Abstract image of a woman sitting on books and studying on a laptop

GraphQL Misconfiguration

Download as PPTX, PDF
H
Harshit Sengar

This document discusses GraphQL misconfigurations and vulnerabilities. It introduces GraphQL and compares it to REST APIs. It then covers GraphQL terminologies, endpoints, tools, common attack vectors like introspection queries, denial of service attacks, IDOR, injections, and mutations. It concludes with recommendations for practice labs to test GraphQL vulnerabilities.

Technology
Related topics:
Information Security
1 of 22
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
GraphQL Misconfiguration By - Harshit Sengar
C O N T E N T S Part 01 Part 02 GraphQL Rest vs Graphql Part 03 Terminologies Part 04 Part 05 Part 06 Endpoint & Tools Attacks Vectors Practice Labs
01 GraphQL
01 GraphQL GraphQL is a query language for your API, and a server- side runtime for executing queries by using a type system you define for your data. GraphQL isn't tied to any specific database or storage engine and is instead backed by your existing code and data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type.
02 Rest v/s Graphql
GraphQL Misconfiguration
GraphQL Misconfiguration
GraphQL Misconfiguration
03 Terminologies
03 Terminologies Queries and Mutations Schema and Types Arguments Fields Variable OperationName
04 GraphQL Endpoints & Tools
04 GraphQL Endpoints & Tools • /graphql • /graphql/console/ • /graphql.php • /graphiql • /graphiql.php • ....etc, • Graphiql • Graphql Playground • Graphql Raider (Burp-Extension) • InQL (Burp-Extension) Endpoints Tools
05 Attack Vectors
Introspection Query DOS IDOR & Authorization Bypass Injections Mutation 05 Attack Vectors
05 Introspection Query { __schema { directives { name description } subscriptionType { name description } types { name description } queryType { name description } mutationType { name description } queryType { name description } } } 1. query allSchemaTypes { __schema { types { name kind description } } } 2. query availableQueries { __schema { queryType { fields { name description } } } } 3. query EnumerationValues { __type(name: "<ENUM TYPE>") { kind name description enumValues { name description } } } https://hackerone.com/reports/291531
05 DOS / Nested Queries query{ allUsers{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ username } } } } } } } } } } } } } } } } } } }
05 IDOR & Bypass Authorization
05 Injections • SQL Injections • Command Injections • XSS • etc.., SQL Injection
05 Mutations • SQL Injections • Command Injections • XSS • Change/Modify the Details • etc.., SQL Injection
06 Practice Labs
SKF-Labs Vuln-graphql-api 06 Practice Labs
Contact: Email: hsengar.100@gmail.com Twitter: https://www.twitter.com/sengarharshit1 Linkedin: https://www.linkedin.com/in/sengarharshit1 Medium: https://www.medium.com/@sengarharshit1 THANK YOU

More Related Content

PPTX
Attacking GraphQL
KavishaSheth1
 
PDF
Adding GraphQL to your existing architecture
Sashko Stubailo
 
PDF
Modular GraphQL with Schema Stitching
Sashko Stubailo
 
PDF
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/Meteor
Jon Wong
 
PPTX
An intro to GraphQL
valuebound
 
PDF
GraphQL across the stack: How everything fits together
Sashko Stubailo
 
PPTX
GraphQL Introduction
Serge Huber
 
PPTX
CONDG April 23 2020 - Baskar Rao - GraphQL
Matthew Groves
 
Attacking GraphQL
KavishaSheth1
 
Adding GraphQL to your existing architecture
Sashko Stubailo
 
Modular GraphQL with Schema Stitching
Sashko Stubailo
 
Why UI Developers Love GraphQL - Sashko Stubailo, Apollo/Meteor
Jon Wong
 
An intro to GraphQL
valuebound
 
GraphQL across the stack: How everything fits together
Sashko Stubailo
 
GraphQL Introduction
Serge Huber
 
CONDG April 23 2020 - Baskar Rao - GraphQL
Matthew Groves
 

What's hot (20)

PPTX
Introduction to GraphQL
Rodrigo Prates
 
PDF
GraphQL: Enabling a new generation of API developer tools
Sashko Stubailo
 
PDF
GraphQL
Joel Corrêa
 
PDF
GraphQL ♥︎ GraphDB
GraphRM
 
PDF
Intro to GraphQL
Rakuten Group, Inc.
 
