Welcome to Scribd!

Access Control Vulnerabilities in Graphql Apis: Nikita Stupin

Uploaded by

0% found this document useful (0 votes)

10 views16 pages

The document discusses GraphQL APIs and access control vulnerabilities. It begins with an overview of GraphQL, including what it is, basic queries, and introspection. Next, tools for analyzing GraphQL APIs like GraphiQL, Burp, and GraphQL Voyager are presented. Examples of access control vulnerabilities found in bug bounty programs are then discussed. The presentation concludes with ideas for further research on traversing GraphQL schemas with different credentials and automatically building all possible query paths.

Original Description:

Original Title

Access_control_vulnerabilities_in_graphql

Copyright

Available Formats

PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

10 views16 pages

Access Control Vulnerabilities in Graphql Apis: Nikita Stupin

Uploaded by

ratata ratata

Copyright:

Available Formats

Download as PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 16

Search inside document

Access control vulnerabilities in

GraphQL APIs
Nikita Stupin
Mail.Ru Group

Moscow, 18 June 2019

1
Agenda

1. GraphQL overview
1. What is GraphQL?
2. Basic GraphQL queries
3. Introspection
2. Tools for analyzing GraphQL
1. GraphiQL / Burp (curl)
2. GraphQL Voyager
3. Bug Bounty examples
4. Ideas for further research
5. Q&A
What is GraphQL?

• Query language to fetch and modify

data
• Used in web applications
• Tries to solve the problems of the
REST API
• Data over-fetching
• Data under-fetching

Image source: https://medium.com/devschacht/esteban-herrera-5-reasons-you-shouldnt-use-graphql-bae94ab105bc

3
Perfect world

Image source: https://www.howtographql.com/basics/3-big-picture/

4
Real world

Image source: https://www.howtographql.com/basics/3-big-picture/

5
The query, the mutation and the subscription

Image source: https://www.howtographql.com/basics/2-core-concepts/ 6

The query, the mutation and the subscription

Image source: https://www.howtographql.com/basics/2-core-concepts/ 7

8
Burp

9
GraphiQL

10
GraphQL Voyager

11
Broken edges

13
Ideas for further research

• Schema is a graph. Traverse it with

different credentials and compare the
results
• Visual monitoring of schema changes
https://github.com/APIs-guru/graphql-
voyager/issues/113
• Automatically build all possible paths
to certain object or property

Image source: https://memegenerator.net/img/images/300x300/11451809.jpg

14
Links

• “GraphQL Voyager as a tool for API security testing” (EN, RU)

https://nikitastupin.github.io/#references-to-articles-and-write-ups
• GraphQL from zero to hero (highly practical)
https://www.howtographql.com/
• Good elaboration of certain topic (more theoretical)
https://graphql.org/learn/
• GraphiQL https://github.com/graphql/graphiq
• GraphQL Voyager https://github.com/APIs-guru/graphql-voyager
• Toolset that can automatically generate queries
https://github.com/doyensec/graph-ql
15
Questions?

