Secure Development Trainings

WGQL – GraphQL Hacking workshop

GraphQL hacking training workshop! Learn how to hack and secure GraphQL

Online

Trainers

Davide Cioccia

Founder and Principal Security Architect @ DCODX

Hi there! I’m Davide Cioccia, founder of DCODX, an ethical hacking and DevSecOps consulting and coaching firm. Besides helping companies implement their Sec in DevOps, I’m also a developer of security tools (check our GitHub), an OWASP Mobile Security Testing Guide contributor and the DevSecCon Chapter Lead for the Netherlands. You can find my talks at security conferences like BlackHat, OWASP AppSec, DevSecCon, DevDays Europe and more online, together with some CVEs disclosed to Microsoft and other big vendors. Enjoy my course :)

Course overview

The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create Query, Mutation and Subscription operations for a “fake” social network. We will then look at the main security issues to consider when developing a GraphQL application:
  • Introspection: information disclosure
  • /graphql as a single point of failure (DoS attacks)
  • IDOR
  • Broken access control
  • Injections
Once we are familiar with these issues, we will explain how to avoid and/or fix them.
Prerequisites
  • Laptop with Docker installed
  • No prior knowledge of GraphQL required

Syllabus

Intro
  • GraphQL introduction
  • GraphQL vs REST API
  • Common use cases
GraphQL basics
  • Define operations
  • Query
  • Mutation
  • Subscription
  • Burp and GraphQL plugins
Security implications in GraphQL
  • What can go wrong: intro
  • Exploiting introspection
  • Nested looping queries: DoS
  • Injections
  • Broken access control
  • IDOR
DoS
  • Loops in schema
  • Complexity calculation
  • LAB: DoS: why it works
  • How to prevent it
Broken authorization and IDOR
  • LAB: What is IDOR and how to discover IDOR
  • LAB: Introspection is our friend
  • How to avoid it
  • Implement good authorization in GraphQL
Injections
  • Not a GraphQL-specific issue
  • Discover possible injections
  • LAB: SQL injections
  • LAB: Command injections
  • How to prevent it