2019-035 - Matt Szymanski - Attack and Defense of GraphQL - Part 1
Derbycon discussion (bring Matt in)
Python course:
https://brakesec.com/brakesecpythonclass
PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing
GraphQL High Level
https://graphql.org/
Designed to replace the REST architecture
Allows the client to fetch a large amount of data in a single request, using a query language
Released by FB in 2012
Responses are returned as JSON
Learn Enough to be dangerous
https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2
WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315
Vulns in the Wild
Abusing GraphQL
OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html
Attack Techniques
https://www.apollographql.com/docs/apollo-server/data/data/
https://github.com/graphql/graphiql
Protecting GraphQL
https://github.com/maticzav/graphql-shield
Magento 2 (runs GraphQL), hard to update…
https://github.com/szski/shapeshifter - Matt’s tool, Shapeshifter
GraphQL implementations inside it (ecosystem packages?)
Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)
Patreon supporters (Josh P and David G)
Teepub: https://www.teepublic.com/user/bdspodcast
For Amanda next:
https://www.cybercareersummit.com/
and keynote at GrrCON, Oct 24/25
Check out our Store on Teepub! https://brakesec.com/store
Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com
#Brakesec Store!: https://www.teepublic.com/user/bdspodcast
#Spotify: https://brakesec.com/spotifyBDS
#RSS: https://brakesec.com/BrakesecRSS
#Youtube Channel: http://www.youtube.com/c/BDSPodcast
#iTunes Store Link: https://brakesec.com/BDSiTunes
#Google Play Store: https://brakesec.com/BDS-GooglePlay
Our main site: https://brakesec.com/bdswebsite
#iHeartRadio App: https://brakesec.com/iHeartBrakesec
#SoundCloud: https://brakesec.com/SoundcloudBrakesec
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon
https://brakesec.com/BDSPatreon
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://brakesec.com/BDS-PlayerFM
#Stitcher Network: https://brakesec.com/BrakeSecStitcher
#TuneIn Radio App: https://brakesec.com/TuneInBrakesec