Finding Your Next Bug: GraphQL

InsiderPhD

23,216 views · 1 day ago

GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bounties! In this video, I cover everything GraphQL, from how it works to what kind of bugs are common. Next time we're going to expand on this and I'll show you how to do this live!
Did you know this episode was sponsored by Intigriti? Sign up with my link go.intigriti.com/katie I'm so pleased with everyone's positive response to the Intigriti sponsorship and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
APIs continue to be one of my favourite things to hack, and in fact, a week or so after I learned GraphQL I had my first bug in GraphQL: nothing too interesting, just an IDOR. I was shocked by how easy it was! The syntax really does put people off, but there are so many bugs waiting to be found!
- Links -
- GraphQL Learn: graphql.org/learn/queries/
- Introspection / general payloads: github.com/swisskyrepo/Payloa...
- GraphQL Voyager: github.com/APIs-guru/graphql-...
- GraphQL IDE: github.com/andev-software/gra...
- Altair: altair.sirmuel.design
- InQL: github.com/doyensec/inql
- GraphQL Map: github.com/swisskyrepo/GraphQ...
- graphql-path-enum: gitlab.com/dee-see/graphql-pa...
- My video on Finding Bugs Using APIs: • Finding Your First Bug...
- My video on the Top 10 API Bugs: • Top 10 API Bugs (and W...
- Farah's GraphQL Video: • HACKING GraphQL FOR BE...
- A staff member with no permissions can edit Store Customer Email - $1,500: hackerone.com/reports/980511
- H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption - $802.20: hackerone.com/reports/419883
- latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users - $1,000: hackerone.com/reports/724944
- Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot - $500: hackerone.com/reports/357485
- Disclosure of `payment_transactions` for programs via GraphQL query - $2,500: hackerone.com/reports/707433
- Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... - $5,000: hackerone.com/reports/960244 / hackerone.com/reports/858671
- Hacker101 GraphQL levels: www.hackerone.com/blog/graphq...
- NoSQL Injection: www.petecorey.com/blog/2017/06...
- HackTricks - GraphQL: book.hacktricks.xyz/pentestin...
- GraphQL Security Overview: blog.doyensec.com/2018/05/17/...
- Social Media -
Discord: insiderphd.dev/discord
Patreon: / insiderphd
Twitter: / insiderphd
- Patreon Shoutouts -
Yagami Panda
Niklas
Penny
Wardell Castles
strongbeard
Gynvael
Ram
James Clee
- Timestamps -
0:00 What is GraphQL and Why Hack it?
9:28 Writing Queries/Mutations and How They Work
22:56 Introspection and Recon
32:28 GraphQL Tools
36:18 GraphQL Bugs In The Wild
45:43 How to Hack GraphQL APIs

Comments: 45
@kabirsuda 3 years ago
Perfect explanation!👏🏻This video cleared my brain about graphQL... Thanks Katie 🔥
@JL-ud6xx 2 years ago
Thank you for clearing my concept. Will listen to your practical video of it. Will help me in my work!!!!
@fredomana7183 3 years ago
You’re the best. Keep doing what you’re doing. Much love from San Diego
@luckythandel 3 years ago
Perfect explanation, keep making such videos plz. We all support you, Katie.
@lifeofsq5653 8 months ago
Thanks for sharing your knowledge about GraphQL. It's really helpful for beginners in GraphQL vuln scanning
@1990shahid 3 years ago
amazing lecture!! - thank you for creating this. I'm new to this bug hunting so doing the hacker101 challenges and stuck on this graphQL nonsense :)
@mehulverma9496 1 year ago
Hey~~ I got Information disclosure and got 6 redbull trays thank you!!
@isiraadithya 3 years ago
She is back!!!!
@dibyanshusah117 3 years ago
Love.. Your.. Content.. Thank you.. ❤❤👍👍☺
@homeofcreation 2 years ago
As a SOAP developer, having WS-Security, this gives me the creeps. As a bounty hunter this brings me joy!
@Nop1337 2 years ago
thank you so much!
@faique2995 3 years ago
Best teacher to learn web application hacking
@InsiderPhD 3 years ago
😁😁😁😁 I appreciate it!
@mohammedsabbirahmed3015 3 years ago
Hey Katie. Awesome methodology and video as always, but I think it would be wonderful if you could add a takeaways slide at the end of the presentation. I think it would help greatly in effective note taking. Because whenever I watch your video I try to take notes and understand some things from it, but it is not always possible to grasp every tip and trick you provide in just one watch. So then I do some more research on the topic and relate that to my note-taking, and still there remain certain things that I'm not able to properly grasp, so I have to watch the whole video all over again to find the point where you were describing the desired topic and try to understand it more. And so until I'm able to fully understand all the notes I've taken, I end up watching your videos like 4/5 times. So I think it would be really great if you could do just one more slide on the takeaways; it would really mitigate this problem I have and also help me to be efficient in taking notes. Thank you 😊
@InsiderPhD 3 years ago
Thank you for the feedback I will take it onboard and do a summary at the end :)
@mohammedsabbirahmed3015 3 years ago
@InsiderPhD you are most welcome Katie 🥰❤️❤️
@kira_io 3 years ago
Why am i jealous of a youtube video wtf. I hope i meet someone who pays as much attention to me as you do to graphql lectures.
@mohammedsabbirahmed3015 3 years ago
@kira_io #katiehax 🙃
@kira_io 3 years ago
@mohammedsabbirahmed3015 😳
@MultiJojomaster 3 years ago
Hey, I'd like to ask here since I'm a newbie to bug bounties. What does it mean when a company states that SCANNERS ARE NOT ALLOWED? Does it mean I can't use stuff like nmap, sqlmap, xsstriker etc.? So I basically have to find all the bugs manually? Thanks in advance
@InsiderPhD 3 years ago
It means you can't run a bunch of automated scanners; nmap would probably be disallowed, but sqlmap and XSStrike (assuming you were running it on one endpoint) would be. They just don't want a bunch of requests that clog up a service for legitimate users. Or they want real security issues rather than best-practice findings, which scanners often find.
@hirthicshyam9290 3 years ago
Do live bug Hunting
@UsamaAli-kr2cw 1 year ago
Your content is amazing but please try to make small videos in a playlist manner.
@shrirangkahale 2 years ago
Rewatching this video now.. apparently I forgot nearly everything :P
@abhhibirdawade9657 3 years ago
Hey Katie
@NotToBeTooTakenSeriously 3 months ago
How do I get the introspection?
@InsiderPhD 3 months ago
Find a GraphQL endpoint and use the introspection query
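The reply above is the whole recipe, so here is an added example of it in working code (not code from the video, its author, or any of the linked tools): the standard introspection query, a helper that POSTs it to an endpoint, and a parser that turns the reply into a recon summary listing the root queries, the mutations, and every field that takes an ID argument, which is where the IDOR mentioned in the description tends to live. It also recognises the reply you get when introspection is switched off. The endpoint URL and the sample schema reply are constructed assumptions; all function names are made up for this example.

```python
import json
import urllib.request

# Abbreviated form of the standard introspection query: every type, its
# fields, and each field's arguments. Real schemas return far more.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields {
        name
        args { name type { name kind ofType { name kind } } }
        type { name kind ofType { name kind } }
      }
    }
  }
}
"""


def send_introspection(url, headers=None):
    """POST the introspection query as JSON and return the parsed reply.
    Needs a live endpoint (hypothetical URL); not exercised offline."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def introspection_disabled(reply):
    """True when the server answered with errors and no __schema object."""
    return "errors" in reply and not (reply.get("data") or {}).get("__schema")


def _named_type(t):
    # Unwrap NON_NULL / LIST wrappers until a named type is reached.
    while t and t.get("name") is None and t.get("ofType"):
        t = t["ofType"]
    return (t or {}).get("name")


def summarise_schema(reply):
    """Return the root query and mutation field names plus every field that
    takes an ID argument: the first candidates to test for IDORs."""
    schema = reply["data"]["__schema"]
    query_root = (schema.get("queryType") or {}).get("name")
    mutation_root = (schema.get("mutationType") or {}).get("name")
    out = {"queries": [], "mutations": [], "id_fields": []}
    for t in schema["types"]:
        if t["name"].startswith("__"):
            continue  # skip introspection meta-types
        for f in t.get("fields") or []:
            if t["name"] == query_root:
                out["queries"].append(f["name"])
            elif t["name"] == mutation_root:
                out["mutations"].append(f["name"])
            for a in f.get("args") or []:
                if _named_type(a["type"]) == "ID":
                    out["id_fields"].append(f"{t['name']}.{f['name']}({a['name']})")
    return out


def _scalar(name):
    return {"name": name, "kind": "SCALAR", "ofType": None}


# Constructed sample reply: a hypothetical schema, not from any real target.
SAMPLE_REPLY = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "me", "args": [], "type": {"name": "User", "kind": "OBJECT", "ofType": None}},
            {"name": "user", "type": {"name": "User", "kind": "OBJECT", "ofType": None},
             "args": [{"name": "id", "type": {"name": None, "kind": "NON_NULL",
                                               "ofType": _scalar("ID")}}]},
        ]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "updateEmail", "type": {"name": "User", "kind": "OBJECT", "ofType": None},
             "args": [{"name": "userId", "type": _scalar("ID")},
                      {"name": "email", "type": _scalar("String")}]},
        ]},
        {"name": "User", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": _scalar("ID")},
            {"name": "email", "args": [], "type": _scalar("String")},
        ]},
        {"name": "__Schema", "kind": "OBJECT", "fields": []},
    ],
}}}

if __name__ == "__main__":
    # On a live target: reply = send_introspection("https://target.example/graphql")
    print(json.dumps(summarise_schema(SAMPLE_REPLY), indent=2))
```

On the sample schema the summary flags `Query.user(id)` and `Mutation.updateEmail(userId)`: the mutation is exactly the shape of the "staff member with no permissions can edit Store Customer Email" report linked above, so those are the arguments to swap for another account's ID first. If `introspection_disabled` returns true, fall back to the wordlist-based tools in the links (InQL, graphql-path-enum) rather than giving up.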
@ca7986 3 years ago
❤️
@sexayboiee 3 years ago
Dude, it's like ads every 3 minutes, great content though.
@InsiderPhD 3 years ago
I'm so sorry, it's YouTube adding them in automatically. I've turned them off now and hopefully for all future videos!
@rubena1720 3 years ago
Your videos are nice, can you please teach everyone about subdomain takeover? Thanks
@jaeger809 3 years ago
Hey, I tried to find bugs many times. I can't even find a single bug. 😭
@jaeger809 3 years ago
@ahmad.mansour Mansour NO.
@mymothermom4858 3 years ago
Hi kitty, I really need your help. Where can I contact you? I just need 5 min please
@InsiderPhD 3 years ago
Discord! I’m pretty active and if I’m not around someone else will try to help you
@mymothermom4858 3 years ago
@InsiderPhD give me the link please
@malikimranawan3762 3 years ago
Hello mam
@CanaaniteRanger 1 year ago
Is this information still valid nowadays?!! (It is two years since this video was posted) ... and do those vulnerabilities still exist in the wild?! ... thank you
@InsiderPhD 1 year ago
Yup, actually even more common now as more companies have adopted this technology!
@CanaaniteRanger 1 year ago
@InsiderPhD Thank you for answering ... and I would like to say "You are an awesome person" :-)
@rajkumar-vl7il 3 years ago
Hey Katie, I lost my laptop (stolen). I may miss your lessons but I was hoping to get one soon ....
@InsiderPhD 3 years ago
Aww I’m sorry to hear that I know it sucks to lose your computer. I saved up for months to get my laptop and I can say I’d be absolutely devastated if it was stolen. Don’t worry too much about missing my content, it’ll all be here!
@rajkumar-vl7il 3 years ago
@InsiderPhD Yes dear, my valuable data is lost 😔 Hope 2021 gives something .....
@FrenchPirate83 3 years ago
Nice video, but loud ads every 2 minutes... less happy about that.
@InsiderPhD 3 years ago
Ugh, sorry, I must have forgotten to turn them off. They are so annoying; YouTube puts them on by default and they play ALL the time, despite me turning off midrolls