SlideShare a Scribd company logo

GraphQL Misconfiguration

Download as PPTX, PDF
H
Harshit Sengar

GraphQL Vulnerabilities

Technology
1 of 22
GraphQL Misconfiguration By - Harshit Sengar
C O N T E N T S Part 01 Part 02 GraphQL Rest vs Graphql Part 03 Terminologies Part 04 Part 05 Part 06 Endpoint & Tools Attacks Vectors Practice Labs
01 GraphQL
01 GraphQL GraphQL is a query language for your API, and a server- side runtime for executing queries by using a type system you define for your data. GraphQL isn't tied to any specific database or storage engine and is instead backed by your existing code and data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type.
02 Rest v/s Graphql
03 Terminologies
03 Terminologies Queries and Mutations Schema and Types Arguments Fields Variable OperationName
04 GraphQL Endpoints & Tools
04 GraphQL Endpoints & Tools • /graphql • /graphql/console/ • /graphql.php • /graphiql • /graphiql.php • ....etc, • Graphiql • Graphql Playground • Graphql Raider (Burp-Extension) • InQL (Burp-Extension) Endpoints Tools
05 Attack Vectors
Introspection Query DOS IDOR & Authorization Bypass Injections Mutation 05 Attack Vectors
05 Introspection Query { __schema { directives { name description } subscriptionType { name description } types { name description } queryType { name description } mutationType { name description } queryType { name description } } } 1. query allSchemaTypes { __schema { types { name kind description } } } 2. query availableQueries { __schema { queryType { fields { name description } } } } 3. query EnumerationValues { __type(name: "<ENUM TYPE>") { kind name description enumValues { name description } } } https://hackerone.com/reports/291531
05 DOS / Nested Queries query{ allUsers{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ username } } } } } } } } } } } } } } } } } } }
05 IDOR & Bypass Authorization
05 Injections • SQL Injections • Command Injections • XSS • etc.., SQL Injection
05 Mutations • SQL Injections • Command Injections • XSS • Change/Modify the Details • etc.., SQL Injection
06 Practice Labs
SKF-Labs Vuln-graphql-api 06 Practice Labs
Contact: Email: hsengar.100@gmail.com Twitter: https://www.twitter.com/sengarharshit1 Linkedin: https://www.linkedin.com/in/sengarharshit1 Medium: https://www.medium.com/@sengarharshit1 THANK YOU

Recommended

Attacking GraphQL
Attacking GraphQLAttacking GraphQL
Attacking GraphQLKavishaSheth1
 
Adding GraphQL to your existing architecture
Adding GraphQL to your existing architectureAdding GraphQL to your existing architecture
Adding GraphQL to your existing architectureSashko Stubailo
 
Modular GraphQL with Schema Stitching
Modular GraphQL with Schema StitchingModular GraphQL with Schema Stitching
Modular GraphQL with Schema StitchingSashko Stubailo
 
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/Meteor
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/MeteorWhy UI Developers Love GraphQL - Sashko Stubailo, Apollo/Meteor
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/MeteorJon Wong
 
An intro to GraphQL
An intro to GraphQLAn intro to GraphQL
An intro to GraphQLvaluebound
 
GraphQL across the stack: How everything fits together
GraphQL across the stack: How everything fits togetherGraphQL across the stack: How everything fits together
GraphQL across the stack: How everything fits togetherSashko Stubailo
 
GraphQL Introduction
GraphQL IntroductionGraphQL Introduction
GraphQL IntroductionSerge Huber
 
CONDG April 23 2020 - Baskar Rao - GraphQL
CONDG April 23 2020 - Baskar Rao - GraphQLCONDG April 23 2020 - Baskar Rao - GraphQL
CONDG April 23 2020 - Baskar Rao - GraphQLMatthew Groves
 

Recommended

Attacking GraphQL
Attacking GraphQLAttacking GraphQL
Attacking GraphQLKavishaSheth1
 
Adding GraphQL to your existing architecture
Adding GraphQL to your existing architectureAdding GraphQL to your existing architecture
Adding GraphQL to your existing architectureSashko Stubailo
 