_nikitastupin

nikitastupin

n.stupin@corp.mail.ru

GraphQL in Action
From Everand
GraphQL in Action
Samer Buna
Rating: 2 out of 5 stars
2/5 (1)
1 What Is GraphQL
Document5 pages
1 What Is GraphQL
Ashutosh Agarwal
No ratings yet
Full Stack GraphQL Applications: With React, Node.js, and Neo4j
From Everand
Full Stack GraphQL Applications: With React, Node.js, and Neo4j
William Lyon
No ratings yet
Kiran Sagar: I Can Be Able To Quickly Adapt The New Work Space and Learning
Document3 pages
Kiran Sagar: I Can Be Able To Quickly Adapt The New Work Space and Learning
SreeSai Siddartha
No ratings yet
Learning Dart - Second Edition
From Everand
Learning Dart - Second Edition
Ivo Balbaert
No ratings yet
Gogo
Document1 page
Gogo
dark vader
No ratings yet
Practical C++ Backend Programming: Crafting Databases, APIs, and Web Servers for High-Performance Backend
From Everand
Practical C++ Backend Programming: Crafting Databases, APIs, and Web Servers for High-Performance Backend
Justin Barbara
No ratings yet
Generating Graphql-Wrappers For Rest (-Like) Apis: Abstract. Graphql Is A Query Language and Thereupon-Based
Document19 pages
Generating Graphql-Wrappers For Rest (-Like) Apis: Abstract. Graphql Is A Query Language and Thereupon-Based
Alexandra Velicu
No ratings yet
GraphQL Basics
Document42 pages
GraphQL Basics
Archanna Roy
No ratings yet
Elixir Absinthe Basics
Document29 pages
Elixir Absinthe Basics
white rabbit
No ratings yet
Introduction To Graphql: Niv Ben David
Document50 pages
Introduction To Graphql: Niv Ben David
Latha Sri
No ratings yet
Data Visualization Using Python
Document43 pages
Data Visualization Using Python
Sintya
No ratings yet
Open API 3.0
Document32 pages
Open API 3.0
DEV BENEDICT
No ratings yet
Lecture-1.2 - FS
Document27 pages
Lecture-1.2 - FS
Ayush Gupta
No ratings yet
Ktor and GraphQL - Getting Started
Document1 page
Ktor and GraphQL - Getting Started
Ariant Panjoolate
No ratings yet
The Power of GraphQL
Document52 pages
The Power of GraphQL
William Ha
No ratings yet
Real-Time GraphQL - Tech9
Document57 pages
Real-Time GraphQL - Tech9
Gigi Florica
No ratings yet
Data Visualization Using Python
Document44 pages
Data Visualization Using Python
vickydasuri111
No ratings yet
Making SPA Smarter With GraphQL
Document28 pages
Making SPA Smarter With GraphQL
1977am
No ratings yet
Saylani Module One Outline
Document3 pages
Saylani Module One Outline
Maaz Adrees
No ratings yet
Scrapy, A Fast High-Level All Kinds Web Crawling & Scraping Framework For Python
Document3 pages
Scrapy, A Fast High-Level All Kinds Web Crawling & Scraping Framework For Python
Jiaxu Chen
No ratings yet
Resume - Puneet Pandey
Document5 pages
Resume - Puneet Pandey
Puneet Pandey
No ratings yet
Google Map API
Document4 pages
Google Map API
fasewof928
No ratings yet
cityAQ - DC JS
Document10 pages
cityAQ - DC JS
Jack Koppa
No ratings yet
PyCon ID 2020 - Kevin Lloyd Bernal
Document58 pages
PyCon ID 2020 - Kevin Lloyd Bernal
Andi Hidayat
No ratings yet
Flight - Solution Methodology
Document3 pages
Flight - Solution Methodology
Arnab Dey
No ratings yet
Grapgqlvsrest
Document43 pages
Grapgqlvsrest
Troy Parker
No ratings yet
Michael Hunger-Using Apachespark For Graph Computation With Neo4j
Document36 pages
Michael Hunger-Using Apachespark For Graph Computation With Neo4j
harshasri89
No ratings yet
Data Science Specialization Capstone Presentation
Document46 pages
Data Science Specialization Capstone Presentation
Danish Nazrin
No ratings yet
Packt - Beginning GraphQL
Document167 pages
Packt - Beginning GraphQL
Sutham Rojanusorn
No ratings yet
Getting Started With GraphQL AF
Document12 pages
Getting Started With GraphQL AF
Santiago Stephenson
