Course Details / Course Logistics
One Day Workshop / DOJO on March 19, 2024 (Tuesday)
Attendance available in the following avenues:
On-Line
In-Person
Course Abstract
Master GraphQL hacking from the authors who wrote Black Hat GraphQL. This (part 2) advanced hacking course builds on top of the foundational knowledge you gained about GraphQL internals in part 1. Leveraging a custom hacking lab, you’ll delve into the details of how to execute numerous GraphQL attacks such as:
Reconnaissance Techniques
Information Disclosure
Denial of Service Attacks
Authentication & Authorization Bypasses
Injection Exploits
Request Forgery & Hijacking
Cross-site request forgery
Server-side request forgery
What to Expect?
Hands-on GraphQL Offensive Security Learning
Use your own GraphQL Hacking Lab to detect and exploit vulnerabilities
Utilize GraphQL hacking tools like Graphw00f to discover and fingerprint GraphQL implementations
Learn about the GraphQL server implementations ecosystem
Convert theoretical knowledge about GraphQL weaknesses and apply them to practical attacks
Write your own GraphQL exploit code to automate attacks
Bypass common defences using native GraphQL features like batched queries and field suggestions
Gain insight into current trends and future plans for GraphQL
Course Prerequisites
Knowledge of GraphQL’s Language and Type System (See: part 1 Foundational GraphQL Attack Surface Training)
Basic networking knowledge
Basic web application knowledge
Familiarity with vulnerability classes (the OWASP Top 10 and OWASP API Top 10 are a great start!)
Basics of Bash and Python
Patience
About the Instructor: Nick Aleks
Nick Aleks is a co-author of the No Starch Press book - Black Hat GraphQL and is also the creator of two GraphQL hacking utilities, the GraphQL Threat Matrix and CrackQL. Nick is also the senior director of security at Wealthsimple, the other co-founder of DEFCON Toronto, and CEO of ASEC.IO. He’s also a board member at HackStudent and The University of Guelph’s Master of Cybersecurity and Threat Intelligence program. He’s hacked everything from websites to safes, cars, and even smart buildings.
About the Instructor: Jared Meit
Jared Meit, OSWE, has always had a passion for taking things apart, learning how they work, and forgetting how to put them back together. He was a professional software developer for 12 years before shifting his focus to Application Security 5 years ago. His dev experience allows him to create tools that developers will actually want to use.
Course Learning Objectives
Master GraphQL hacking tools and understand how and why they work
Perform reconnaissance activities to detect GraphQL targets, allowing you to fingerprint implementation details and tailor future attacks
Craft a myriad of GraphQL queries which could result in Denial of Service and system performance degradation
Disclose schema details by abusing introspection and learn how to bypass controls intended to disable direct schema access
Analyze and attack GraphQL authentication and authorization controls, using features like alias-based batched queries to brute force credentials
Gain database and operating system access by injecting payloads into GraphQL operations
Forge and hijack GraphQL client sessions using GraphQL-specific CSRF, SSRF, and WebSocket-based GraphQL subscription attacks
Learn about publicly disclosed GraphQL vulnerabilities and exploits from the work of bug bounty hunters and security researchers
Who Should Attend
This training program is for anyone who is interested in learning how to break GraphQL APIs through applied offensive security testing. Whether you’re a penetration tester who has heard of GraphQL and wants to develop your hacking expertise, a security analyst looking to improve your knowledge of how to defend GraphQL APIs, or a software engineer planning to build a GraphQL-backed application, you should gain a lot of useful information from this course.