Modular GraphQL with Schema Stitching
Modular GraphQL with Schema StitchingModular GraphQL with Schema Stitching
Modular GraphQL with Schema StitchingSashko Stubailo
 
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/Meteor
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/MeteorWhy UI Developers Love GraphQL - Sashko Stubailo, Apollo/Meteor
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/MeteorJon Wong
 
An intro to GraphQL
An intro to GraphQLAn intro to GraphQL
An intro to GraphQLvaluebound
 
GraphQL across the stack: How everything fits together
GraphQL across the stack: How everything fits togetherGraphQL across the stack: How everything fits together
GraphQL across the stack: How everything fits togetherSashko Stubailo
 
GraphQL Introduction
GraphQL IntroductionGraphQL Introduction
GraphQL IntroductionSerge Huber
 
CONDG April 23 2020 - Baskar Rao - GraphQL
CONDG April 23 2020 - Baskar Rao - GraphQLCONDG April 23 2020 - Baskar Rao - GraphQL
CONDG April 23 2020 - Baskar Rao - GraphQLMatthew Groves
 
Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQLRodrigo Prates
 
GraphQL: Enabling a new generation of API developer tools
GraphQL: Enabling a new generation of API developer toolsGraphQL: Enabling a new generation of API developer tools
GraphQL: Enabling a new generation of API developer toolsSashko Stubailo
 
GraphQL
GraphQLGraphQL
GraphQLJoel Corrêa
 
GraphQL ♥︎ GraphDB
GraphQL ♥︎ GraphDBGraphQL ♥︎ GraphDB
GraphQL ♥︎ GraphDBGraphRM
 
Intro to GraphQL
Intro to GraphQL Intro to GraphQL
Intro to GraphQLRakuten Group, Inc.
 
The Apollo and GraphQL Stack
The Apollo and GraphQL StackThe Apollo and GraphQL Stack
The Apollo and GraphQL StackSashko Stubailo
 
GraphQL Search
GraphQL SearchGraphQL Search
GraphQL SearchArtem Shtatnov
 
GraphQL + relay
GraphQL + relayGraphQL + relay
GraphQL + relayCédric GILLET
 
GraphQL over REST at Reactathon 2018
GraphQL over REST at Reactathon 2018GraphQL over REST at Reactathon 2018
GraphQL over REST at Reactathon 2018Sashko Stubailo
 
GraphQL & Ratpack
GraphQL & RatpackGraphQL & Ratpack
GraphQL & RatpackMario García
 
Introduction to graphQL
Introduction to graphQLIntroduction to graphQL
Introduction to graphQLMuhilvarnan V
 
GraphQL & Relay
GraphQL & RelayGraphQL & Relay
GraphQL & RelayViacheslav Slinko
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentationVibhor Grover
 
REST vs GraphQL
REST vs GraphQLREST vs GraphQL
REST vs GraphQLSquareboat
 
Standing out as a new grad candidate
Standing out as a new grad candidateStanding out as a new grad candidate
Standing out as a new grad candidateSashko Stubailo
 
Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQLBrainhub
 
GraphQL Advanced
GraphQL AdvancedGraphQL Advanced
GraphQL AdvancedLeanIX GmbH
 
How to GraphQL
How to GraphQLHow to GraphQL
How to GraphQLTomasz Bak
 
GraphQL is new sexy
GraphQL is new sexyGraphQL is new sexy
GraphQL is new sexyITEM
 
GraphQL Fundamentals
GraphQL FundamentalsGraphQL Fundamentals
GraphQL FundamentalsVirbhadra Ankalkote
 
Getting Started with Spring for GraphQL
Getting Started with Spring for GraphQLGetting Started with Spring for GraphQL
Getting Started with Spring for GraphQLVMware Tanzu
 
Training Series: Build APIs with Neo4j GraphQL Library
Training Series: Build APIs with Neo4j GraphQL LibraryTraining Series: Build APIs with Neo4j GraphQL Library
Training Series: Build APIs with Neo4j GraphQL LibraryNeo4j
 

More Related Content

What's hot

Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQLRodrigo Prates
 
GraphQL: Enabling a new generation of API developer tools
GraphQL: Enabling a new generation of API developer toolsGraphQL: Enabling a new generation of API developer tools
GraphQL: Enabling a new generation of API developer toolsSashko Stubailo
 
