
WGQL - GraphQL Hacking and Defenses

DCODX provides security workshops that help your developers, security teams and engineers step up their application security knowledge by exploiting and then fixing security issues in fully hands-on training.

GraphQL Security 101

The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create Query, Mutation and Subscription operations for a "fake" social network. We will learn what the main security issues to consider are when developing a GraphQL application:
  • Introspection: information disclosure
  • /graphql as a single point of failure (DoS attacks)
  • IDOR
  • Broken access control
  • Injections
Once we are familiar with these issues, we will explain how to avoid and/or fix them.

Syllabus

[1] Intro (30 mins)
  • GraphQL introduction
  • GraphQL vs REST API
  • Common use cases
[2] GraphQL basics (1 hour)
  • Create a schema
  • Define operations: Query, Mutation, Subscription
  • Burp and GraphQL plugins
  • LAB
[3] Security implications in GraphQL (1 hour)
  • What can go wrong: intro
  • Introspection
  • Nested looping queries: DoS
  • Injections
  • Broken access control
  • IDOR
[4] Introspection (1 hour)
  • What's introspection
  • How to use it
  • How to abuse it
  • How to prevent it
  • LAB
[5] DoS (1 hour)
  • Nested queries
  • Loops in schema
  • Complexity calculation
  • DoS: why
  • How to prevent it
  • LAB
[6] Broken authorization and IDOR (1 hour 30 mins)
  • IDOR intro
  • How to discover IDOR
  • Introspection is our friend
  • How to avoid it
  • Implementing authorization correctly in GraphQL
  • LAB
[7] Injections (1 hour)
  • Not GraphQL issues
  • Discover possible injections
  • SQL injections
  • Command injections
  • How to prevent it
  • LAB
Labs are available on GitHub.

Presented at

Interested? Contact us at [email protected]