Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

graphql {
  GraphQL
  GraphQL Architecture
  REST Vs GraphQL
  GraphQL Schema
  Introspection Query
  GraphQL Vulnerabilities
  Pentesting Tools
  GraphQL in Action !!!
}

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

Ref: https://bit.ly/3hLZNO7

Slide 10

Slide 10 text

Ref: https://bit.ly/3fBQSNk

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

• Query – For Retrieving data/Results, similar to GET in REST.
• Mutation – For Modifications Like POST/PUT/DELETE Operations.
• Subscriptions – For Events/Realtime Updates.

GraphQL Schema
• Subscriptions (Type) - EVENTS
• Mutations (Type) - WRITE
• Query (Type) - READ

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

No content

Slide 16

Slide 16 text

Change the POST request into a GET request. Append the payload from the links below to the endpoint URL:
https://pastebin.com/QyNaXVKg
https://pastebin.com/dFdsTaDQ
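
A defender's view of the step above, as an added example that is not part of the original slides: a small access-log check that flags GET requests carrying a schema introspection query in the `query` URL parameter. It assumes the payload referred to is an introspection query (the agenda lists "Introspection Query"; the linked pastes are not reproduced here), and the log lines, IP addresses and the `/graphql` path are constructed sample data.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (combined log format); IPs and paths are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2020:10:01:02 +0000] "GET /graphql?query=%7B__schema%7Btypes%7Bname%7D%7D%7D HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jul/2020:10:01:09 +0000] "GET /graphql?query=query+IntrospectionQuery+%7B+__schema+%7B+queryType+%7B+name+%7D+%7D+%7D HTTP/1.1" 200 48211',
    '198.51.100.4 - - [10/Jul/2020:10:02:00 +0000] "GET /graphql?query=%7Buser(id%3A1)%7Bname%7D%7D HTTP/1.1" 200 64',
    '198.51.100.4 - - [10/Jul/2020:10:02:05 +0000] "POST /graphql HTTP/1.1" 200 312',
    '198.51.100.9 - - [10/Jul/2020:10:03:00 +0000] "GET /graphql?query=%7B__typename%7D HTTP/1.1" 200 30',
]

REQUEST = re.compile(r'^(\S+) .*?"(GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')
# __schema and __type(...) are the introspection entry points. __typename is an
# ordinary meta field that clients request routinely, so it is not flagged.
INTROSPECTION = re.compile(r'\b__schema\b|\b__type\s*\(')


def find_get_introspection(lines):
    """Return (client_ip, path, status) for GET requests whose URL-encoded
    `query` parameter contains a schema introspection field."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m or m.group(2) != "GET":
            continue
        ip, _, target, status = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes the value and turns '+' into spaces.
        queries = parse_qs(url.query).get("query", [])
        if any(INTROSPECTION.search(q) for q in queries):
            hits.append((ip, url.path, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_get_introspection(SAMPLE_LOG):
        print("introspection over GET:", hit)
```

Access logs normally record the URL but not the POST body, so this check only sees the GET variant; covering POST needs inspection at the GraphQL server or a proxy that can read request bodies.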

Slide 17

Slide 17 text

No content

Slide 18

Slide 18 text

• SQL Injection
• NoSQL Injection
• Access Control Related Issues
• Mass Assignment
• IDOR
• Bypassing 2FA/BruteForce Attacks
• DoS Attacks, etc.

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content