Secure Development Trainings

WGQL – GraphQL Hacking workshop

GraphQL hacking training workshop! Learn how to hack and secure GraphQL

Online

Trainers

Stefan Petrushevski

Principal Security Consultant @ DCODX

“Build it, break it, fix it better!” is something I often say. I am a seasoned cybersecurity professional who has been in the field for more than a decade. I have a formal education in computer science and extensive experience in security evaluation, security research, and building secure products across multiple verticals. In recent years, my focus has been AppSec, where I’m working on bridging the gap between security and engineering teams, making security an interesting and enjoyable aspect of everyone’s life. Outside of the cyber world, I have an active lifestyle and enjoy sports. Currently, I am re-introducing music into my life, as it is the space where, aside from hacking, I express my creativity the best.

Course overview

The workshop is meant for developers, architects and security folks. During the workshop we will learn how to set up a GraphQL project, define a schema, and create Query, Mutation and Subscription operations for a “fake” social network. We will learn what the main security issues to consider are when developing a GraphQL application:
  • Introspection: information disclosure
  • /graphql as a single point of failure (DoS attacks)
  • IDOR
  • Broken access control
  • Injections
Once we are familiar with these issues, we will explain how to avoid and/or fix them.
Prerequisites
  • Laptop with Docker installed
  • No prior knowledge of GraphQL required
Check out the labs on our GitHub: https://github.com/dcodx/graphql-security-labs

Syllabus

Intro
  • GraphQL introduction
  • GraphQL vs REST API
  • Common use cases
GraphQL basics
  • Define operations
    • Query
    • Mutation
    • Subscription
  • Burp and GraphQL plugins
Security implications in GraphQL
  • What can go wrong: intro
  • Exploiting introspection
  • Nested looping queries: DoS
  • Injections
  • Broken access control
  • IDOR
DoS
  • Loops in schema
  • Complexity calculation
  • LAB: DoS: why it happens
  • How to prevent it
Broken authorization and IDOR
  • LAB: What is IDOR and how to discover it
  • LAB: Introspection is our friend
  • How to avoid it
  • Implement good authorization in GraphQL
Injections
  • Not a GraphQL-specific issue
  • Discover possible injections
  • LAB: SQL injections
  • LAB: Command injections
  • How to prevent them