REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 7, 2019, 1 p.m. (45 minutes)

GraphQL is a query language for APIs positioned to replace RESTful architecture. The technology has seen rapid adoption and is now used by companies such as GitHub, Credit Karma, and PayPal. Companies such as HackerOne and New Relic have suffered from critical vulnerabilities hidden within GraphQL endpoints. In this talk we will learn enough about GraphQL to be dangerous: we will demonstrate how to use the technology's intricacies against itself while taking advantage of implementation errors and misconfigurations, examine GraphQL-specific attacks as well as tried-and-true techniques adapted to the GraphQL context, and then walk through how to carry out these attacks efficiently and effectively, introducing a tool to help automate and streamline the process.


Presenters:

  • Matthew Szymanski
    Matthew Szymanski is a Senior Security Engineer specializing in Application Security. Passionate about AppSec, he leverages over a decade of experience as a programmer to discover and help remediate vulnerabilities. He has developed and taught secure coding workshops, mentored junior Security Engineers and Developers, and presented talks to increase security awareness. As a co-organizer of the CLT Hacking and Infosec Charlotte meetup group, Matt plans to continue increasing community awareness around Information Security.
