23,216 views
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bounties! In this video, I cover everything GraphQL, from how it works to what kind of bugs are common. Next time we're going to expand on this and I'll show you how to do this live!
Did you know this episode was sponsored by Intigriti? Sign up with my link: go.intigriti.com/katie. I'm so pleased with everyone's positive response to the Intigriti sponsorship, and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!
APIs continue to be one of my favourite things to hack, and in fact, a week or so after I learned GraphQL I had my first bug in GraphQL, nothing too interesting, just an IDOR. I was shocked by how easy it was! The syntax really does put people off, but there are so many bugs waiting to be found!
- Links -
- GraphQL Learn: graphql.org/learn/queries/
- Introspection / general payloads: github.com/swisskyrepo/Payloa...
- GraphQL Voyager: github.com/APIs-guru/graphql-...
- GraphQL IDE: github.com/andev-software/gra...
- Altair: altair.sirmuel.design
- InQL: github.com/doyensec/inql
- GraphQL Map: github.com/swisskyrepo/GraphQ...
- graphql-path-enum: gitlab.com/dee-see/graphql-pa...
- My video on Finding Bugs Using APIs: • Finding Your First Bug...
- My video on the Top 10 API Bugs: • Top 10 API Bugs (and W...
- Farah's GraphQL Video: • HACKING GraphQL FOR BE...
- A staff member with no permissions can edit Store Customer Email - $1,500: hackerone.com/reports/980511
- H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption - $802.20: hackerone.com/reports/419883
- latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users - $1,000: hackerone.com/reports/724944
- Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot - $500: hackerone.com/reports/357485
- Disclosure of `payment_transactions` for programs via GraphQL query - $2,500: hackerone.com/reports/707433
- Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... - $5,000: hackerone.com/reports/960244 / hackerone.com/reports/858671
- Hacker101 GraphQL levels: www.hackerone.com/blog/graphq...
- NoSQL Injection: www.petecorey.com/blog/2017/06...
- HackTricks - GraphQL: book.hacktricks.xyz/pentestin...
- GraphQL Security Overview: blog.doyensec.com/2018/05/17/...
- Social Media -
Discord: insiderphd.dev/discord
Patreon: / insiderphd
Twitter: / insiderphd
- Patreon Shoutouts -
Yagami Panda
Niklas
Penny
Wardell Castles
strongbeard
Gynvael
Ram
James Clee
- Timestamps -
0:00 What is GraphQL and Why Hack it?
9:28 Writing Queries/Mutations and How They Work
22:56 Introspection and Recon
32:28 GraphQL Tools
36:18 GraphQL Bugs In The Wild
45:43 How to Hack GraphQL APIs
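As an added example (not code from the video, and not from any of the tools linked above), here is the recon step from the "Introspection and Recon" section done offline: send the standard `__schema` introspection query, then parse the response to list every query and mutation with its signature, flag operations that take an ID-typed argument (the first things to re-send with another user's identifier when hunting the kind of IDOR mentioned above), and dump the object types and fields the schema exposes, including ones the frontend may never request. The introspection query is the standard shape defined by the GraphQL spec; the sample response, the shop-style type and field names, and all helper names are constructed for this example.

```python
"""Parse a GraphQL introspection result the way a bug hunter reads it:
operations with signatures, ID-taking arguments (IDOR candidates), and
object types/fields.  Added example; the response below is a constructed
sample for a made-up shop API, not a real target."""

# The query you would POST as {"query": INTROSPECTION_QUERY} to the endpoint.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind
      name
      fields(includeDeprecated: true) {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

# Small builders for the TypeRef shape introspection returns (constructed helpers).
def _ref(name, kind="SCALAR"):
    return {"kind": kind, "name": name, "ofType": None}

def _nn(inner):   # NON_NULL wrapper, rendered as "T!"
    return {"kind": "NON_NULL", "name": None, "ofType": inner}

def _lst(inner):  # LIST wrapper, rendered as "[T]"
    return {"kind": "LIST", "name": None, "ofType": inner}

# Constructed sample response: what a server would return for the query above.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "me", "args": [], "type": _nn(_ref("User", "OBJECT"))},
            {"name": "order", "args": [{"name": "id", "type": _nn(_ref("ID"))}],
             "type": _ref("Order", "OBJECT")},
            {"name": "orders", "args": [{"name": "first", "type": _ref("Int")}],
             "type": _nn(_lst(_nn(_ref("Order", "OBJECT"))))},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "updateCustomerEmail",
             "args": [{"name": "customerId", "type": _nn(_ref("ID"))},
                      {"name": "email", "type": _nn(_ref("String"))}],
             "type": _ref("Customer", "OBJECT")},
            {"name": "login",
             "args": [{"name": "username", "type": _nn(_ref("String"))},
                      {"name": "password", "type": _nn(_ref("String"))}],
             "type": _ref("String")},
        ]},
        {"kind": "OBJECT", "name": "Order", "fields": [
            {"name": "id", "args": [], "type": _nn(_ref("ID"))},
            {"name": "internalNotes", "args": [], "type": _ref("String")},
        ]},
        {"kind": "SCALAR", "name": "ID", "fields": None},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "SCALAR", "name": "Int", "fields": None},
    ],
}}}

def type_to_sdl(t):
    """Render a TypeRef back to SDL, e.g. [Order!]!, unwrapping NON_NULL/LIST nesting."""
    if t["kind"] == "NON_NULL":
        return type_to_sdl(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_to_sdl(t["ofType"]) + "]"
    return t["name"]

def base_type(t):
    """Strip wrappers to the named type, so ID!, [ID] and [ID!]! all give 'ID'."""
    while t["ofType"]:
        t = t["ofType"]
    return t["name"]

def root_fields(schema):
    """Yield ('query'|'mutation', field) for each field on the root operation types."""
    by_name = {t["name"]: t for t in schema["types"]}
    for root_key, label in (("queryType", "query"), ("mutationType", "mutation")):
        root = schema.get(root_key)
        if not root:  # a schema with no mutations is legal
            continue
        for f in by_name[root["name"]].get("fields") or []:
            yield label, f

def operations(schema):
    """Map 'query'/'mutation' -> list of (name, [(arg, sdl_type)], return_sdl_type)."""
    result = {}
    for label, f in root_fields(schema):
        args = [(a["name"], type_to_sdl(a["type"])) for a in f["args"]]
        result.setdefault(label, []).append((f["name"], args, type_to_sdl(f["type"])))
    return result

def signature(name, args, ret):
    """SDL-style line for notes, e.g. order(id: ID!): Order"""
    arg_str = ", ".join(f"{a}: {t}" for a, t in args)
    return f"{name}({arg_str}): {ret}" if args else f"{name}: {ret}"

def idor_candidates(schema):
    """(label, operation, argument) for every ID-typed argument: re-test each with another user's id."""
    return [(label, f["name"], a["name"])
            for label, f in root_fields(schema)
            for a in f["args"] if base_type(a["type"]) == "ID"]

def object_fields(schema):
    """Non-root object types and their fields; look for ones the UI never asks for."""
    roots = {schema[k]["name"] for k in ("queryType", "mutationType") if schema.get(k)}
    return {t["name"]: [f["name"] for f in t["fields"] or []]
            for t in schema["types"]
            if t["kind"] == "OBJECT" and t["name"] not in roots and not t["name"].startswith("__")}

if __name__ == "__main__":
    schema = SAMPLE_RESPONSE["data"]["__schema"]
    for label, ops in operations(schema).items():
        print(f"# {label}")
        for op in ops:
            print("  " + signature(*op))
    print("# ID-taking operations (IDOR candidates)")
    for label, op, arg in idor_candidates(schema):
        print(f"  {label} {op} via argument {arg}")
    print("# object types")
    for tname, fields in object_fields(schema).items():
        print(f"  {tname}: {', '.join(fields)}")
```

Against a live target you would replace `SAMPLE_RESPONSE` with the JSON returned for `INTROSPECTION_QUERY`; when introspection is disabled, the same parsing applies to a schema recovered by other means (for example the field-suggestion approach the linked tools use), and the ID-argument list is where to start sending requests with identifiers that belong to a second test account.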