Back to All Events

Advanced Offensive GraphQL Security Training

  • secwest.net Vancouver Canada (map)

Course Details / Course Logistics

One Day Workshop / DOJO on March 19, 2024 (Tuesday)

Attendance available in the following avenues:

  • On-Line

  • In-Person

 

Course Abstract

Master GraphQL hacking from the authors who wrote Black Hat GraphQL. This (part 2) advanced hacking course builds on top of the foundational knowledge you gained about GraphQL internals in part 1. Leveraging a custom hacking lab, you’ll delve into the details of how to execute numerous GraphQL attacks such as:

  • Reconnaissance Techniques

  • Information Disclosure

  • Denial of Service Attacks

  • Authentication & Authorization Bypasses

  • Injection Exploits

  • Request Forgery & Hijacking

    • Cross-site request forgery

    • Server-side request forgery

 

What to Expect?

  • Hands-on GraphQL Offensive Security Learning

  • Use your own GraphQL Hacking Lab to detect and exploit vulnerabilities

  • Utilize GraphQL hacking tools like Graphw00f to discover and fingerprint GraphQL implementations

  • Learn about the GraphQL server implementations ecosystem

  • Convert theoretical knowledge about GraphQL weaknesses and apply them to practical attacks

  • Write your own GraphQL exploit code to automate attacks

  • Bypass common defences using native GraphQL features like batched queries and field suggestions

  • Gain insight into current trends and future plans for GraphQL

 

Course Prerequisites

  • Knowledge of GraphQL’s Language and Type System (See: part 1 Foundational GraphQL Attack Surface Training)

  • Basic networking knowledge

  • Basic web application knowledge

  • Familiarity with vulnerability classes (OWASP Top 10 and OWASP API Top 10 is a great start!)

  • Basics of Bash and Python

  • Patience

 

About the Instructor: Nick Aleks

Nick Aleks is a co-author of the No Starch Press book - Black Hat GraphQL and is also the creator of two GraphQL hacking utilities, the GraphQL Threat Matrix and CrackQL. Nick is also the senior director of security at Wealthsimple, the other co-founder of DEFCON Toronto, and CEO of ASEC.IO. He’s also a board member at HackStudent and The University of Guelph’s Master of Cybersecurity and Threat Intelligence program. He’s hacked everything from websites to safes, cars, and even smart buildings.

 

About the Instuctor: Jared Meit

Jared Meit, OSWE, has always had a passion for taking things apart, learning how they work, and forgetting how to put them back together. He was a professional software developer for 12 years before shifting his focus to Application Security 5 years ago. His dev experience allows him to create tools that developer's will actually want to use.

 

Course Learning Objectives

  • Master GraphQL hacking tools and understand how and why they work

  • Perform reconnaissance activities to detect GraphQL targets allowing you to fingerprint implementation details and tailor future attacks

  • Craft a myriad of GraphQL queries which could result in Denial of Service and system performance degradation

  • Disclose schema details by abusing introspection and learn how bypass controls intended to disable direct schema access

  • Analyze and attack GraphQL authentication and authorization controls, using features like alias-based batched queries to brute force credentials

  • Gain database and operating system access by injecting payloads into GraphQL operations

  • Forge and hijack GraphQL client sessions using GraphQL-specific CSRF, SSRF, and WebSocket-based GraphQL subscription attacks

  • Learn about publicly disclosed GraphQL vulnerabilities and the exploits through work of bug bounty hunters and security researchers

 

Who Should Attend

This training program is for anyone who is interested in learning how to break GraphQL APIs through applied offensive security testing. Whether you’re a penetration tester who has heard of GraphQL and want to develop your hacking expertise, a security analyst looking to improve your knowledge of how to defend GraphQL APIs, or a software engineer planning to build a GraphQL-backed application, you should gain a lot of useful information from this course.

  • Information security professionals

  • Bug hunters & Red Teamers

  • GraphQL Developers

  • Security Engineers & Analysts

  • Anyone with interest in understanding GraphQL exploitation

  • Ethical hackers and penetration testers looking to upgrade their GraphQL exploitation skills

 

Course Agenda

GraphQL Reconnaissance

  • Detecting GraphQL

    • Identifying Common Endpoints

    • GraphQL Detection Tools

      • Nmap

      • Graphw00f

      • Canary queries

    • Graphical Client Query Interface Detection

  • Introspection Information Gathering

    • Schema Visualization with Voyager and SpectaQL

    • Documentation Generation

    • Exploring Disabled Introspection

  • Fingerprinting GraphQL Implementations

    • Detecting Underlying Technology with Graphw00f

  • Identifying Implementation Weaknesses

    • GraphQL Threat Matrix

 

