appsec.fyi

A somewhat curated list of links to various topics in application security.

GraphQL

LinkExcerptWord Count
andev-software/graphql-ideDownload the latest 0.2.x version, this will give you an option to export any project for 1.x. After you've installed 1.x you can import the project there. You can always go back to 0.x, your project data is stored at /Users/[username]/Library/Application Support/graphql-ide126
Facebook GraphQL CSRFThere was a “CSRF” styled query in business.instagram.com that can allow GraphQL calls to be made. The discovery of the bug in View the Assigned Roles and Emails of an Instagram Account started at business.instagram.com/login with an authorization screen.841
GraphQL - Security Overview and Testing TipsWith the increasing popularity of GraphQL technology we are summarizing some documentation and tips about common security mistakes. GraphQL is a data query language developed by Facebook and publicly released in 2015. It is an alternative to REST API.900
InQL ScannerInQL can be used as a stand-alone script or as a Burp Suite extension. InQL can inspect the introspection query results and generate clean documentation in different formats such as HTML and JSON schema.1000
br3akp0int/GQLParserGraph Query Parser & Editor A repository for Graph Query Extension for Burp Suite Requirements: You will need the below to get started: -The latest version of Burp(Tested for Burp 1.7.37 and above) -A Jython standalone Jar file (jython-standalone-2.7.0.454
GraphQLmapGraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. You can also contribute with a 🍻 IRL or using Github Sponsoring button.550
[TOKOPEDIA] SITE-WIDE CSRF THROUGH GRAPHQL REQUESTCross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.804
Graphql Abuse to Steal Anyone’s AddressDue to some reasons, I had to remove this blog post earlier as I didn’t have any approval from the Security Team of that program. Now they have approved my blog post. Well again this is not an English literature or grammar blog please ignore errors .574
GraphQL Introspection leads to Sensitive Data Disclosure.Hello, I am Pranay Bafna, Final Year Information Technology Student. I’m here to share about my recent findings on graphql. For Discovering this bug I learned graphql basics for atleast 2–3 hours and reading all other bug reports and especially nahamsec’s graphql CTF Challenge.490
GraphQL introspection leads to sensitive data disclosure.Hello World! I’m Eshan Singh, aka R0X4R. I’m that hacker teenager that your friends told you about. I hack web-server to make the system secure. I’m here to share my recent findings on GraphQL Introspection. All of us know that Facebook uses its own query language to store its data properly.438
GraphQL IDOR leads to information disclosureHello World!, I’m Eshan Singh aka R0X4R. I’m here to share my recent findings on GraphQL IDOR (Insecure Direct Object Reference), which leads to information disclosure. So, let’s start. I’m signing in… What is GraphQL?497
Oh snap! We don't support this version of your browser, and neither should you!You are visiting this page because we detected an unsupported browser. Your browser does not support security features that we require. We highly recommend that you update your browser. If you believe you have arrived here in error, please contact us. Be sure to include your browser version.48
GraphQL 101 ChallengeREST was born in 2000 as Roy Fielding wanted to define the standardized way of API communication. In 2015 Facebook internally developed GraphQL as a modern and scalable way of communication between client and server. Kiwi.1022
Exploiting GraphQLGraphQL is a language for APIs that enables you to query and manipulate data through a flexible syntax. GraphQL based services have blown up over the last few years in popularity. From a hackers perspective, what should we be focusing on?1306
gsmith257-cyber/GraphCrawlerGraph Crawler is an automated testing tool for any GraphQL endpoint. It will run through and check if mutation is enabled, check for any sensative queries avaliable, such as users and files, and it will also test any easy queries it find to see if authentication is required.180
Mastering the Realm of GraphQL ExploitationIn this blog, we embark on a journey about Hacking GraphQL. Whether you’re a curious enthusiast eager to explore the latest advancements in web technologies, this comprehensive guide will serve as your compass through the intricacies of GraphQL4641