appsec.fyi

A somewhat curated list of links to various topics in application security.

GraphQL

| Link | Excerpt |
| --- | --- |
| GraphQL 101 Challenge | REST was born in 2000 as Roy Fielding wanted to define the standardized way of API communication. Over time, REST API has reached its limitations, so in 2015 Facebook internally developed GraphQL as a modern and scalable way of communication between client and server. Kiwi. |
| doyensec/graph-ql | With the increasing popularity of GraphQL technology, we will be using this repository to publish scripts and other resources that can facilitate security testing efforts. |
| GraphQL - Security Overview and Testing Tips | With the increasing popularity of GraphQL technology, we are summarizing some documentation and tips about common security mistakes. GraphQL is a data query language developed by Facebook and publicly released in 2015. It is an alternative to REST API. |
| Facebook GraphQL CSRF | There was a “CSRF” styled query in business.instagram.com that can allow GraphQL calls to be made. The discovery of the bug in View the Assigned Roles and Emails of an Instagram Account started at business.instagram.com/login with an authorization screen. |
| [TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUEST | Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. |
| Graphql Abuse to Steal Anyone’s Address | Due to some reasons, I had to remove this blog post earlier as I didn’t have any approval from the Security Team of that program. Now they have approved my blog post. Well, again, this is not an English literature or grammar blog; please ignore errors. |
| GraphQL Introspection leads to Sensitive Data Disclosure. | Hello, I am Pranay Bafna, Final Year Information Technology Student. I’m here to share about my recent findings on GraphQL. For discovering this bug I learned GraphQL basics for at least 2–3 hours and read all other bug reports, especially nahamsec’s GraphQL CTF Challenge. |
| GraphQL introspection leads to sensitive data disclosure. | Hello World! I’m Eshan Singh, aka R0X4R. I’m that hacker teenager that your friends told you about. I hack web servers to make the system secure. I’m here to share my recent findings on GraphQL Introspection. All of us know that Facebook uses its own query language to store its data properly. |
| br3akp0int/GQLParser | Graph Query Parser & Editor. A repository for the Graph Query Extension for Burp Suite. Requirements: You will need the below to get started: the latest version of Burp (tested for Burp 1.7.37 and above); a Jython standalone Jar file (jython-standalone-2.7.0. |
| andev-software/graphql-ide | Download the latest 0.2.x version; this will give you an option to export any project for 1.x. After you've installed 1.x you can import the project there. You can always go back to 0.x; your project data is stored at /Users/[username]/Library/Application Support/graphql-ide |
| swisskyrepo/GraphQLmap | GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes. Use dump to dump the GraphQL schema; this function will automatically populate the "autocomplete" with the found fields. Live Example |
| GraphQL IDOR leads to information disclosure | Hello World! I’m Eshan Singh, aka R0X4R. I’m here to share my recent findings on GraphQL IDOR (Insecure Direct Object Reference), which leads to information disclosure. So, let’s start. I’m signing in… What is GraphQL? |