I was doing some research on another company that I was considering. I reached out to Bonnie and she and Mark talked with me at length. Based on how easy they were to speak with, I knew it would be a great place to work. You just know good people when you talk to them.

    Jim: What’s your favorite part?

    Brice: My favorite part of this job is that pentesting is my job! And pentesting is, by far, the favorite job I’ve had so far. I love working with the best in the business here. It’s easy to ask questions, and it’s easy to weigh in when you’ve got an answer.

    Plus we get to break in to stuff . . . without getting in trouble.