REST in Peace - Abusing GraphQL to Attack Underlying Infrastructure

Offered By: Bugcrowd via YouTube

Tags: Ethical Hacking Courses, Cybersecurity Courses, GraphQL Courses

Course Description

Overview

Explore the security implications of GraphQL APIs in this conference talk from Bugcrowd's LevelUp 0x05 event. Learn about the potential vulnerabilities in GraphQL implementations and how attackers can exploit them to target underlying infrastructure. Gain insights into GraphQL-specific attack techniques, adapted traditional methods, and strategies for efficiently testing large GraphQL schemas. Discover how to leverage introspection queries, identify implementation errors, and navigate challenges when introspection is disabled. Examine real-world examples, understand protective measures, and get introduced to new tools for streamlining GraphQL security assessments. Equip yourself with the knowledge to approach GraphQL from a hacker's perspective and conduct thorough security evaluations of this increasingly popular API technology.

Syllabus

Intro
GraphQL
GraphQL Schema
GraphQL introspection queries
GraphQL endpoints
GraphQL bloopers
How to attack GraphQL
What to do if introspection is disabled
Attack techniques
Protecting GraphQL
ShapeShifter
Questions
Understanding GraphQL
Hacker 101
Realworld example
What is GraphQL
Taught by

Bugcrowd

Related Courses

Ethical Hacking (Indian Institute of Technology, Kharagpur via Swayam)
Investigación en Informática Forense y Ciberderecho - Research in Computer Forensics and Cyber Law (University of Extremadura via Miríadax)
MSc Cyber Security (Coventry University via FutureLearn)
Network Security - Introduction to Network Security (New York University (NYU) via edX)
Network Security - Advanced Topics (New York University (NYU) via edX)