No ratings yet
The Primary Concern and Data Isn't Spread Across Different Domains But Is Instead Centralized To One Product. in This Case A Single Network
Document5 pages
The Primary Concern and Data Isn't Spread Across Different Domains But Is Instead Centralized To One Product. in This Case A Single Network
Jameel Khan
No ratings yet
GraphQL With Java and Spring
Document306 pages
GraphQL With Java and Spring
أحمد عاشور
No ratings yet
Play Framework 2.0: Peter Hilton - 14 February 2012
Document49 pages
Play Framework 2.0: Peter Hilton - 14 February 2012
hans09
No ratings yet
Capybara (Software)
Document4 pages
Capybara (Software)
linda976
No ratings yet
Big Data HW
Document6 pages
Big Data HW
Adilet Karim
No ratings yet
Adaptto2021 Playing Headlessly With GraphQL Capabilities in AEM EvgenyTugarev
Document23 pages
Adaptto2021 Playing Headlessly With GraphQL Capabilities in AEM EvgenyTugarev
omar
No ratings yet
PeterHilton PlayFramework20 PDF
Document63 pages
PeterHilton PlayFramework20 PDF
hans09
No ratings yet
Full Stack - nd0044 - Syllabus
Document17 pages
Full Stack - nd0044 - Syllabus
Abdullah Al-Bayoumi
No ratings yet
(2 de 5) What Is JavaScript and How It Works Under The Hood - Codementor
Document10 pages
(2 de 5) What Is JavaScript and How It Works Under The Hood - Codementor
Luis Balza Mata
No ratings yet
Coding Interview Prep: Milestone 0: Learning A Programming Language
Document4 pages
Coding Interview Prep: Milestone 0: Learning A Programming Language
nikhil singh
No ratings yet
Retrieving and Visualizing Data: Charles Severance
Document19 pages
Retrieving and Visualizing Data: Charles Severance
Emmanuel
No ratings yet
Guidelines For Preparing The GSoC 2021 Application Proposal
Document5 pages
Guidelines For Preparing The GSoC 2021 Application Proposal
Nabeel Merchant
No ratings yet
Pure Apis: Development Workflows For Successful Api Integrations
Document35 pages
Pure Apis: Development Workflows For Successful Api Integrations
José Antonio Haro Peralta
No ratings yet
2021 Tools ML DL Dan Cheat Sheets For AI
Document25 pages
2021 Tools ML DL Dan Cheat Sheets For AI
Lathifah Alfat
No ratings yet
Databricks On AWS 01 Getting Started Apache Spark Slides
Document29 pages
Databricks On AWS 01 Getting Started Apache Spark Slides
Mohil Joshi
100% (1)
Web-Development Using GWT + mvp4g
Document305 pages
Web-Development Using GWT + mvp4g
Ulric Wilfred
No ratings yet
Master Resources Prompt Engineering
Document2 pages
Master Resources Prompt Engineering
Victor Löfgren
No ratings yet
Retrieving and Visualizing Data: Charles Severance
Document19 pages
Retrieving and Visualizing Data: Charles Severance
bitish commect
No ratings yet
Preface
Document7 pages
Preface
lthanhlong
No ratings yet
Arcgis Modelbuilder Godfrey
Document19 pages
Arcgis Modelbuilder Godfrey
Mike Murefu
No ratings yet
Developer's Guide For Creating Scales and Transformations
Document5 pages
Developer's Guide For Creating Scales and Transformations
sumit_mukund
No ratings yet
Google Bigquery
Document10 pages
Google Bigquery
JMFM
No ratings yet
Gephi Semantic Web Importer en
Document6 pages
Gephi Semantic Web Importer en
mt_payne
No ratings yet
PHP Dictionary
Document412 pages
PHP Dictionary
shambalic
No ratings yet
Student Planner
Document4 pages
Student Planner
Pruthvi M Javali
No ratings yet
4 JavaScript Design Patterns You Should Know (+ Scotchmas Day 2) - Scotch
Document40 pages
4 JavaScript Design Patterns You Should Know (+ Scotchmas Day 2) - Scotch
Andres Tuells Jansson
No ratings yet
Spark Devops
Document301 pages
Spark Devops
topimaster
0% (1)
Backend Links
Document1 page
Backend Links
milad
No ratings yet
Udacity Develop Syllabus
Document6 pages
