skip to Main Content

LEVELUP 0x05

REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure

By : Matt Szymanski

REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure by Matt Szymanski

Matt on Twitter: https://twitter.com/rvrshell
More Videos on Bugcrowd University: https://www.bugcrowd.com/hackers/bugcrowd-university

GraphQL is a query language for APIs set to replace RESTful architecture. The use of this technology has achieved rapid adoption and is now leveraged by companies such as GitHub, Credit Karma, and PayPal. Despite its popularity, this new approach to building APIs can leave organizations at risk. While it solves real-world problems, proper implementation is left up to developers who often don’t fully understand how to secure their API. Security best practices are easily overlooked, and rushed development can leave cracks in the armor. These issues create a new attack surface for us to explore as well as new ways to exploit underlying infrastructure and code.

From Queries and Mutations to Types and Fields, properly attacking a target requires that you understand it. We will learn enough about GraphQL to be dangerous. Demonstrate how to use the technology’s intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine GraphQL specific attacks as well as tried and true techniques adapted to fit into the GraphQL context. Then walk through how to carry out these attacks efficiently and effectively.”

However, from a hacker’s point of view, this also presents new challenges. GraphQL Schemas can be very large and testing them can be a very time-consuming, manual process. From Queries and Mutations to Types and Fields, properly attacking a target requires that you understand it. Lack of foundational knowledge adds complexity to the testing process, while current tooling to launch and automate attacks is lacking. We will learn enough about GraphQL to be dangerous. Demonstrate how to use the technology’s intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine GraphQL specific attacks as well as tried and true techniques adapted to fit into the GraphQL context. Then walk through how to carry out these attacks efficiently and effectively, introducing a new tool to help automate and streamline the process.

Attacking GraphQL requires understanding and tooling to properly execute. We will demo how to use the technology’s intricacies against itself while taking advantage of implementation errors and misconfigurations. Examine attacks and workflows using tooling adapted to fit into the GraphQL context.

Back To Top