Offensive GraphQL API Exploitation

Presented at Diana Initiative 2020 Virtual, Aug. 22, 2020, noon (45 minutes)

GraphQL is now used by several of the big technology companies, among them Facebook, GitHub, Pinterest, Twitter and HackerOne, mainly because it gives clients enormous power over what they query. With that power comes responsibility: GraphQL itself does not enforce authorisation, so developers are in charge of implementing access control and the other security measures, and GraphQL applications remain prone to classic web application vulnerabilities such as Broken Access Control, Insecure Direct Object References (IDOR), Cross-Site Scripting (XSS) and injection bugs. This talk explains the common security weaknesses found in GraphQL APIs and how an attacker uses them to attack the underlying infrastructure and exfiltrate sensitive data from an organisation.
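As an added illustration of the access-control point in the abstract (this is not code from the talk), the block below models the IDOR case in plain Python: a `user(id:)` field whose resolver trusts the client-supplied id beside the same resolver with an object-level authorisation check, plus the attacker-side trick of enumerating many ids in a single request through GraphQL field aliases. The schema, the user records and the tiny executor that dispatches aliased fields to a resolver are all hypothetical stand-ins for a real GraphQL server.

```python
"""
Added example (not from the presentation): GraphQL-style IDOR and its fix.
GraphQL only routes a field to its resolver; any authorisation check has
to live in the resolver, so a `user(id:)` field without one is an IDOR.
The schema, data and executor below are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data standing in for a users table.
USERS = {
    1: {"id": 1, "email": "alice@example.com", "role": "user"},
    2: {"id": 2, "email": "bob@example.com", "role": "user"},
    3: {"id": 3, "email": "root@example.com", "role": "admin"},
}


@dataclass(frozen=True)
class Context:
    """What a GraphQL server typically hands to every resolver."""
    user_id: int
    role: str


class Forbidden(Exception):
    pass


def resolve_user_vulnerable(ctx: Context, id: int) -> Optional[dict]:
    """Broken access control: returns whatever id the client asked for."""
    return USERS.get(id)


def resolve_user_hardened(ctx: Context, id: int) -> Optional[dict]:
    """Object-level authorisation: a caller may read only their own
    record unless they hold the admin role."""
    if ctx.role != "admin" and ctx.user_id != id:
        raise Forbidden(f"user {ctx.user_id} may not read user {id}")
    return USERS.get(id)


def build_alias_batch(ids: Iterable[int]) -> str:
    """Attacker side: one query that asks for many objects via aliases,
    so a per-request rate limit does not slow enumeration down."""
    fields = "\n".join(f"  u{i}: user(id: {i}) {{ id email role }}" for i in ids)
    return "query Enumerate {\n" + fields + "\n}"


def execute_batch(resolver: Callable, ctx: Context, ids: Iterable[int]) -> Dict:
    """Minimal stand-in for a GraphQL executor: resolves each aliased field
    independently and reports failures the way GraphQL does (the field
    becomes null and an entry is appended to `errors`)."""
    data, errors = {}, []
    for i in ids:
        alias = f"u{i}"
        try:
            data[alias] = resolver(ctx, i)
        except Forbidden as exc:
            data[alias] = None
            errors.append({"path": [alias], "message": str(exc)})
    return {"data": data, "errors": errors}


def leaked_emails(result: Dict) -> List[str]:
    """Emails the attacker actually got back from a batch result."""
    return [v["email"] for v in result["data"].values() if v]


if __name__ == "__main__":
    bob = Context(user_id=2, role="user")  # an ordinary authenticated user
    ids = range(1, 4)
    print(build_alias_batch(ids))
    print("vulnerable:", leaked_emails(execute_batch(resolve_user_vulnerable, bob, ids)))
    print("hardened:  ", leaked_emails(execute_batch(resolve_user_hardened, bob, ids)))
```

Run as a script it prints the aliased enumeration query, then shows that the vulnerable resolver hands Bob every record while the hardened one returns only his own and emits one GraphQL error per denied alias. The check is deliberately placed in the resolver rather than in any request-level middleware, because with aliases and batching a single request can carry many object lookups.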

Presenters:

  • Arun S - IBM India Software Labs
    Arun works as a Senior Security Consultant at IBM India Software Labs and has more than 6 years of experience. He is a chapter leader of the null open source security community in Bangalore and has conducted training and workshops at the c0c0n and BSides Delhi security conferences. Arun is a Cobalt Core team member with Cobalt.io, an active member of and contributor to security communities such as BSides Bangalore, null and OWASP, and holds global certifications including OSCP, eWPT and ECSA.