Information security professionals
Bug hunters & Red Teamers
GraphQL Developers
Security Engineers & Analysts
Anyone with interest in understanding GraphQL exploitation
Ethical hackers and penetration testers looking to upgrade their GraphQL exploitation skills
Course Agenda
GraphQL Reconnaissance
Detecting GraphQL
Identifying Common Endpoints
GraphQL Detection Tools
Nmap
Graphw00f
Canary queries
Graphical Client Query Interface Detection
Introspection Information Gathering
Schema Visualization with Voyager and SpectaQL
Documentation Generation
Exploring Disabled Introspection
Fingerprinting GraphQL Implementations
Detecting Underlying Technology with Graphw00f
Identifying Implementation Weaknesses
GraphQL Threat Matrix
GraphQL Reconnaissance
Denial of Service Vectors
Circular Queries
Circular Relationships
Circular Introspection
Circular Fragments
Field Duplication
Alias Overloading
Directive Overloading
Object Limit Overriding
Array-Based Query Batching
GraphQL Cop DoS Audits
Denial of Service Defences
Query Cost Analysis
Query Depth Analysis
Alias & Array-based Query Batch Limits
Field Duplication Limits
Response Filtering
Query Allow Lists
Automatic Persisted Queries
Timeouts
Edge Workers & Web Application Firewalls
Gateway Proxies
Publicly Disclosed Bug Bounty Denial of Service Exploits
GraphQL Information Disclosure Attacks
Information Disclosure Vectors
Schema Extraction with InQL
Disabled Introspection Bypasses
Canary Queries
Exploiting non-production environments
Exploiting __type meta field
Abusing Field Suggestions
Edit Distance Algorithm
Upcoming Field Suggestion Security Considerations
Field Stuffing
Optimizing Field Stuffing Attacks
Type Stuffing
Automated Stuffing with Clairvoyance
Abusing Error Messages
Probing for Excessive Error Messages
Exploring Debug mode
Stack Trace Analysis
GET Request Method Information Leakage Attacks
Publicly Disclosed Bug Bounty Information Disclosure Exploits
GraphQL Authentication & Authorization Attacks
The state of authentication & authorization in GraphQL
In-Band vs Out-of-Band Auth
Common Approaches
Authentication Attacks
Detecting authentication controls
Brute forcing credentials with Alias-based Query Batches
Brute forcing credentials with CrackQL
Bypass authentication with Operation Names
Forging & Leaking JWT Credentials
Authorization Attacks
Detecting authorization controls
Enumerating data access paths with graphql-path-enum
Argument and Field brute forcing with CrackQL
Publicly Disclosed Bug Bounty Authentication & Authorization Exploits
GraphQL Injection Attacks
Injection Vectors
Malicious Input Refresher
Injection OWASP Top 10
GraphQL Injection Surface
Query Arguments
Field Arguments
Query Directive Arguments
Operation Names
GraphQL Input Entry Points
SQL Injection
Manual GraphQL SQLi
Automated GraphQL SQLi with Burp Suite
Operating System Injection
Resolver Function Weaknesses
Manual GraphQL OS Injection
Automated GraphQL OS Injection with Commix
Cross-Site Scripting
Reflected XSS
Stored XSS
DOM-based XSS
Publicly Disclosed Bug Bounty Injection Exploits
GraphQL Request Forgery & Hijacking Attacks
Cross-Site Request Forgery
Locating State-Change Actions
Detecting POST-based CSRF Attacks
Automated CSRF Form Submission
Detecting GET-based CSRF Attacks
Performing GET-based CSRF with HTML Injection
Automated CSRF attacks with BatchQL and GraphQL Cop
CSRF Defences
Server-Side Request Forgery
SSRF Vectors
Identifying Vulnerable Operations, Fields and Arguments
Testing for SSRF
SSRF Defences
Cross-Site WebSocket Hijacking
Detecting GraphQL Subscription Operations
Hijacking Subscription Queries
CSWSH Defences
Included Course Material
Black Hat GraphQL Book (Signed Copy)
GraphQL Hacking Swag (T-Shirt, Hat, Stickers)
Training Slides
Script and Code Samples
GraphQL Hacking Lab Deployment Instructions
Hardware Requirements
A laptop capable of running a virtual machine (8 GB+ of RAM)
40 GB free hard drive space
Software Requirements
VMware Workstation/Player/Virtualization installed
Everyone should have Administrator privilege on their laptop