Overview
Explore a conference talk that delves into the potential security vulnerabilities of GraphQL and how attackers can exploit them to target underlying infrastructure. Learn about the cons of GraphQL, including increased complexity and documentation challenges. Discover new attack methodologies, such as object reference attacks and mutations. Gain insights into debugging techniques, API vulnerabilities, and the importance of query cost analysis. Understand how hackers leverage GraphQL's features to their advantage and explore tools like AWS Security Toolkit and GraphQL Verb Extension. Examine real-world examples and common problems in software development related to GraphQL security.
Syllabus
Intro
Agenda
What is GraphQL
Cons of GraphQL
Increased Complexity
Documentation
Motivation
New Attack Methodology
How to Get
Validation
Object Reference Attacks
Mutations
New Data
Debug Mode
GARP
Rust API
Hackers get paid
A typical problem in software development
API mightyfall
Find the Endpoints
Make Requests
Debugging Data
Voyager
Fluent Leverage
Query
Mutation
Authorization
Thread Messages
The Real Problem
Query Cost Analysis
AWS Security Toolkit
GraphQL Verb Extension
Sequel Map
Do you have time