Foundational GraphQL API Attack Surface Training

Course Abstract

Learn about GraphQL hacking from the authors who wrote Black Hat GraphQL. This crash course into GraphQL will give you a hands-on approach to learning about how this rapidly adopted API technology works and how its internals can be used as attack vectors.

• Basics of GraphQL communications, language and type system

• Build your own GraphQL hacking lab with a vulnerable target server and popular GraphQL hacking utilities

• Understand the basics of GraphQL vulnerabilities

What to Expect?

• Hands-on GraphQL Learning, from zero to hero

• Build your own GraphQL Hacking Lab

• In-depth overview of GraphQL’s Language & Type System, and the software ecosystem

• High level introduction to common GraphQL weaknesses

• Gain foundational knowledge required to execute advanced offensive GraphQL attacks

Course Prerequisites

• Basic networking knowledge

• Basic web application knowledge

• Familiarity with vulnerability classes (OWASP Top 10 and OWASP API Top 10 is a great start!)

• Basics of Bash and Python

• Patience

About the Instructor: Nick Aleks

Nick Aleks is the other co-author of the No Starch Press book - Black Hat GraphQL and is also the creator of two GraphQL hacking utilities, the GraphQL Threat Matrix and CrackQL. Nick is also the senior director of security at Wealthsimple, the other co-founder of DEFCON Toronto, and CEO of ASEC.IO. He’s also a board member at HackStudent and The University of Guelph’s Master of Cybersecurity and Threat Intelligence program. He’s hacked everything from websites to safes, cars, and even smart buildings.

About the Instuctor: Jared Meit

Jared Meit, OSWE, has always had a passion for taking things apart, learning how they work, and forgetting how to put them back together. He was a professional software developer for 12 years before shifting his focus to Application Security 5 years ago. His dev experience allows him to create tools that developer's will actually want to use.

Course Learning Objectives

• You’ll explore and learn GraphQL through the lens of a hacker

• Understand why some of the biggest companies are starting to use GraphQL and how it compares to RESTful APIs

• Discover GraphQL’s internals and understand how its language and type system can be manipulated against itself

• Establish your own GraphQL hacking lab, complete with a dedicated GraphQL API target to perform your attacks against

• Execute your first few GraphQL queries and get comfortable with this new API paradigm.

Who Should Attend

This training program is for anyone who is interested in learning how to break GraphQL APIs through applied offensive security testing. Whether you’re a penetration tester who has heard of GraphQL and want to develop your hacking expertise, a security analyst looking to improve your knowledge of how to defend GraphQL APIs, or a software engineer planning to build a GraphQL-backed application, you should gain a lot of useful information from this course.

• Information security professionals

• Bug hunters & Red Teamers

• GraphQL Developers

• Security Engineers & Analysts

• Anyone with interest in understanding GraphQL exploitation

• Ethical hackers and penetration testers looking to upgrade their GraphQL exploitation skills

Course Agenda

GraphQL Introduction

• What is GraphQL?

• Origin

• The GraphQL Specification

• GraphQL Communications

• The GraphQL Specification

• Schema

• Root Types

• Parsers & Resolvers

• GraphQL vs REST API

• Hands on GraphQL Queries

GraphQL Security Lab Development

• Security Precautions

• Virtual Environment Setup

• Installing GraphQL clients

• GUI Clients

• CLI Clients

• Setting up a Vulnerable GraphQL Server

• Deploying & Testing Damn Vulnerable GraphQL Application (DVGA)

• Installing GraphQL Hacking Tools

• Burp Suite

• Clairvoyance

• InQL

• Graphw00f

• BatchQL

• Nmap

• Commix

• graphql-path-enum

• EyeWitness

• GraphQL Cop

• CrackQL

GraphQL Internals & Attack Surface

• Attack Surface Introduction

• The GraphQL Language

• Operation Types

• Operation Names

• Fields

• Arguments

• Aliases

• Fragments

• Variables

• Directives

• GraphQL Data Types

• Objects

• Scalars

• Enums

• Unions

• Interfaces

• Inputs

• Introspection

• Validation & Execution Phases

• GraphQL Weaknesses (Primer for Advance Course)

• Specification Rules & Implementation Weaknesses

• Denial of Service

• Information Disclosure

• Authentication & Authorization Bypasses

• Injection

• Request Forgery & Hijacking

Included Course Material

• Black Hat GraphQL Book (Signed Copy)

• GraphQL Hacking Swag (T-Shirt, Hat, Stickers)

• Training Slides

• Script and Code Samples

• GraphQL Hacking Lab Deployment Instructions

Hardware Requirements

• A laptop capable of running a virtual machine (8 GB+ of RAM)

• 40 GB free hard drive space

• Software Requirements

• Script and Code Samples

• GraphQL Hacking Lab Deployment Instructions

Software Requirements

• VMware Workstation/Player/Virtualization installed

• Everyone should have Administrator privilege on their laptop