A somewhat curated list of links to various topics in application security.
| Link | Excerpt |
|---|---|
| gsmith257-cyber/GraphCrawler | Graph Crawler is an automated testing tool for any GraphQL endpoint. It will run through and check if mutation is enabled, check for any sensative queries avaliable, such as users and files, and it will also test any easy queries it find to see if authentication is required. |
| Exploiting GraphQL | GraphQL is a language for APIs that enables you to query and manipulate data through a flexible syntax. GraphQL based services have blown up over the last few years in popularity. From a hackers perspective, what should we be focusing on? |
| GraphQL 101 Challenge | REST was born in 2000 as Roy Fielding wanted to define the standardized way of API communication. In 2015 Facebook internally developed GraphQL as a modern and scalable way of communication between client and server. Kiwi. |
| InQL Scanner | InQL can be used as a stand-alone script or as a Burp Suite extension. InQL can inspect the introspection query results and generate clean documentation in different formats such as HTML and JSON schema. |
| GraphQL - Security Overview and Testing Tips | With the increasing popularity of GraphQL technology we are summarizing some documentation and tips about common security mistakes. GraphQL is a data query language developed by Facebook and publicly released in 2015. It is an alternative to REST API. |
| Facebook GraphQL CSRF | There was a “CSRF” styled query in business.instagram.com that can allow GraphQL calls to be made. The discovery of the bug in View the Assigned Roles and Emails of an Instagram Account started at business.instagram.com/login with an authorization screen. |
| [TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUEST | Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. |
| Graphql Abuse to Steal Anyone’s Address | Due to some reasons, I had to remove this blog post earlier as I didn’t have any approval from the Security Team of that program. Now they have approved my blog post. Well again this is not an English literature or grammar blog please ignore errors . |
| GraphQL Introspection leads to Sensitive Data Disclosure. | Hello, I am Pranay Bafna, Final Year Information Technology Student. I’m here to share about my recent findings on graphql. For Discovering this bug I learned graphql basics for atleast 2–3 hours and reading all other bug reports and especially nahamsec’s graphql CTF Challenge. |
| GraphQL introspection leads to sensitive data disclosure. | Hello World! I’m Eshan Singh, aka R0X4R. I’m that hacker teenager that your friends told you about. I hack web-server to make the system secure. I’m here to share my recent findings on GraphQL Introspection. All of us know that Facebook uses its own query language to store its data properly. |
| br3akp0int/GQLParser | Graph Query Parser & Editor A repository for Graph Query Extension for Burp Suite Requirements: You will need the below to get started: -The latest version of Burp(Tested for Burp 1.7.37 and above) -A Jython standalone Jar file (jython-standalone-2.7.0. |
| andev-software/graphql-ide | Download the latest 0.2.x version, this will give you an option to export any project for 1.x. After you've installed 1.x you can import the project there. You can always go back to 0.x, your project data is stored at /Users/[username]/Library/Application Support/graphql-ide |
| GraphQLmap | GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. You can also contribute with a 🍻 IRL or using Github Sponsoring button. |
| GraphQL IDOR leads to information disclosure | Hello World!, I’m Eshan Singh aka R0X4R. I’m here to share my recent findings on GraphQL IDOR (Insecure Direct Object Reference), which leads to information disclosure. So, let’s start. I’m signing in… What is GraphQL? |
