ICGT 2024
Wed 10 - Thu 11 July 2024 Enschede, Netherlands
co-located with STAF 2024

This program is tentative and subject to change.

Wed 10 Jul 2024 16:30 - 17:00 at Waaier 2 - ICGT Session 3

Graph APIs are capable of flexibly retrieving or manipulating graph-structured data over the web. This rather novel type of API presents new challenges when it comes to properly securing such APIs against the usual web application security risks, e.g., broken access control. A prominent security testing approach is taint analysis, which traces tainted, i.e., security-relevant, data from sources (where tainted data is inserted) to sinks (where the use of tainted data may lead to a security risk) along the information flow of an application.

We present a first systematic approach to static and dynamic taint analysis for Graph APIs focusing on broken access control. The approach comprises the following. We taint nodes in the Graph API if they represent data requiring specific privileges in order to be retrieved or manipulated, and identify API calls which are related to sources and sinks. Then, we statically analyze whether tainted information flow between API source and sink calls occurs. To this end, we model the API calls using graph transformation rules. We subsequently use critical pair analysis to automatically analyze potential dependencies between rules representing source calls and rules representing sink calls. The static taint analysis (i) identifies flows that need to be further reviewed, since tainted nodes may be created by an API call and used or manipulated by another API call later without having the necessary privileges, and (ii) can be used to systematically design dynamic security tests for broken access control. The dynamic taint analysis checks if potential broken access control risks detected during the static taint analysis really occur. We apply the approach to a part of the GitHub GraphQL API.
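The following is an added illustration of the workflow the abstract describes, not the authors' tool or any part of the GitHub GraphQL API: a handful of API calls are abstracted as graph transformation rules (left-hand side, created and deleted node types, and the privilege the specification claims the call enforces), a simplified produce-use dependency check between source and sink rules stands in for critical pair analysis, and a dynamic step replays each flagged flow against a constructed in-memory API as a low-privilege user. All rule names, node types, privilege levels and the runtime enforcement table are assumptions made up for this example.

```python
"""Added toy example (not the paper's tool): static taint analysis over
graph-transformation rules modelling a Graph API, followed by a dynamic
replay of each flagged source->sink flow against a constructed API."""
from dataclasses import dataclass

# Assumption: node types that require a privilege to be retrieved/manipulated
# are "tainted"; the value is the privilege needed.
TAINTED_TYPES = {"Secret": "admin"}
PRIV_ORDER = {"anonymous": 0, "user": 1, "admin": 2}


@dataclass(frozen=True)
class Rule:
    """One API call as a rule. lhs: node types the call must match (reads);
    creates/deletes: node types produced/consumed; required: privilege the
    API *specification* claims the call enforces (assumption)."""
    name: str
    lhs: frozenset
    creates: frozenset
    deletes: frozenset
    required: str


def is_source(rule):
    """Source call: inserts tainted data, i.e. creates a tainted node type."""
    return any(t in TAINTED_TYPES for t in rule.creates)


def is_sink(rule):
    """Sink call: reads (matches in lhs) or deletes a tainted node type."""
    return any(t in TAINTED_TYPES for t in rule.lhs | rule.deletes)


def produce_use_dependencies(rules):
    """Simplified critical pair analysis: (src, snk, types) whenever a source
    rule creates a tainted node type that a sink rule's lhs/deletes needs."""
    deps = []
    for src in rules:
        if not is_source(src):
            continue
        for snk in rules:
            if snk is src or not is_sink(snk):
                continue
            shared = {t for t in src.creates
                      if t in TAINTED_TYPES and t in (snk.lhs | snk.deletes)}
            if shared:
                deps.append((src.name, snk.name, frozenset(shared)))
    return deps


def static_findings(rules):
    """Flows to review: a sink reachable from a source whose specified
    privilege is weaker than what the tainted node type requires."""
    by_name = {r.name: r for r in rules}
    findings = []
    for src, snk, types in produce_use_dependencies(rules):
        for t in sorted(types):
            needed = TAINTED_TYPES[t]
            if PRIV_ORDER[by_name[snk].required] < PRIV_ORDER[needed]:
                findings.append((src, snk, t, needed))
    return findings


class ToyGraphApi:
    """Constructed in-memory Graph API. `enforced` maps call name -> privilege
    the implementation actually checks at runtime (may differ from the spec)."""
    def __init__(self, enforced):
        self.nodes = []          # multiset of node types, no edges needed here
        self.enforced = enforced

    def call(self, rule, role):
        """Apply `rule` on behalf of `role`; True iff the call was accepted."""
        if PRIV_ORDER[role] < PRIV_ORDER[self.enforced[rule.name]]:
            return False         # access control check at runtime
        if not all(t in self.nodes for t in rule.lhs):
            return False         # no match for the rule's left-hand side
        for t in rule.deletes:
            self.nodes.remove(t)
        self.nodes.extend(rule.creates)
        return True


def dynamic_confirm(rules, findings, enforced, low_role="user"):
    """Replay each flagged flow: seed the source's lhs (constructed fixture),
    run the source as admin, then try the sink as `low_role`.
    The finding is confirmed iff the sink call is accepted."""
    by_name = {r.name: r for r in rules}
    confirmed = []
    for src, snk, t, _needed in findings:
        api = ToyGraphApi(enforced)
        api.nodes.extend(by_name[src].lhs)
        if not api.call(by_name[src], "admin"):
            raise RuntimeError(f"could not set up flow {src}->{snk}")
        if api.call(by_name[snk], low_role):
            confirmed.append((src, snk, t))
    return confirmed


# Constructed rules standing in for a small slice of a GraphQL-style API.
RULES = [
    Rule("createRepository", frozenset(), frozenset({"Repository"}), frozenset(), "user"),
    Rule("addSecret", frozenset({"Repository"}), frozenset({"Secret"}), frozenset(), "admin"),
    Rule("readSecret", frozenset({"Secret"}), frozenset(), frozenset(), "user"),    # spec too weak
    Rule("updateSecret", frozenset({"Secret"}), frozenset(), frozenset(), "user"),  # spec too weak
    Rule("deleteSecret", frozenset({"Secret"}), frozenset(), frozenset({"Secret"}), "admin"),
]
# Constructed runtime behaviour: readSecret really is exposed to users (true
# positive); updateSecret is protected in the implementation despite the spec.
ENFORCED = {"createRepository": "user", "addSecret": "admin", "readSecret": "user",
            "updateSecret": "admin", "deleteSecret": "admin"}

if __name__ == "__main__":
    flagged = static_findings(RULES)
    print("static findings:", flagged)
    print("confirmed at runtime:", dynamic_confirm(RULES, flagged, ENFORCED))
```

The static step over-approximates on purpose: it flags every source-to-sink dependency whose specified privilege is too weak, which is also the list of dynamic tests to write; the replay then separates the flow that is genuinely reachable by a low-privilege principal from the one the implementation already guards.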


Wed 10 Jul

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

15:30 - 17:00
ICGT Session 3 (ICGT Research Papers) at Waaier 2
15:30
30m
Talk
Checking Transaction Isolation Violations with Graph Queries
ICGT Research Papers
Stefania Dumbrava ENSIIE & Institut Polytechnique de Paris, Zhao Jin ENSIIE, Burcu Kulahcioglu Ozkan Delft University of Technology, Jingxuan Qiu Delft University of Technology
16:00
30m
Talk
Modular language product lines: concept, tool and analysis (Journal-first paper)
ICGT Research Papers
Juan de Lara Autonomous University of Madrid, Esther Guerra Universidad Autónoma de Madrid, Paolo Bottoni Sapienza University of Rome
16:30
30m
Talk
Taint Analysis for Graph APIs Focusing on Broken Access Control
ICGT Research Papers
Leen Lambers BTU Cottbus Senftenberg, Lucas Sakizloglou Brandenburgische Technische Universität Cottbus-Senftenberg, Osama Al-Wardi Brandenburgische Technische Universität Cottbus-Senftenberg, Taisiya Khakharova Brandenburgische Technische Universität Cottbus-Senftenberg

Information for Participants
Wed 10 Jul 2024 15:30 - 17:00 at Waaier 2 - ICGT Session 3