GraphQL ♥︎ GraphDB
GraphQL ♥︎ GraphDBGraphQL ♥︎ GraphDB
GraphQL ♥︎ GraphDBGraphRM
 
The Apollo and GraphQL Stack
The Apollo and GraphQL StackThe Apollo and GraphQL Stack
The Apollo and GraphQL StackSashko Stubailo
 
GraphQL over REST at Reactathon 2018
GraphQL over REST at Reactathon 2018GraphQL over REST at Reactathon 2018
GraphQL over REST at Reactathon 2018Sashko Stubailo
 
Introduction to graphQL
Introduction to graphQLIntroduction to graphQL
Introduction to graphQLMuhilvarnan V
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentationVibhor Grover
 
REST vs GraphQL
REST vs GraphQLREST vs GraphQL
REST vs GraphQLSquareboat
 
Standing out as a new grad candidate
Standing out as a new grad candidateStanding out as a new grad candidate
Standing out as a new grad candidateSashko Stubailo
 
Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQLBrainhub
 
GraphQL Advanced
GraphQL AdvancedGraphQL Advanced
GraphQL AdvancedLeanIX GmbH
 
How to GraphQL
How to GraphQLHow to GraphQL
How to GraphQLTomasz Bak
 
GraphQL is new sexy
GraphQL is new sexyGraphQL is new sexy
GraphQL is new sexyITEM
 

What's hot (20)

Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQL
 
GraphQL: Enabling a new generation of API developer tools
GraphQL: Enabling a new generation of API developer toolsGraphQL: Enabling a new generation of API developer tools
GraphQL: Enabling a new generation of API developer tools
 
GraphQL
GraphQLGraphQL
GraphQL
 
GraphQL ♥︎ GraphDB
GraphQL ♥︎ GraphDBGraphQL ♥︎ GraphDB
GraphQL ♥︎ GraphDB
 
Intro to GraphQL
Intro to GraphQL Intro to GraphQL
Intro to GraphQL
 
The Apollo and GraphQL Stack
The Apollo and GraphQL StackThe Apollo and GraphQL Stack
The Apollo and GraphQL Stack
 
GraphQL Search
GraphQL SearchGraphQL Search
GraphQL Search
 
GraphQL + relay
GraphQL + relayGraphQL + relay
GraphQL + relay
 
GraphQL over REST at Reactathon 2018
GraphQL over REST at Reactathon 2018GraphQL over REST at Reactathon 2018
GraphQL over REST at Reactathon 2018
 
GraphQL & Ratpack
GraphQL & RatpackGraphQL & Ratpack
GraphQL & Ratpack
 
Introduction to graphQL
Introduction to graphQLIntroduction to graphQL
Introduction to graphQL
 
GraphQL & Relay
GraphQL & RelayGraphQL & Relay
GraphQL & Relay
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentation
 
REST vs GraphQL
REST vs GraphQLREST vs GraphQL
REST vs GraphQL
 
Standing out as a new grad candidate
Standing out as a new grad candidateStanding out as a new grad candidate
Standing out as a new grad candidate
 
Introduction to GraphQL
Introduction to GraphQLIntroduction to GraphQL
Introduction to GraphQL
 
GraphQL Advanced
GraphQL AdvancedGraphQL Advanced
GraphQL Advanced
 
How to GraphQL
How to GraphQLHow to GraphQL
How to GraphQL
 
GraphQL is new sexy
GraphQL is new sexyGraphQL is new sexy
GraphQL is new sexy
 
GraphQL Fundamentals
GraphQL FundamentalsGraphQL Fundamentals
GraphQL Fundamentals
 

Similar to GraphQL Misconfiguration

Getting Started with Spring for GraphQL
Getting Started with Spring for GraphQLGetting Started with Spring for GraphQL
Getting Started with Spring for GraphQLVMware Tanzu
 
Training Series: Build APIs with Neo4j GraphQL Library
Training Series: Build APIs with Neo4j GraphQL LibraryTraining Series: Build APIs with Neo4j GraphQL Library
Training Series: Build APIs with Neo4j GraphQL LibraryNeo4j
 
