# WGQL - GraphQL Hacking and Defenses

DCODX provides security workshops that help your developers, security teams, and engineers step up their application security knowledge by exploiting and then fixing security issues in fully hands-on trainings.

## GraphQL Security 101

![GraphQL logo](/files/-Lq82Q2aYtH0rhF-CtO1)

The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create Query, Mutation and Subscription operations for a "fake" social network. We will then learn the main security issues to consider when developing a GraphQL application:

* Introspection: information disclosure (the schema reveals every type, field and argument)
* /graphql as a single point of failure: DoS through deeply nested or looping queries
* IDOR (insecure direct object references)
* Broken access control
* Injections (SQL and command injection in resolver code)

Once we are familiar with the issues, we will explain how to avoid and/or fix each of them.
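As an illustration of what the introspection and DoS defenses from the list above look like when enforced before a query ever reaches a resolver, here is a small pre-execution guard. This is added example code, not code from the workshop or its labs: the helper names, the depth limit of 5 and the sample queries are all constructed for this example. It works on the raw query text with a minimal lexer; a production server would apply the same two checks as validation rules on the parsed AST (graphql-js exposes a validation-rule hook for exactly this), which also resolves named fragment spreads that a text-level check cannot see.

```python
"""Pre-execution guards for a GraphQL endpoint: block introspection and cap
query depth before the query reaches the resolvers.

Illustrative code only (not from the workshop labs).  MAX_DEPTH, the helper
names and the sample queries are all assumptions made for this example.
"""
import re

MAX_DEPTH = 5  # assumed policy: a legitimate client rarely needs deeper nesting

# Minimal GraphQL lexer: string literals and comments are matched first so a
# '{' or '__schema' inside them cannot fool the checks below.
TOKEN_RE = re.compile(r'''
    """[\s\S]*?"""               # block string literal
  | "(?:\\.|[^"\\\n])*"          # string literal (escapes allowed)
  | \#[^\n]*                     # comment, to end of line
  | [_A-Za-z][_0-9A-Za-z]*       # name: field, type, argument, variable ...
  | \S                           # any other single-character punctuator
''', re.VERBOSE)


def tokens(query):
    """Yield the tokens that matter for the guards, dropping literals and comments."""
    for match in TOKEN_RE.finditer(query):
        tok = match.group(0)
        if tok[0] in '"#':
            continue
        yield tok


def uses_introspection(query):
    """True if the query selects the __schema or __type meta-fields.

    __typename is deliberately allowed: clients use it for caching and it
    reveals nothing that the response does not already contain.
    """
    return any(tok in ("__schema", "__type") for tok in tokens(query))


def query_depth(query):
    """Deepest selection-set nesting in the document.

    Braces inside argument lists are input-object literals, e.g.
    posts(filter: {tag: "intro"}), and must not count as nesting, so
    braces are only counted while no parenthesis is open.
    """
    depth = max_depth = parens = 0
    for tok in tokens(query):
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif parens == 0 and tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif parens == 0 and tok == "}":
            depth -= 1
    return max_depth


def check_query(query, max_depth=MAX_DEPTH, allow_introspection=False):
    """Return the list of reasons to reject the query; an empty list means run it."""
    problems = []
    if not allow_introspection and uses_introspection(query):
        problems.append("introspection is disabled on this endpoint")
    depth = query_depth(query)
    if depth > max_depth:
        problems.append(f"query depth {depth} exceeds limit {max_depth}")
    return problems


# Constructed sample queries against the workshop's "fake" social network.
BENIGN = '''
query Feed($first: Int) {
  me { posts(first: $first, filter: {tag: "intro"}) { id title } }
}'''
# A loop in the schema (User.posts -> Post.author -> User.posts ...) lets a
# client multiply resolver work at every level: the classic nested-query DoS.
NESTED = "{ me { posts { author { posts { author { posts { author { name } } } } } } } }"
INTROSPECTION = "{ __schema { types { name fields { name } } } }"
# Decoys: the forbidden names only appear inside a comment and a string.
SNEAKY = '''
# __schema appears here in a comment only
{ me { name bio(format: "{ __schema }") __typename } }'''

if __name__ == "__main__":
    for label, q in [("benign", BENIGN), ("nested", NESTED),
                     ("introspection", INTROSPECTION), ("sneaky", SNEAKY)]:
        print(f"{label:14s} depth={query_depth(q)} problems={check_query(q)}")
```

Two caveats a practitioner should keep in mind. Named fragment spreads are the blind spot of a text-level depth check: each fragment definition is measured on its own, so an attacker can chain fragments to exceed the limit, which is why the AST-based validation rule of the server should be preferred. And depth alone does not bound cost: a shallow query over a large list can still be expensive, which is what the complexity calculation covered in the DoS module is for.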

### Syllabus

| Module                                | Topic                                        | Time       |
| ------------------------------------- | -------------------------------------------- | ---------- |
| \[1] Intro                            |                                              | 30 mins    |
|                                       | GraphQL introduction                         |            |
|                                       | GraphQL vs REST API                          |            |
|                                       | Common use cases                             |            |
| \[2] GraphQL basics                   |                                              | 1 hour     |
|                                       | Create a schema                              |            |
|                                       | Define operations                            |            |
|                                       | Query                                        |            |
|                                       | Mutation                                     |            |
|                                       | Subscription                                 |            |
|                                       | Burp and GraphQL plugins                     |            |
|                                       | **LAB**                                      |            |
| \[3] Security implications in GraphQL |                                              | 1 hour     |
|                                       | What can go wrong: intro                     |            |
|                                       | Introspection                                |            |
|                                       | Nested looping queries: DoS                  |            |
|                                       | Injections                                   |            |
|                                       | Broken Access Control                        |            |
|                                       | IDOR                                         |            |
| \[4] Introspection                    |                                              | 1 hour     |
|                                       | What’s introspection                         |            |
|                                       | How to use it                                |            |
|                                       | How to abuse it                              |            |
|                                       | How to prevent it                            |            |
|                                       | **LAB**                                      |            |
| \[5] DoS                              |                                              | 1 hour     |
|                                       | Nested queries                               |            |
|                                       | Loops in schema                              |            |
|                                       | Complexity calculation                       |            |
|                                       | DoS: Why                                     |            |
|                                       | How to prevent it                            |            |
|                                       | **LAB**                                      |            |
| \[6] Broken Authorization and IDOR    |                                              | 1.5 hours  |
|                                       | IDOR intro                                   |            |
|                                       | How to discover IDOR                         |            |
|                                       | Introspection is our friend                  |            |
|                                       | How to avoid it                              |            |
|                                       | Implementing authorization correctly in GraphQL |         |
|                                       | **LAB**                                      |            |
| \[7] Injections                       |                                              | 1 hour     |
|                                       | Not GraphQL-specific issues                  |            |
|                                       | Discover possible injections                 |            |
|                                       | SQL injections                               |            |
|                                       | Command injections                           |            |
|                                       | How to prevent it                            |            |
|                                       | **LAB**                                      |            |

Labs are available on GitHub:

{% embed url="<https://github.com/dcodx/graphql-security-labs>" %}

## Presented at

![](/files/-M-Z94h6J0hgzEwk_osr)

{% hint style="info" %}

### Interested? Contact us at <trainings@dcodx.com>

{% endhint %}


