WGQL - GraphQL Hacking and Defenses
DCODX provides security workshops to help your developers, security teams and engineers step up their application security knowledge by exploiting and fixing security issues in fully hands-on training sessions.
The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create Query, Mutation and Subscription operations for a "fake" social network. We will then look at the main security issues to consider when developing a GraphQL application:
Introspection: information disclosure
/graphql as a single point of failure (DoS attacks)
IDOR
Broken access control
Injections
Once we are familiar with the issues, we will explain how to avoid and/or fix them.
Module | Topic | Time
[1] Intro | GraphQL introduction; GraphQL vs REST API; Common use cases | 30 mins
[2] GraphQL basics | Create a schema; Define operations (Query, Mutation, Subscription); Burp and GraphQL plugins; LAB | 1 hour
[3] Security implications in GraphQL | What can go wrong: intro; Introspection; Nested looping queries: DoS; Injections; Broken access control; IDOR | 1 hour
[4] Introspection | What's introspection; How to use it; How to abuse it; How to prevent it; LAB | 1 hour
[5] DoS | Nested queries; Loops in schema; Complexity calculation; DoS: why; How to prevent it; LAB | 1 hour
[6] Broken authorization and IDOR | IDOR intro; How to discover IDOR; Introspection is our friend; How to avoid it; Implementing authorization correctly in GraphQL; LAB | 1 hour 30 mins
[7] Injections | Not GraphQL-specific issues; Discover possible injections; SQL injections; Command injections; How to prevent it; LAB | 1 hour
Labs available on GitHub