GraphQL Reconnaissance

  • Denial of Service Vectors

    • Circular Queries

      • Circular Relationships

      • Circular Introspection

      • Circular Fragments

    • Field Duplication

    • Alias Overloading

    • Directive Overloading

    • Object Limit Overriding

    • Array-Based Query Batching

    • GraphQL Cop DoS Audits

  • Denial of Service Defences

    • Query Cost Analysis

    • Query Depth Analysis

    • Alias & Array-based Query Batch Limits

    • Field Duplication Limits

    • Response Filtering

    • Query Allow Lists

    • Automatic Persistent Queries

    • Timeouts

    • Edge Workers & Web Application Firewalls

    • Gateway Proxies

  • Publicly Disclosed Bug Bounty Denial of Service Exploits

 

GraphQL Information Disclosure Attacks

  • Information Disclosure Vectors

  • Schema Extraction with InQL

  • Disabled Introspection Bypasses

    • Canary Queries

    • Exploiting non-production environments

    • Exploiting __type meta field

  • Abusing Field Suggestions

    • Edit Distance Algorithm

    • Upcoming Field Suggestion Security Considerations

  • Field Stuffing

    • Optimizing Field Stuffing Attacks

    • Type Stuffing

    • Automated Stuffing with Clairvoyance

  • Abusing Error Messages

    • Probing for Excessive Error Messages

    • Exploring Debug mode

    • Stack Trace Analysis

  • GET Request Method Information Leakage Attacks

  • Publicly Disclosed Bug Bounty Information Disclosure Exploits

 

GraphQL Authentication & Authorization Attacks

  • The state of authentication & authorization in GraphQL

    • In-Band vs Out-of-Band Auth

    • Common Approaches

  • Authentication Attacks

    • Detecting authentication controls

    • Brute forcing credentials with Alias-based Query Batches

    • Brute forcing credentials with CrackQL

    • Bypass authentication with Operation Names

    • Forging & Leaking JWT Credentials

  • Authorization Attacks

    • Detecting authorization controls

    • Enumerating data access paths with graphql-path-enum

    • Argument and Field brute forcing with CrackQL

  • Publicly Disclosed Bug Bounty Authentication & Authorization Exploits

 

GraphQL Injection Attacks

  • Injection Vectors

    • Malicious Input Refresher

    • Injection OWASP Top 10

  • GraphQL Injection Surface

    • Query Arguments

    • Field Arguments

    • Query Directive Arguments

    • Operation Names

  • GraphQL Input Entry Points

  • SQL Injection

    • Manual GraphQL SQLi

    • Automated GraphQL SQLi with Burp Suite

  • Operating System Injection

    • Resolver Function Weaknesses

    • Manual GraphQL OS Injection

    • Automated GraphQL OS Injection with Commix

  • Cross-Site Scripting

    • Reflected XSS

    • Stored XSS

    • DOM-based XSS

  • Publicly Disclosed Bug Bounty Injection Exploits

 

GraphQL Request Forgery & Hijacking Attacks

  • Cross-Site Request Forgery

    • Locating State-Change Actions

    • Detecting POST-based CSRF Attacks

    • Automated Submitting CSRF Forms

    • Detecting GET-based CSRF Attacks

    • Performing GET-based CSRF with HTML Injection

    • Automated CSRF attacks with BatchQL and GraphQL Cop

    • CSRF Defences

  • Server-Side Request Forgery

    • SSRF Vectors

    • Identifying Vulnerable Operations, Fields and Arguments

    • Testing for SSRF

    • SSRF Defences

  • Cross-Site WebSocket Hijacking

    • Detection GraphQL Subscription Operations

    • Hijacking Subscription Queries

    • CSWSH Defences

 

Included Course Material

  • Black Hat GraphQL Book (Signed Copy)

  • GraphQL Hacking Swag (T-Shirt, Hat, Stickers)

  • Training Slides

  • Script and Code Samples

  • GraphQL Hacking Lab Deployment Instructions

 

Hardware Requirements

  • A laptop capable of running a virtual machine (8 GB+ of RAM)

  • 40 GB free hard drive space

  • Software Requirements

  • Script and Code Samples

  • GraphQL Hacking Lab Deployment Instructions

 

Software Requirements

  • VMware Workstation/Player/Virtualization installed

  • Everyone should have Administrator privilege on their laptop

 
 
Previous
Previous
March 19

Teaching Burp to Speak GraphQL: Automated Security Scanning of Your GraphQL API with Burp

Next
Next
March 19

Media Effects used in Influence Operations