GraphQL_devoxx_2023.pptx
GraphQL_devoxx_2023.pptxGraphQL_devoxx_2023.pptx
GraphQL_devoxx_2023.pptxSoham Dasgupta
 
Tutorial: Building a GraphQL API in PHP
Tutorial: Building a GraphQL API in PHPTutorial: Building a GraphQL API in PHP
Tutorial: Building a GraphQL API in PHPAndrew Rota
 
GraphQL API Gateway and microservices
GraphQL API Gateway and microservicesGraphQL API Gateway and microservices
GraphQL API Gateway and microservicesMohammed Shaban
 
How easy (or hard) it is to monitor your graph ql service performance
How easy (or hard) it is to monitor your graph ql service performanceHow easy (or hard) it is to monitor your graph ql service performance
How easy (or hard) it is to monitor your graph ql service performanceLuca Mattia Ferrari
 
An oss api layer for your cassandra
An oss api layer for your cassandraAn oss api layer for your cassandra
An oss api layer for your cassandraCédrick Lunven
 
GraphQL-ify your API - JFall 2022
GraphQL-ify your API - JFall 2022GraphQL-ify your API - JFall 2022
GraphQL-ify your API - JFall 2022Soham Dasgupta
 
DEVOXX UK 2018 - GraphQL as an alternative approach to REST
DEVOXX UK 2018 - GraphQL as an alternative approach to RESTDEVOXX UK 2018 - GraphQL as an alternative approach to REST
DEVOXX UK 2018 - GraphQL as an alternative approach to RESTluisw19
 
Training Week: GraphQL 2022
Training Week: GraphQL 2022Training Week: GraphQL 2022
Training Week: GraphQL 2022Neo4j
 
Exposing GraphQLs as Managed APIs
Exposing GraphQLs as Managed APIsExposing GraphQLs as Managed APIs
Exposing GraphQLs as Managed APIsWSO2
 
Building Fullstack Serverless GraphQL APIs In The Cloud
Building Fullstack Serverless GraphQL APIs In The CloudBuilding Fullstack Serverless GraphQL APIs In The Cloud
Building Fullstack Serverless GraphQL APIs In The CloudNordic APIs
 
What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...
What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...
What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...SonjaChevre
 
GraphQL the holy contract between client and server
GraphQL the holy contract between client and serverGraphQL the holy contract between client and server
GraphQL the holy contract between client and serverPavel Chertorogov
 
Implementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPCImplementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPCTim Burks
 
Simplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) Extension
Simplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) ExtensionSimplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) Extension
Simplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) ExtensionVMware Tanzu
 
Marco Liberati - Graph analytics
Marco Liberati - Graph analyticsMarco Liberati - Graph analytics
Marco Liberati - Graph analyticsCodemotion
 

Similar to GraphQL Misconfiguration (20)

Getting Started with Spring for GraphQL
Getting Started with Spring for GraphQLGetting Started with Spring for GraphQL
Getting Started with Spring for GraphQL
 
Training Series: Build APIs with Neo4j GraphQL Library
Training Series: Build APIs with Neo4j GraphQL LibraryTraining Series: Build APIs with Neo4j GraphQL Library
Training Series: Build APIs with Neo4j GraphQL Library
 
GraphQL_devoxx_2023.pptx
GraphQL_devoxx_2023.pptxGraphQL_devoxx_2023.pptx
GraphQL_devoxx_2023.pptx
 
Tutorial: Building a GraphQL API in PHP
Tutorial: Building a GraphQL API in PHPTutorial: Building a GraphQL API in PHP
Tutorial: Building a GraphQL API in PHP
 
GraphQL API Gateway and microservices
GraphQL API Gateway and microservicesGraphQL API Gateway and microservices
GraphQL API Gateway and microservices
 
How easy (or hard) it is to monitor your graph ql service performance
How easy (or hard) it is to monitor your graph ql service performanceHow easy (or hard) it is to monitor your graph ql service performance
How easy (or hard) it is to monitor your graph ql service performance
 
An oss api layer for your cassandra
An oss api layer for your cassandraAn oss api layer for your cassandra
An oss api layer for your cassandra
 
