Advanced Offensive GraphQL Security Training

Master GraphQL hacking from the authors who wrote Black Hat GraphQL

Course Schedule

1 Day - live online only course

Course Abstract

Master GraphQL hacking from the authors who wrote Black Hat GraphQL. This (part 2) advanced hacking course builds on top of the foundational knowledge you gained about GraphQL internals in part 1. Leveraging a custom hacking lab, you’ll delve into the details of how to execute numerous GraphQL attacks such as:

  • Reconnaissance Techniques

  • Information Disclosure

  • Denial of Service Attacks

  • Authentication & Authorization Bypasses

  • Injection Exploits

  • Request Forgery & Hijacking

    • Cross-site request forgery

    • Server-side request forgery

What to Expect?

  • Hands-on GraphQL Offensive Security Learning

  • Use your own GraphQL Hacking Lab to detect and exploit vulnerabilities

  • Utilize GraphQL hacking tools like Graphw00f to discover and fingerprint GraphQL implementations

  • Learn about the GraphQL server implementations ecosystem

  • Convert theoretical knowledge about GraphQL weaknesses and apply them to practical attacks

  • Write your own GraphQL exploit code to automate attacks

  • Bypass common defences using native GraphQL features like batched queries and field suggestions

  • Gain insight into current trends and future plans for GraphQL

Course Prerequisites

  • Knowledge of GraphQL’s Language and Type System (See: part 1 Foundational GraphQL Attack Surface Training)

  • Basic networking knowledge

  • Basic web application knowledge

  • Familiarity with vulnerability classes (OWASP Top 10 and OWASP API Top 10 is a great start!)

  • Basics of Bash and Python

  • Patience

About the Instructors

Dolev Farhi is the co-author of the No Starch Press book - Black Hat GraphQL and creator of multiple GraphQL hacking tools such as the Damn Vulnerable GraphQL Application (DVGA), graphw00f and GraphQL Cop. Dolev is also the principal security engineer at Wealthsimple, co-founded DEFCON Toronto, and has extensive experience leading security engineering teams in the fintech and cybersecurity industries. In his spare time, he researches vulnerabilities in IoT devices, builds offensive security tools, participates in CTF challenges, and contributes to Exploit-DB.

Nick Aleks is the other co-author of the No Starch Press book - Black Hat GraphQL and is also the creator of two GraphQL hacking utilities, the GraphQL Threat Matrix and CrackQL. Nick is also the senior director of security at Wealthsimple, the other co-founder of DEFCON Toronto, and CEO of ASEC.IO. He’s also a board member at HackStudent and The University of Guelph’s Master of Cybersecurity and Threat Intelligence program. He’s hacked everything from websites to safes, cars, and even smart buildings.

Course Learning Objectives

  • Master GraphQL hacking tools and understand how and why they work

  • Perform reconnaissance activities to detect GraphQL targets allowing you to fingerprint implementation details and tailor future attacks

  • Craft a myriad of GraphQL queries which could result in Denial of Service and system performance degradation

  • Disclose schema details by abusing introspection and learn how bypass controls intended to disable direct schema access

  • Analyze and attack GraphQL authentication and authorization controls, using features like alias-based batched queries to brute force credentials

  • Gain database and operating system access by injecting payloads into GraphQL operations

  • Forge and hijack GraphQL client sessions using GraphQL-specific CSRF, SSRF, and WebSocket-based GraphQL subscription attacks

  • Learn about publicly disclosed GraphQL vulnerabilities and the exploits through work of bug bounty hunters and security researchers

Who Should Attend

This training program is for anyone who is interested in learning how to break GraphQL APIs through applied offensive security testing. Whether you’re a penetration tester who has heard of GraphQL and want to develop your hacking expertise, a security analyst looking to improve your knowledge of how to defend GraphQL APIs, or a software engineer planning to build a GraphQL-backed application, you should gain a lot of useful information from this course.

  • Information security professionals

  • Bug hunters & Red Teamers

  • GraphQL Developers

  • Security Engineers & Analysts

  • Anyone with interest in understanding GraphQL exploitation

  • Ethical hackers and penetration testers looking to upgrade their GraphQL exploitation skills