Udacity Develop Syllabus
Harshit Agrawal
No ratings yet
Receiver20 Optional PCB PDF
Document1 page
Receiver20 Optional PCB PDF
ratata ratata
No ratings yet
Hacking - CEH Cheat Sheet Exercises
Document49 pages
Hacking - CEH Cheat Sheet Exercises
Tetuan Azlan
No ratings yet
Receiver 20
Document4 pages
Receiver 20
ratata ratata
No ratings yet
La Caratula v3.1
Document24 pages
La Caratula v3.1
ratata ratata
No ratings yet
HTB BigHead Exploit - Small Buffer Exploit Without Egghunter InfoSec Blog
Document8 pages
HTB BigHead Exploit - Small Buffer Exploit Without Egghunter InfoSec Blog
ratata ratata
No ratings yet
R6Dan, Rx9Cim Designed by R6DCY
Document1 page
R6Dan, Rx9Cim Designed by R6DCY
ratata ratata
No ratings yet
Parts Catalogue / Technical Guide: Cal. 4F56A, 8F56A, 8F58A
Document24 pages
Parts Catalogue / Technical Guide: Cal. 4F56A, 8F56A, 8F58A
oscar tebar
No ratings yet
CQ Datv83
Document26 pages
CQ Datv83
augustinetez
100% (1)
E1585-The Winding Method of Magnetic Coils V306
Document6 pages
E1585-The Winding Method of Magnetic Coils V306
ratata ratata
No ratings yet
FRAM Memory With A Unique Read-Only ID
Document1 page
FRAM Memory With A Unique Read-Only ID
ratata ratata
No ratings yet
EVO-1 Users Manual Eng
Document4 pages
EVO-1 Users Manual Eng
ratata ratata
No ratings yet
High Resolution, Book Format: - Deconstruction
Document33 pages
High Resolution, Book Format: - Deconstruction
ratata ratata
No ratings yet
FRAM Memory With A Unique Read-Only ID
Document1 page
FRAM Memory With A Unique Read-Only ID
ratata ratata
No ratings yet
GBLC03 Gblc24C: Ultra Low Capacitance Tvs Array
Document4 pages
GBLC03 Gblc24C: Ultra Low Capacitance Tvs Array
oscar tebar
No ratings yet
Offensive Security Certified Expert (OSCE) : August 22, 2018
Document18 pages
Offensive Security Certified Expert (OSCE) : August 22, 2018
ratata ratata
No ratings yet
CDR-300UV Mini Car Radio
Document1 page
CDR-300UV Mini Car Radio
ratata ratata
No ratings yet
In This Issue: Reader Contributed Articles Welcome
Document36 pages
In This Issue: Reader Contributed Articles Welcome
oscar tebar
No ratings yet
Discovery: Category Built-In Windows Command
Document15 pages
Discovery: Category Built-In Windows Command
ratata ratata
No ratings yet
CDR-300UV Mini Car Radio
Document1 page
CDR-300UV Mini Car Radio
ratata ratata
No ratings yet
Re4b en PDF
Document1,387 pages
Re4b en PDF
thumperward
No ratings yet
In This Issue: Reader Contributed Articles Welcome
Document36 pages
In This Issue: Reader Contributed Articles Welcome
oscar tebar
No ratings yet
Aml 30
Document2 pages
Aml 30
ratata ratata
No ratings yet
Situation: HB9SOTA WSPR Antenna Comparison 2.7.2017, Gurten
Document8 pages
Situation: HB9SOTA WSPR Antenna Comparison 2.7.2017, Gurten
ratata ratata
No ratings yet
RF-AMP-250-2-Re Debug Instructor V100
Document4 pages
RF-AMP-250-2-Re Debug Instructor V100
ratata ratata
No ratings yet
FRAM Memory With A Unique Read-Only ID
Document1 page
FRAM Memory With A Unique Read-Only ID
ratata ratata
No ratings yet
RF-AMP-250-2-Re Debug Instructor V100
Document4 pages
RF-AMP-250-2-Re Debug Instructor V100
ratata ratata
No ratings yet
Winding Method of Magnetic Coils V100
Document3 pages
Winding Method of Magnetic Coils V100
ratata ratata
100% (1)
RF Amp 250 2 Re V101
Document1 page
RF Amp 250 2 Re V101
ratata ratata
No ratings yet
A Portable Multi-Band End-Fed Half Wave (EFHW) Antenna For 40-10m
Document4 pages
A Portable Multi-Band End-Fed Half Wave (EFHW) Antenna For 40-10m
ratata ratata
No ratings yet
Technical Note - Remote OPC Server October 3, 2003 - Rev. C
Document2 pages
Technical Note - Remote OPC Server October 3, 2003 - Rev. C
lin2m3
No ratings yet
Proposal On BBMS
