A somewhat curated list of links to various topics in application security.
Link | Excerpt | Word Count |
---|---|---|
andev-software/graphql-ide | Download the latest 0.2.x version; this will give you an option to export any project for 1.x. After you've installed 1.x you can import the project there. You can always go back to 0.x, your project data is stored at /Users/[username]/Library/Application Support/graphql-ide | 116 |
Facebook GraphQL CSRF | There was a “CSRF” styled query in business.instagram.com that can allow GraphQL calls to be made. The discovery of the bug in View the Assigned Roles and Emails of an Instagram Account started at business.instagram.com/login with an authorization screen. | 841 |
GraphQL - Security Overview and Testing Tips | With the increasing popularity of GraphQL technology we are summarizing some documentation and tips about common security mistakes. GraphQL is a data query language developed by Facebook and publicly released in 2015. It is an alternative to REST API. | 900 |
doyensec/inql | Welcome to InQL v5.0, a major update for our open-source GraphQL testing tool. This version provides new and improved features aimed at enhancing your GraphQL testing capabilities, making it more efficient and effective. We appreciate your trust in InQL. Happy testing! | 1030 |
br3akp0int/GQLParser | A repository for Graph Query Extension for Burp Suite. You will need the below to get started: - The latest version of Burp (tested for Burp 1.7.37 and above) - A Jython standalone Jar file (jython-standalone-2.7.0. | 441 |
swisskyrepo/GraphQLmap | GraphQLmap is a scripting engine to interact with a GraphQL endpoint for pentesting purposes. You can also contribute with a 🍻 IRL or using the GitHub Sponsoring button. | 838 |
https://rafiem.github.io/bugbounty/tokopedia/site-wide-csrf-graphql/ | | 0 |
https://blog.usejournal.com/graphql-bug-to-steal-anyones-address-fc34f0374417 | | 0 |
https://medium.com/@pranaybafna/graphql-introspection-leads-to-sensitive-data-disclosure-65b385452d7f | | 0 |
GraphQL introspection leads to sensitive data disclosure. | Hello World! I’m Eshan Singh, aka R0X4R. I’m that hacker teenager that your friends told you about. I hack web servers to make the system secure. I’m here to share my recent findings on GraphQL Introspection. All of us know that Facebook uses its own query language to store its data properly. | 454 |
GraphQL IDOR leads to information disclosure | Hello World! I’m Eshan Singh, aka R0X4R. I’m here to share my recent findings on GraphQL IDOR (Insecure Direct Object Reference), which leads to information disclosure. So, let’s start. I’m signing in… What is GraphQL? | 536 |
https://link.medium.com/stPzUuzxmdb | | 0 |
Exploiting GraphQL | GraphQL is a language for APIs that enables you to query and manipulate data through a flexible syntax. GraphQL-based services have blown up in popularity over the last few years. From a hacker's perspective, what should we be focusing on? | 1112 |
gsmith257-cyber/GraphCrawler | Graph Crawler is the most powerful automated testing toolkit for any GraphQL endpoint. NEW: Can search for endpoints for you using Escape Technology's powerful Graphinder tool. | 370 |
https://infosecwriteups.com/mastering-the-realm-of-graphql-exploitation-a12ed5e04263 | | 0 |