Go to Source
Author: Anas Essop
GraphQL (GQL) is a data query language commonly used in modern web and mobile applications as a key part of the technology stack. GQL simplifies fetching data from a server to a client via an API call. This article recaps some thoughts from a post by carvesystems.com, covering the five most common GraphQL vulnerabilities, how to use a GQL “goat” to exemplify the vulnerabilities, and some tooling to evaluate GQL implementations.
Understanding a little more about what GQL is will help clarify the concepts in this article. CarveSystems contributor Aiden elaborates:
“GraphQL is a standardized language for describing and making queries to APIs. Originally built by Facebook in 2015 for use in their mobile applications, GraphQL provides a number of benefits to application developers when compared to a traditional REST API.”
Vulnerability 1: Inconsistent Authorization Checks
The most commonly found issue in GraphQL-based applications is flawed authorization logic. Carve elaborates, “While GraphQL helps implement proper data validation, API developers are left on their own to implement authentication and authorization methods on top. Worse, the “layers” of resolvers typical to a GraphQL API make doing this properly more complicated – authorization checks have to be present not only at the query-level resolvers, but also for resolvers that load additional data (for example, to load all of the posts for a given user).”
GQL API flaws usually come in one of two forms. Carve explains, “The first, and more common, occurs when authorization functionality is handled directly by resolvers at the GraphQL API layer. When this is done, authorization checks must be performed separately in each location, and any instance where this is forgotten could lead to an exploitable authorization flaw. The likelihood of this occurring increases as the complexity of the API schema increases, and there are more distinct resolvers responsible for controlling access to the same data.”
The demo API created by Carve demonstrates several ways to retrieve Post objects: a client can list users and then retrieve all of their public posts, or simply retrieve a post by its numeric ID. One vulnerability in the demo API is that retrieving a post by ID performs no authorization check at all. Flaws of this kind are simple and commonly found in real-world GQL deployments.
GraphQL design guides advise how to securely perform authorization: the logic should be applied by the business-logic layer, thereby smoothing the way for consistently applied authorization constraints.
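The two layouts described above, as an added example (not code from Carve's demo API): a resolver-level layout where one resolver forgets its check, beside a layout where a single business-logic function decides post visibility and every resolver, including the nested "posts for a user" one, goes through it. The users and posts are constructed sample data and no GraphQL library is needed to show the pattern.

```javascript
// Constructed sample data: alice has one public post and one private draft.
const users = [{ id: 1, name: "alice" }, { id: 2, name: "bob" }];
const posts = [
  { id: 10, authorId: 1, public: true,  body: "hello" },
  { id: 11, authorId: 1, public: false, body: "alice's draft" },
];

// Vulnerable layout: each resolver performs its own authorization check.
// The nested "posts of a user" resolver remembers to filter; the "post by id"
// resolver does not, so the same private post leaks through the second path.
const vulnerableResolvers = {
  userPosts: (viewer, userId) =>
    posts.filter(p => p.authorId === userId && (p.public || viewer.id === userId)),
  post: (viewer, id) => posts.find(p => p.id === id) || null, // no check at all
};

// Hardened layout: visibility is decided once, in the business-logic layer.
// Resolvers never touch the data store directly, so a new resolver that
// reaches the same Post objects cannot bypass the rule.
function canView(viewer, post) {
  return post.public || (viewer !== null && viewer.id === post.authorId);
}
const postService = {
  byId: (viewer, id) => {
    const p = posts.find(p => p.id === id);
    return p && canView(viewer, p) ? p : null;
  },
  byAuthor: (viewer, userId) =>
    posts.filter(p => p.authorId === userId && canView(viewer, p)),
};
const hardenedResolvers = {
  userPosts: (viewer, userId) => postService.byAuthor(viewer, userId),
  post: (viewer, id) => postService.byId(viewer, id),
};

// Returns what bob (not the author) gets for alice's private post via each path.
function checkPrivatePostAccess(resolvers) {
  const bob = users[1];
  return {
    viaUserPosts: resolvers.userPosts(bob, 1).map(p => p.id),
    viaPostById: resolvers.post(bob, 11) ? "leaked" : "denied",
  };
}
```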
Vulnerability 2: Flimsy REST Proxy Layers
A GraphQL layer is often a proxy in front of an existing REST API. In that setup, a user lookup can be “implemented in the GraphQL proxy layer by making a request to GET /api/users/1 on the backend API. If implemented unsafely, an attacker may be able to modify the path or parameters passed to the backend API, presenting a limited form of server-side request forgery.”
Properly URL-encoding and validating parameters passed to another service protects against this kind of vulnerability. Using the GraphQL schema to require a number for the file name would be one way to address it. An alternative is to validate the input values explicitly. “GraphQL will validate the types for you, but leaves format validation to you. A custom scalar type (for example, an AssetId scalar) could be used to consistently apply any custom validation rules that apply for a commonly-used type.”
Vulnerability 3: Skipping Custom Scalar Validation
Raw data in GQL is represented by scalar types, which are passed as input data or returned as output. Carve breaks it down, explaining that there are five built-in scalar types – Int, Float, Boolean, String, and ID (which is really just a string). This basic set of scalar types is sufficient for many simple APIs, but for scenarios where additional raw datatypes are useful, GraphQL includes support for application developers to define their own scalar types. For example, an API might include its own DateTime scalar type, or an extended scalar type that provides extended input validation, such as “odd integers” or “alphanumeric strings.”
If developers implement their own scalar type, they are then responsible for its sanitization and type validation. A demo that pulls in the graphql-type-json library is available here.
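An added example serving both Vulnerability 2 and Vulnerability 3 (not code from Carve's demo or from graphql-type-json): the format rule for an AssetId custom scalar, written as the parseValue/parseLiteral hooks a graphql-js GraphQLScalarType takes (the library itself is assumed and not loaded here), next to a REST proxy helper that builds the backend URL only from a value the scalar has already accepted. The backend host and the malformed id are constructed for the example.

```javascript
// Format rule for the AssetId scalar: 1 to 10 digits, no leading zero.
// GraphQL checks that the argument is an Int or String; this regex is the
// format validation that the page says is left to the developer.
const ASSET_ID = /^[1-9][0-9]{0,9}$/;

// parseValue hook: values arriving through JSON variables.
function parseAssetId(value) {
  const s = String(value);
  if (!ASSET_ID.test(s)) {
    throw new TypeError(`AssetId: invalid value ${JSON.stringify(value)}`);
  }
  return Number(s);
}

// parseLiteral hook: values written inline in the query document.
// `ast.kind` and `ast.value` follow the graphql-js AST node shape (assumed).
function parseAssetIdLiteral(ast) {
  if (ast.kind !== "IntValue" && ast.kind !== "StringValue") {
    throw new TypeError(`AssetId: expected Int or String literal, got ${ast.kind}`);
  }
  return parseAssetId(ast.value);
}

// Vulnerable proxy: interpolates whatever the resolver received into the path,
// so a client-controlled id can change which backend resource is requested.
function backendUrlUnsafe(baseUrl, rawId) {
  return `${baseUrl}/api/users/${rawId}`;
}

// Hardened proxy: the scalar rule rejects anything but a plain integer, and the
// surviving value is still URL-encoded as a single path segment.
function backendUrlSafe(baseUrl, rawId) {
  const id = parseAssetId(rawId);
  return `${baseUrl}/api/users/${encodeURIComponent(String(id))}`;
}

// Returns what each proxy does with a given id (backend host is constructed).
function compareProxy(rawId) {
  const base = "http://backend.internal";
  let safe;
  try {
    safe = backendUrlSafe(base, rawId);
  } catch (e) {
    safe = `rejected: ${e.message}`;
  }
  return { unsafe: backendUrlUnsafe(base, rawId), safe };
}
```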
Vulnerability 4: Disorganized Rate-Limiting
Implementing rate-limiting and other denial-of-service protections for GraphQL APIs is as complex as the APIs themselves. The amount of work a GQL query performs varies with the query by its nature, and so does the amount of server resources it consumes. This is why rate-limiting techniques used for REST APIs are not suited to GQL APIs: the REST API strategies are insufficient for GQL APIs.
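An added example (not from Carve's post) of why per-request limits fall short: it estimates the cost of a selection before executing it and charges a per-client budget by cost rather than by request. The selection tree is a hand-built sample standing in for the parsed query (a real implementation would walk the graphql-js DocumentNode, for example inside a validation rule); the default page size and the budget are assumed values.

```javascript
const DEFAULT_PAGE = 20; // assumed server default when a list field has no "first"
const MAX_COST = 1000;   // assumed per-query budget

// Each field costs 1; a list field multiplies the cost of its children by the
// requested page size, so nested lists grow the cost multiplicatively. That is
// what makes one GraphQL request worth thousands of REST requests.
function selectionCost(field) {
  const children = field.selections || [];
  const childCost = children.reduce((sum, c) => sum + selectionCost(c), 0);
  const multiplier = field.list ? (field.args && field.args.first) || DEFAULT_PAGE : 1;
  return 1 + multiplier * childCost;
}

function queryCost(selections) {
  return selections.reduce((sum, f) => sum + selectionCost(f), 0);
}

// Reject a single query whose estimated cost exceeds the budget.
function admitQuery(selections, budget = MAX_COST) {
  const cost = queryCost(selections);
  return { cost, allowed: cost <= budget };
}

// Per-client budget within a window: each admitted query spends its cost, so a
// client sending one expensive query is throttled as quickly as one sending many.
class CostBudget {
  constructor(capacity) { this.capacity = capacity; this.spent = new Map(); }
  spend(clientId, cost) {
    const used = this.spent.get(clientId) || 0;
    if (used + cost > this.capacity) return false;
    this.spent.set(clientId, used + cost);
    return true;
  }
  reset() { this.spent.clear(); } // call once per window (e.g. every minute)
}

// Constructed samples. deepQuery stands for
//   users(first: 100) { posts(first: 100) { comments(first: 50) { body } } }
// and cheapQuery for  post(id: 10) { body }.
const deepQuery = [{ name: "users", list: true, args: { first: 100 }, selections: [
  { name: "posts", list: true, args: { first: 100 }, selections: [
    { name: "comments", list: true, args: { first: 50 }, selections: [
      { name: "body" }] }] }] }];
const cheapQuery = [{ name: "post", args: { id: 10 }, selections: [{ name: "body" }] }];
```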
Vulnerability 5: Introspection Feature Unmasks Public Data
Developers sometimes tack hidden features onto API endpoints, expecting them to stay out of public view behind an admin-access check or on a separate API endpoint. Carve advises that “a GraphQL feature called introspection makes discovery of hidden endpoints trivially easy. As part of an effort to be developer-friendly, the introspection feature, which is enabled by default in most GraphQL implementations, allows API clients to dynamically query information about the schema, including documentation and the types for every query and mutation defined in the schema. This is used by development tools, like the GraphiQL IDE, to dynamically retrieve the schema if not provided one.” The demo API developed by Carve further illustrates these ideas with a hidden mutation.
Using a more complex solution like GraphQL comes with more complex problems. At the same time, it solves many of the fundamental data-validation issues commonly found in REST APIs. All of the issues above can be explored with the Carve demo API.
Go to Source
Author: Katherine-Harrison-Adcock
Go to Source
Author: Paul Hanaphy
University at Buffalo chemists have shown that self-assembling molecular traps can be used to capture PFAS — dangerous pollutants that have contaminated drinking water supplies around the world.
The traps are made from iron-based and organic building blocks that connect, like Legos, to form a tetrahedral cage. Experiments showed that these structures bind to certain PFAS (short for per- and polyfluoroalkyl substances), and a lab analysis revealed how this happens. As it turns out, the PFAS stick strongly to the outside of the cages instead of getting caught inside, researchers say.
These insights were detailed in a study released this month and could help scientists fine-tune the traps in favorable ways — for example, by enlarging the openings of the cages to potentially catch other types of PFAS. The eventual goal is to use such cages — known as metallacages — in systems that isolate PFAS from water, which could lead to better water treatment, or improved techniques for detecting the pollutants in water.
“PFAS are highly stable and toxic chemicals that can cause adverse human health effects,” says Diana Aga, PhD, Henry M. Woodburn Professor of Chemistry in the UB College of Arts and Sciences. “There is increasing evidence to suggest links between exposure to PFAS and adverse health outcomes in humans and animals, with potential effects including decreased birth weight, decreased fertility, and increased risk of diabetes and certain cancers, to name a few. The findings in our new paper are exciting because they provide evidence that the molecular traps are effective sorbents for some PFAS.”
“We’re very excited about a few ways this work may evolve, from enabling the detection of PFAS that current analyses may miss, to altering the cages such that in addition to binding the PFAS, they also destroy them,” says Timothy Cook, PhD, assistant professor of chemistry in the UB College of Arts and Sciences.
Cook and Aga led the study, along with Cressa Ria P. Fulong, PhD, a recent Cook lab graduate, and Mary Grace E. Guardian, a PhD candidate in Aga’s lab. All team members made important contributions, with Fulong and Guardian spearheading experimental and analytical work that took place in the lab.
The research was featured on the cover of the May 18 issue of the journal Inorganic Chemistry. Cook created the cover art, which he drew by hand with a fountain pen on paper, then digitized and colored. The illustration depicts molecular building blocks self-assembling to form tetrahedral structures that converge on a PFAS molecule.
The traps capture a subset of PFAS
PFAS are not a single compound; they are a group of humanmade chemicals that are used in food packaging, nonstick coatings, firefighting foams and other goods. Because the compounds don’t break down easily, they persist in the environment for a long time.
Numerous studies have detected PFAS in drinking water supplies worldwide, including a paper that Aga and colleagues published on May 19 in the journal Chemosphere. That project searched for the pollutants in the Philippines and Thailand and found them in surface waters, bottled water and water from re-fill stations. Other studies have shown that PFAS accumulate in people’s blood.
With these concerns in mind, Cook, Aga, Fulong and Guardian set out to learn whether molecular cages could help trap PFAS.
The scientists screened about a dozen different types of self-assembling cages that contain metals. Fulong synthesized the cages in Cook’s lab, and Guardian used advanced analytical techniques in Aga’s lab to study whether each structure was binding to PFAS.
This process led the team to the iron-based cages, which captured a subset of PFAS with chains of six or more fluorinated carbon atoms, including perfluorocarboxylic acids, sulfonic acids and fluorotelomers.
Next up? Tweaking the cages to trap more PFAS — and maybe destroy them
The study gives scientists new knowledge that could help them make experimental improvements to the cages. By tweaking the cages’ building blocks, researchers could potentially create structures that bind more strongly with PFAS, sponge up additional varieties of the pollutants, or even destroy the chemicals, Cook says.
“I’ve been reading reports in the popular media that people are trying to incinerate these PFAS, and it might be making the problem even worse,” Cook says. “It basically just sends them up into the air and disperses them even more. I’m wondering if we can develop cages with electro- or photochemical properties that will enable them to break up the bonds in PFAS.”
“I’m hopeful that the molecular traps can be designed to potentially capture the most highly water soluble PFAS that typically escape conventional water treatment technologies,” Aga says. “There are already many sorbents in use, such as activated carbon, that interact with PFAS. However, activated carbon does not have building blocks or pores that can be easily tuned — and this is the beauty of the metallacages.”
Go to Source
Author: Paul Hanaphy
Concrete is one of the most abundant and durable building materials used in modern-day infrastructures, but it has a weakness — ice — which can cause it to crumble and spall. Now, inspired by organisms that survive in sub-zero environments, researchers in Colorado are introducing polymer molecules with anti-freezing abilities into concrete. The method, which tests if the new concrete can stop the damage caused by freezing and thawing, appears in the journal Cell Reports Physical Science on May 27.
Concrete is a porous material with capillary pores that allow water to permeate into the material. For places that experience large temperature swings, concrete roads and buildings go through “freeze-thaw cycles.” The water freezes and expands inside of the material, building up pressure as the ice crystals grow, eventually popping the surface of the concrete off. The polyethylene glycol-graft-polyvinyl alcohol (PEG-PVA) molecules that the researchers have identified appear to keep the ice crystals small and prevent them from coalescing into larger crystals.
“We’re particularly excited because this represents a departure away from more than 70 years of conventional concrete technology,” says senior author Wil Srubar, who heads the Living Materials Laboratory at the University of Colorado Boulder. “In our view, it’s a quantum leap in the right direction and opens the door for brand new admixture technologies.”
For over 70 years, the primary way to mitigate freeze-thaw damage was to put in tiny air bubbles that act as pressure release valves inside of the concrete, known as air-entraining admixtures. But putting tiny air bubbles into the concrete not only lowers the strength of the material but also makes it more porous, acting like a superhighway for more water and other harmful substances, like salts, to enter. Instead of tackling the symptoms of ice expansions, the team decided to target the source: ice crystal growth.
Found in organisms that survive in sub-zero environments, anti-freeze proteins bind to ice crystals to inhibit their growth that would otherwise be fatal to the organisms. Inspired by the protein, the team introduced polymer molecules that mimicked the protein’s properties to the concrete mix. The molecules effectively reduced the size of ice crystals by 90 percent. The new concrete mix also withstood 300 freeze-thaw cycles and maintained its strength.
Although the new concrete passed industry-standard tests, there are still questions about the true long-term resilience of the material in a real-world application and its economic viability. The next step for the team is to optimize their method by identifying new molecules that are more cost-effective and testing the compatibility of the molecule with different recipes of concrete. “Making concrete is a lot like baking a cake,” says Srubar, hoping that concrete recipes can benefit from the new additive.
“For the next 30 years, the world will be building a New York City every 35 days, which is astounding,” says Srubar. “What that means is that we’re going to be building a lot of buildings and roads, and we’re going to be using a lot of concrete. Because it has significant impacts on the environment, the concrete that we do make really does have to be as sustainable as possible and as durable as it can be.”
Materials provided by Cell Press. Note: Content may be edited for style and length.
Go to Source
Using advanced machine learning, drones could be used to detect dangerous “butterfly” landmines in remote regions of post-conflict countries, according to research from Binghamton University, State University at New York.
Researchers at Binghamton University had previously developed a method that allowed for highly accurate detection of “butterfly” landmines using low-cost commercial drones equipped with infrared cameras. Their new research focuses on automated detection of landmines using convolutional neural networks, the standard machine learning method for object detection and classification in the field of remote sensing. This method is a game-changer in the field, said Alek Nikulin, assistant professor of energy geophysics at Binghamton University.
“All our previous efforts relied on human-eye scanning of the dataset,” said Nikulin. “Rapid drone-assisted mapping and automated detection of scatterable mine fields would assist in addressing the deadly legacy of widespread use of small scatterable landmines in recent armed conflicts and allow to develop a functional framework to effectively address their possible future use.”
It is estimated that there are at least 100 million military munitions and explosives of concern devices in the world, of various size, shape and composition. Millions of these are surface plastic landmines with low-pressure triggers, such as the mass-produced Soviet PFM-1 “butterfly” landmine. Nicknamed for their small size and butterfly-like shape, these mines are extremely difficult to locate and clear due to their small size, low trigger mass and, most significantly, a design that mostly excluded metal components, making these devices virtually invisible to metal detectors. Critically, the design of the mine combined with a low triggering weight have earned it notoriety as “the toy mine,” due to a high casualty rate among small children who find these devices while playing and who are the primary victims of the PFM-1 in post-conflict nations, like Afghanistan.
The researchers believe that these detection and mapping techniques are generalizable and transferable to other munitions and explosives of concern. For example, they could be adapted to detect and map disturbed soil for improvised explosive devices (IEDs).
“The use of Convolutional Neural Network (CNN)-based approaches to automate the detection and mapping of landmines is important for several reasons,” wrote the researchers. “One, it is much faster than manually counting landmines from an orthoimage (i.e. an aerial image that has been geometrically corrected). Two, it is quantitative and reproducible, unlike subjective human-error-prone ocular detection. And three, CNN-based methods are easily generalizable to detect and map any objects with distinct sizes and shapes from any remotely sensed raster images.”
Go to Source
Concerns about environmental and health risks of some fluorinated carbon compounds used to make non-stick coatings and fire-fighting foams have prompted manufacturers to develop substitutes, but these replacements are increasingly coming under fire themselves. To get a handle on the scope of the problem, scientists have been studying how widely these chemicals have contaminated the environment. Now, researchers report in ACS’ Environmental Science & Technology that, in one case, they have dispersed more broadly than previously realized.
These per- and polyfluorinated alkyl substances, known as PFAS, include perfluorooctanoic acid (PFOA). Because of exceptional stability, these chemicals don’t break down, so they can linger in soils and rivers if released into the environment, and they can persist in the body if ingested. Possible health effects include cancer, liver toxicity and disruption of the immune, endocrine and reproductive systems. As an alternative, industry has turned to other PFAS thought to be less likely to bioaccumulate, such as hexafluoropropylene oxide dimer acid (HFPO-DA), though their potential toxicity is unknown. Prior studies documented historical PFOA contamination mainly west and southwest of a fluoropolymer production facility in Parkersburg, West Virginia, that switched from PFOA to HFPO-DA in 2013. Linda Weavers and colleagues wanted to assess ongoing impacts from the plant on a broader scale, including areas north and northeast of the facility. In addition, the researchers wanted to check for dispersal of HFPO-DA, for which little environmental information is available.
The team collected surface water, drinking water and soil samples downwind and upstream from the plant and near landfills that contain PFAS waste. Sample analysis by mass spectrometry showed PFOA and HFPO-DA had dispersed to surface water and soil in multiple locations as far as 30 miles from the plant, with atmospheric transport playing a key role. The findings suggest HFPO-DA, like PFOA, could get into groundwater, and that these PFAS are being carried outside current surveillance zones. The researchers recommend more widespread monitoring of surface and drinking water to better define how and where PFAS exposures are occurring.
Go to Source
Author: Kubi Sertoglu