PDF
The Apollo and GraphQL Stack
Sashko Stubailo
 
PDF
GraphQL Search
Artem Shtatnov
 
PDF
GraphQL + relay
Cédric GILLET
 
PDF
GraphQL over REST at Reactathon 2018
Sashko Stubailo
 
PDF
GraphQL & Ratpack
Mario García
 
PPTX
Introduction to graphQL
Muhilvarnan V
 
PDF
GraphQL & Relay
Viacheslav Slinko
 
PPT
Graphql presentation
Vibhor Grover
 
PDF
REST vs GraphQL
Squareboat
 
PDF
Standing out as a new grad candidate
Sashko Stubailo
 
PDF
Introduction to GraphQL
Brainhub
 
PDF
GraphQL Advanced
LeanIX GmbH
 
PDF
How to GraphQL
Tomasz Bak
 
PPTX
GraphQL is new sexy
ITEM
 
PDF
GraphQL Fundamentals
Virbhadra Ankalkote
 
Introduction to GraphQL
Rodrigo Prates
 
GraphQL: Enabling a new generation of API developer tools
Sashko Stubailo
 
GraphQL
Joel Corrêa
 
GraphQL ♥︎ GraphDB
GraphRM
 
Intro to GraphQL
Rakuten Group, Inc.
 
The Apollo and GraphQL Stack
Sashko Stubailo
 
GraphQL Search
Artem Shtatnov
 
GraphQL + relay
Cédric GILLET
 
GraphQL over REST at Reactathon 2018
Sashko Stubailo
 
GraphQL & Ratpack
Mario García
 
Introduction to graphQL
Muhilvarnan V
 
GraphQL & Relay
Viacheslav Slinko
 
Graphql presentation
Vibhor Grover
 
REST vs GraphQL
Squareboat
 
Standing out as a new grad candidate
Sashko Stubailo
 
Introduction to GraphQL
Brainhub
 
GraphQL Advanced
LeanIX GmbH
 
How to GraphQL
Tomasz Bak
 
GraphQL is new sexy
ITEM
 
GraphQL Fundamentals
Virbhadra Ankalkote
 
Ad

Similar to GraphQL Misconfiguration (20)

PPT
Pentest Application With GraphQL | Null Bangalore Meetup
Divyanshu
 
PPTX
GraphQL Introduction with Spring Boot
vipin kumar
 
PDF
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
 
PPTX
Working and Attacking GraphQL APIs vs Rest API
Matrix823409
 
PDF
GraphQL Bangkok meetup 5.0
Tobias Meixner
 
PDF
Tutorial: Building a GraphQL API in PHP
Andrew Rota
 
PPTX
Shift Remote: WEB - GraphQL and React – Quick Start - Dubravko Bogovic (Infobip)
Shift Conference
 
PDF
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Davide Cioccia
 
PDF
GraphQL the holy contract between client and server
Pavel Chertorogov
 
PDF
Spring GraphQL
VMware Tanzu
 
PDF
APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL,...
apidays
 
PPTX
Introduction to Graph QL
Deepak More
 
PPTX
Introduction to GraphQL Presentation.pptx
Knoldus Inc.
 
PDF
PHP, the GraphQL ecosystem and GraphQLite
JEAN-GUILLAUME DUJARDIN
 
PDF
20170624 GraphQL Presentation
Martin Heidegger
 
PDF
InterCon 2017 - Tudo o que você quer saber sobre GraphQL - Ubiratan Soares
iMasters
 
PPTX
Introduction to GraphQL
Bhargav Anadkat
 
PDF
GraphQL as an alternative approach to REST (as presented at Java2Days/CodeMon...
luisw19
 