GraphQL-ify your API - JFall 2022
GraphQL-ify your API - JFall 2022GraphQL-ify your API - JFall 2022
GraphQL-ify your API - JFall 2022
 
DEVOXX UK 2018 - GraphQL as an alternative approach to REST
DEVOXX UK 2018 - GraphQL as an alternative approach to RESTDEVOXX UK 2018 - GraphQL as an alternative approach to REST
DEVOXX UK 2018 - GraphQL as an alternative approach to REST
 
Graphql
GraphqlGraphql
Graphql
 
Training Week: GraphQL 2022
Training Week: GraphQL 2022Training Week: GraphQL 2022
Training Week: GraphQL 2022
 
Exposing GraphQLs as Managed APIs
Exposing GraphQLs as Managed APIsExposing GraphQLs as Managed APIs
Exposing GraphQLs as Managed APIs
 
Building Fullstack Serverless GraphQL APIs In The Cloud
Building Fullstack Serverless GraphQL APIs In The CloudBuilding Fullstack Serverless GraphQL APIs In The Cloud
Building Fullstack Serverless GraphQL APIs In The Cloud
 
What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...
What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...
What could go wrong with a GraphQL query and can OpenTelemetry help? KubeCon...
 
GraphQL
GraphQLGraphQL
GraphQL
 
GraphQL the holy contract between client and server
GraphQL the holy contract between client and serverGraphQL the holy contract between client and server
GraphQL the holy contract between client and server
 
Implementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPCImplementing OpenAPI and GraphQL services with gRPC
Implementing OpenAPI and GraphQL services with gRPC
 
Simplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) Extension
Simplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) ExtensionSimplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) Extension
Simplify Access to Data from Pivotal GemFire Using the GraphQL (G2QL) Extension
 
Marco Liberati - Graph analytics
Marco Liberati - Graph analyticsMarco Liberati - Graph analytics
Marco Liberati - Graph analytics
 
GraphQL-ify your APIs
GraphQL-ify your APIsGraphQL-ify your APIs
GraphQL-ify your APIs
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 

GraphQL Misconfiguration

  • 2. C O N T E N T S Part 01 Part 02 GraphQL Rest vs Graphql Part 03 Terminologies Part 04 Part 05 Part 06 Endpoint & Tools Attacks Vectors Practice Labs
  • 4. 01 GraphQL GraphQL is a query language for your API, and a server- side runtime for executing queries by using a type system you define for your data. GraphQL isn't tied to any specific database or storage engine and is instead backed by your existing code and data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type.
  • 6.
  • 7.
  • 8.
  • 10. 03 Terminologies Queries and Mutations Schema and Types Arguments Fields Variable OperationName
  • 12. 04 GraphQL Endpoints & Tools • /graphql • /graphql/console/ • /graphql.php • /graphiql • /graphiql.php • ....etc, • Graphiql • Graphql Playground • Graphql Raider (Burp-Extension) • InQL (Burp-Extension) Endpoints Tools
  • 14. Introspection Query DOS IDOR & Authorization Bypass Injections Mutation 05 Attack Vectors
  • 15. 05 Introspection Query { __schema { directives { name description } subscriptionType { name description } types { name description } queryType { name description } mutationType { name description } queryType { name description } } } 1. query allSchemaTypes { __schema { types { name kind description } } } 2. query availableQueries { __schema { queryType { fields { name description } } } } 3. query EnumerationValues { __type(name: "<ENUM TYPE>") { kind name description enumValues { name description } } } https://hackerone.com/reports/291531
  • 16. 05 DOS / Nested Queries query{ allUsers{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ username } } } } } } } } } } } } } } } } } } }
  • 17. 05 IDOR & Bypass Authorization
  • 18. 05 Injections • SQL Injections • Command Injections • XSS • etc.., SQL Injection
  • 19. 05 Mutations • SQL Injections • Command Injections • XSS • Change/Modify the Details • etc.., SQL Injection
  • 22. Contact: Email: hsengar.100@gmail.com Twitter: https://www.twitter.com/sengarharshit1 Linkedin: https://www.linkedin.com/in/sengarharshit1 Medium: https://www.medium.com/@sengarharshit1 THANK YOU