Course Agenda

GraphQL Reconnaissance
  • Detecting GraphQL

    • Identifying Common Endpoints

    • GraphQL Detection Tools

      • Nmap

      • Graphw00f

      • Canary queries

    • Graphical Client Query Interface Detection

  • Introspection Information Gathering

    • Schema Visualization with Voyager and SpectaQL

    • Documentation Generation

    • Exploring Disabled Introspection

  • Fingerprinting GraphQL Implementations

    • Detecting Underlying Technology with Graphw00f

  • Identifying Implementation Weaknesses

    • GraphQL Threat Matrix

GraphQL Reconnaissance
  • Denial of Service Vectors

    • Circular Queries

      • Circular Relationships

      • Circular Introspection

      • Circular Fragments

    • Field Duplication

    • Alias Overloading

    • Directive Overloading

    • Object Limit Overriding

    • Array-Based Query Batching

    • GraphQL Cop DoS Audits

  • Denial of Service Defences

    • Query Cost Analysis

    • Query Depth Analysis

    • Alias & Array-based Query Batch Limits

    • Field Duplication Limits

    • Response Filtering

    • Query Allow Lists

    • Automatic Persistent Queries

    • Timeouts

    • Edge Workers & Web Application Firewalls

    • Gateway Proxies

  • Publicly Disclosed Bug Bounty Denial of Service Exploits

GraphQL Information Disclosure Attacks
  • Information Disclosure Vectors

  • Schema Extraction with InQL

  • Disabled Introspection Bypasses

    • Canary Queries

    • Exploiting non-production environments

    • Exploiting __type meta field

  • Abusing Field Suggestions

    • Edit Distance Algorithm

    • Upcoming Field Suggestion Security Considerations

  • Field Stuffing

    • Optimizing Field Stuffing Attacks

    • Type Stuffing

    • Automated Stuffing with Clairvoyance

  • Abusing Error Messages

    • Probing for Excessive Error Messages

    • Exploring Debug mode

    • Stack Trace Analysis

  • GET Request Method Information Leakage Attacks

  • Publicly Disclosed Bug Bounty Information Disclosure Exploits

GraphQL Authentication & Authorization Attacks
  • The state of authentication & authorization in GraphQL

    • In-Band vs Out-of-Band Auth

    • Common Approaches

  • Authentication Attacks

    • Detecting authentication controls

    • Brute forcing credentials with Alias-based Query Batches

    • Brute forcing credentials with CrackQL

    • Bypass authentication with Operation Names

    • Forging & Leaking JWT Credentials

  • Authorization Attacks

    • Detecting authorization controls

    • Enumerating data access paths with graphql-path-enum

    • Argument and Field brute forcing with CrackQL

  • Publicly Disclosed Bug Bounty Authentication & Authorization Exploits

GraphQL Authentication & Authorization Attacks
  • Injection Vectors

    • Malicious Input Refresher

    • Injection OWASP Top 10

  • GraphQL Injection Surface

    • Query Arguments

    • Field Arguments

    • Query Directive Arguments

    • Operation Names

  • GraphQL Input Entry Points

  • SQL Injection

    • Manual GraphQL SQLi

    • Automated GraphQL SQLi with Burp Suite

  • Operating System Injection

    • Resolver Function Weaknesses

    • Manual GraphQL OS Injection

    • Automated GraphQL OS Injection with Commix

  • Cross-Site Scripting

    • Reflected XSS

    • Stored XSS

    • DOM-based XSS

  • Publicly Disclosed Bug Bounty Injection Exploits

GraphQL Request Forgery & Hijacking Attacks
  • Cross-Site Request Forgery

    • Locating State-Change Actions

    • Detecting POST-based CSRF Attacks

    • Automated Submitting CSRF Forms

    • Detecting GET-based CSRF Attacks

    • Performing GET-based CSRF with HTML Injection

    • Automated CSRF attacks with BatchQL and GraphQL Cop

    • CSRF Defences

  • Server-Side Request Forgery

    • SSRF Vectors

    • Identifying Vulnerable Operations, Fields and Arguments

    • Testing for SSRF

    • SSRF Defences

  • Cross-Site WebSocket Hijacking

    • Detection GraphQL Subscription Operations

    • Hijacking Subscription Queries

    • CSWSH Defences

Included Course Material

  • Black Hat GraphQL Book (Signed Copy)

  • GraphQL Hacking Swag (T-Shirt, Hat, Stickers)

  • Training Slides

  • Script and Code Samples

  • GraphQL Hacking Lab Deployment Instructions

Hardware Requirements

  • A laptop capable of running a virtual machine (8 GB+ of RAM)

  • 40 GB free hard drive space

  • Software Requirements

  • Script and Code Samples

  • GraphQL Hacking Lab Deployment Instructions

Software Requirements

  • VMware Workstation/Player/Virtualization installed

  • Everyone should have Administrator privilege on their laptop

Continuously defend your organization's attack surface.

Proactively monitor all of your applications, servers, endpoints and cloud infrastructure by combining automation and expert-driven testing to continuously identify and remediate vulnerabilities.

Request a Demo Learn more
... ...
... ...