PDF
Marco Liberati - Graph analytics
Codemotion
 
PPTX
Taking Control of your Data with GraphQL
Vinci Rufus
 
Pentest Application With GraphQL | Null Bangalore Meetup
Divyanshu
 
GraphQL Introduction with Spring Boot
vipin kumar
 
Attacking and defending GraphQL applications: a hands-on approach
Davide Cioccia
 
Working and Attacking GraphQL APIs vs Rest API
Matrix823409
 
GraphQL Bangkok meetup 5.0
Tobias Meixner
 
Tutorial: Building a GraphQL API in PHP
Andrew Rota
 
Shift Remote: WEB - GraphQL and React – Quick Start - Dubravko Bogovic (Infobip)
Shift Conference
 
Avoiding GraphQL insecurities with OWASP SKF - OWASP HU meetup
Davide Cioccia
 
GraphQL the holy contract between client and server
Pavel Chertorogov
 
Spring GraphQL
VMware Tanzu
 
APIsecure 2023 - Learn how to attack and mitigate vulnerabilities in GraphQL,...
apidays
 
Introduction to Graph QL
Deepak More
 
Introduction to GraphQL Presentation.pptx
Knoldus Inc.
 
PHP, the GraphQL ecosystem and GraphQLite
JEAN-GUILLAUME DUJARDIN
 
20170624 GraphQL Presentation
Martin Heidegger
 
InterCon 2017 - Tudo o que você quer saber sobre GraphQL - Ubiratan Soares
iMasters
 
Introduction to GraphQL
Bhargav Anadkat
 
GraphQL as an alternative approach to REST (as presented at Java2Days/CodeMon...
luisw19
 
Marco Liberati - Graph analytics
Codemotion
 
Taking Control of your Data with GraphQL
Vinci Rufus
 
Ad

Recently uploaded (20)

PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PPTX
The various Industrial Revolutions .pptx
bandileshozi3
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
The various Industrial Revolutions .pptx
bandileshozi3
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
Five Habits of High-Impact Board Members
OnBoard
 
Web Crawler for Trend Tracking Gen Z Insights.pptx
Actowiz Solustions
 
Final SEM Unit 1 for mit wpu at pune .pptx
anishtilekar08
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
CloudStack 4.21: First Look Webinar slides
ShapeBlue
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
How ambidextrous entrepreneurial leaders react to the artificial intelligence...
IAESIJAI
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 

GraphQL Misconfiguration

  • 2. C O N T E N T S Part 01 Part 02 GraphQL Rest vs Graphql Part 03 Terminologies Part 04 Part 05 Part 06 Endpoint & Tools Attacks Vectors Practice Labs
  • 4. 01 GraphQL GraphQL is a query language for your API, and a server- side runtime for executing queries by using a type system you define for your data. GraphQL isn't tied to any specific database or storage engine and is instead backed by your existing code and data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type.
  • 10. 03 Terminologies Queries and Mutations Schema and Types Arguments Fields Variable OperationName
  • 12. 04 GraphQL Endpoints & Tools • /graphql • /graphql/console/ • /graphql.php • /graphiql • /graphiql.php • ....etc, • Graphiql • Graphql Playground • Graphql Raider (Burp-Extension) • InQL (Burp-Extension) Endpoints Tools
  • 14. Introspection Query DOS IDOR & Authorization Bypass Injections Mutation 05 Attack Vectors
  • 15. 05 Introspection Query { __schema { directives { name description } subscriptionType { name description } types { name description } queryType { name description } mutationType { name description } queryType { name description } } } 1. query allSchemaTypes { __schema { types { name kind description } } } 2. query availableQueries { __schema { queryType { fields { name description } } } } 3. query EnumerationValues { __type(name: "<ENUM TYPE>") { kind name description enumValues { name description } } } https://hackerone.com/reports/291531
  • 16. 05 DOS / Nested Queries query{ allUsers{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ posts{ author{ username } } } } } } } } } } } } } } } } } } }
  • 17. 05 IDOR & Bypass Authorization
  • 18. 05 Injections • SQL Injections • Command Injections • XSS • etc.., SQL Injection
  • 19. 05 Mutations • SQL Injections • Command Injections • XSS • Change/Modify the Details • etc.., SQL Injection
  • 22. Contact: Email: [email protected] Twitter: https://www.twitter.com/sengarharshit1 Linkedin: https://www.linkedin.com/in/sengarharshit1 Medium: https://www.medium.com/@sengarharshit1 THANK YOU