Document8 pages
Proposal On BBMS
M.Cedrick
No ratings yet
A Short Note On Transaction in Database Management System
Document4 pages
A Short Note On Transaction in Database Management System
Imran Kabir
No ratings yet
Unit-2 Lecture Notes
Document33 pages
Unit-2 Lecture Notes
Sravani Gunnu
No ratings yet
Database Processing: David M. Kroenke and David J. Auer
Document84 pages
Database Processing: David M. Kroenke and David J. Auer
felipe jr. Ammugauan
No ratings yet
GeoMedia 2015 Product Features
Document26 pages
GeoMedia 2015 Product Features
Nimas Anggarini
No ratings yet
TCS Technical Interview Questions
Document8 pages
TCS Technical Interview Questions
Harpreet Singh Bagga
No ratings yet
Dot Net Syllabus
Document4 pages
Dot Net Syllabus
Banagiri Akhil
No ratings yet
Normalization Data Anomalies
Document15 pages
Normalization Data Anomalies
gopi9966957145
No ratings yet
ITSM - Whitepaper - Asset MGMT
Document143 pages
ITSM - Whitepaper - Asset MGMT
Kai
No ratings yet
Oracle Exadata Database Service On Exadata Cloud@Customer X8M
Document11 pages
Oracle Exadata Database Service On Exadata Cloud@Customer X8M
Ans Sembiring
No ratings yet
Presentation Seminar
Document16 pages
Presentation Seminar
yihunie
No ratings yet
Configuring Node Replication For IBM Spectrum Protect by Using The Command Line
Document4 pages
Configuring Node Replication For IBM Spectrum Protect by Using The Command Line
venkat g
No ratings yet
DBMS Syllabus
Document4 pages
DBMS Syllabus
Exam helper
No ratings yet
Planet 9 - Installation Guide 2.x
Document6 pages
Planet 9 - Installation Guide 2.x
Adeyemi Odeneye
No ratings yet
A Complete Kaldi Recipe For Building Arabic Speech Recognition Systems
Document5 pages
A Complete Kaldi Recipe For Building Arabic Speech Recognition Systems
Abdelkbir Ws
No ratings yet
Community E-Library System REPORT
Document17 pages
Community E-Library System REPORT
sajeer kc
No ratings yet
6.5.10 Lab - Explore The Evolution of Password Methods
Document11 pages
6.5.10 Lab - Explore The Evolution of Password Methods
Willy Dinata
No ratings yet
Bda Lab Manual
Document45 pages
Bda Lab Manual
reenadh shaik
No ratings yet
Automatic Watershed Delineation Using Arcswat/Arc Gis: By: - Yalelet.F
Document9 pages
Automatic Watershed Delineation Using Arcswat/Arc Gis: By: - Yalelet.F
Addisu melak
No ratings yet
Database Development Process PDF
Document6 pages
Database Development Process PDF
nadigan
No ratings yet
The 7 Lies of Data Catalog Providers
Document21 pages
The 7 Lies of Data Catalog Providers
hasnae
No ratings yet
Revit Schematic Keynotes Explained (Well, Bootlegged and Used)
Document4 pages
Revit Schematic Keynotes Explained (Well, Bootlegged and Used)
Jay B Zallan
No ratings yet
RTD Feast Dev en Master
Document162 pages
RTD Feast Dev en Master
Hg
No ratings yet
ASIA Module 2
Document26 pages
ASIA Module 2
marsh mallow
No ratings yet
IELTS Wrting Task 1 (General)
Document6 pages
IELTS Wrting Task 1 (General)
Syed Maroof Ali
No ratings yet
AWS Certified Solutions Architect - Associate SAA-C03 Exam Questions and Answers
Document43 pages
AWS Certified Solutions Architect - Associate SAA-C03 Exam Questions and Answers
Abraão Silva
No ratings yet
Getting Started With Postgis: Topic
Document30 pages
Getting Started With Postgis: Topic
SAMINA ATTARI
No ratings yet
Dynamic Auto Selection and Auto Tuning of Machine Learning Models For Cloud Network Analytics Synopsis
Document9 pages
Dynamic Auto Selection and Auto Tuning of Machine Learning Models For Cloud Network Analytics Synopsis
sudhakar kethana
No ratings yet
Esp32 From Anywhere in The World
Document17 pages
Esp32 From Anywhere in The World
Perez Geovanni
No ratings yet