WGQL - GraphQL Hacking and Defenses
DCODX provides security workshops that help your developers, security teams, and engineers step up their application security knowledge by exploiting and then fixing security issues in fully hands-on training.
The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create Query, Mutation and Subscription operations for a "fake" social network. We will learn what the main security issues to consider when developing a GraphQL application are:
Introspection: information disclosure
/graphql as a single point of failure (DoS attacks)
IDOR
Broken access control
Injections
Once we are familiar with these issues, we will explain how to avoid and/or fix them.
| Module | Topic | Time |
|---|---|---|
| [1] Intro | GraphQL introduction | 30 mins |
| | GraphQL vs REST API | |
| | Common use cases | |
| [2] GraphQL basics | Create a schema | 1 hour |
| | Define operations | |
| | Query | |
| | Mutation | |
| | Subscription | |
| | Burp and GraphQL plugins | |
| | LAB | |
| [3] Security implications in GraphQL | What can go wrong: intro | 1 hour |
| | Introspection | |
| | Nested looping queries: DoS | |
| | Injections | |
| | Broken access control | |
| | IDOR | |
| [4] Introspection | What's introspection | 1 hour |
| | How to use it | |
| | How to abuse it | |
| | How to prevent it | |
| | LAB | |
| [5] DoS | Nested queries | 1 hour |
| | Loops in schema | |
| | Complexity calculation | |
| | DoS: why | |
| | How to prevent it | |
| | LAB | |
| [6] Broken authorization and IDOR | IDOR intro | 1h 30 mins |
| | How to discover IDOR | |
| | Introspection is our friend | |
| | How to avoid it | |
| | Implement authorization correctly in GraphQL | |
| | LAB | |
| [7] Injections | Not GraphQL-specific issues | 1 hour |
| | Discover possible injections | |
| | SQL injections | |
| | Command injections | |
| | How to prevent it | |
| | LAB | |
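To give a feel for what modules 4 (introspection) and 5 (DoS through nested queries and complexity calculation) are about, here is an added example that is not part of the workshop labs or of DCODX's own code. It tokenizes a GraphQL document with a simplified brace-counting pass (assumes syntactically valid queries; fragments and aliases are not handled), measures selection depth and field count, flags introspection fields (`__schema`, `__type`), and applies a hypothetical policy with assumed limits `MAX_DEPTH` and `MAX_FIELDS`. The three sample queries are constructed for this example.

```python
import re

# Constructed sample queries (not from the workshop labs).
INTROSPECTION_QUERY = "query { __schema { types { name fields { name } } } }"
NESTED_QUERY = """
query {
  user(id: 1) {
    friends {
      friends {
        friends {
          friends { name }
        }
      }
    }
  }
}
"""
NORMAL_QUERY = "query { user(id: 1) { name friends { name } } }"

# Simplified GraphQL tokenizer: identifiers, braces, parens, colons,
# string and integer literals, and any other single character.
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*|\{|\}|\(|\)|:|\"[^\"]*\"|-?\d+|\S")

# Assumed policy limits for this example; a real service tunes these
# against its schema and measured resolver cost.
MAX_DEPTH = 5
MAX_FIELDS = 50


def analyze(query: str) -> dict:
    """Return max selection depth, number of selected fields, and whether
    introspection fields are requested. Brace-counting pass over the token
    stream; assumes a syntactically valid query (simplified, hypothetical check)."""
    depth = max_depth = 0
    fields = 0
    introspection = False
    in_args = 0  # nesting level inside "(...)" argument lists
    for tok in TOKEN.findall(query):
        if tok == "(":
            in_args += 1
        elif tok == ")":
            in_args -= 1
        elif tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif in_args == 0 and depth > 0 and re.match(r"[A-Za-z_]", tok):
            # An identifier inside a selection set (and outside an
            # argument list) is a field selection.
            fields += 1
            if tok.startswith("__"):
                introspection = True  # __schema, __type, __typename
    return {"depth": max_depth, "fields": fields, "introspection": introspection}


def check_query(query: str, allow_introspection: bool = False) -> list:
    """Return the list of reasons to reject the query; an empty list means
    the query passes the depth, field-count and introspection policy."""
    info = analyze(query)
    reasons = []
    if info["introspection"] and not allow_introspection:
        reasons.append("introspection disabled")
    if info["depth"] > MAX_DEPTH:
        reasons.append(f"depth {info['depth']} exceeds {MAX_DEPTH}")
    if info["fields"] > MAX_FIELDS:
        reasons.append(f"field count {info['fields']} exceeds {MAX_FIELDS}")
    return reasons


if __name__ == "__main__":
    for name, q in [("normal", NORMAL_QUERY), ("nested", NESTED_QUERY),
                    ("introspection", INTROSPECTION_QUERY)]:
        print(name, analyze(q), "->", check_query(q) or "allowed")
```

Running the block shows the normal query passing, the six-level `friends` chain rejected on depth, and the introspection query rejected unless `allow_introspection=True` (for example in a development environment). Production servers usually enforce this kind of policy through a validation rule in the GraphQL library rather than a hand-written tokenizer; the point here is what the rule must measure.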
Labs available on GitHub