Introduction to GraphQL Attacks

Published: 25 March 2024
on channel: Intigriti

👩‍🎓👨‍🎓 Learn about GraphQL API vulnerabilities! This video provides an introduction to GraphQL: what is it, how does it work, and what are schemas, queries, mutations, fields, arguments, variables, aliases, fragments, etc.? How do subscriptions and introspection work? How can we work with GraphQL APIs in Burp Suite? How do we find endpoints, exploit unsanitised arguments, discover schema information, etc.? This theory-focused video provides the fundamental background knowledge required for the practical labs, covered in future videos 🔜

If you're struggling with the concepts covered in this video, please review https://portswigger.net/web-security/... + https://portswigger.net/burp/document... + https://portswigger.net/web-security/... 🧠

🔗 @PortSwiggerTV challenge: https://portswigger.net/web-security/...

🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register

👾 Join our Discord - https://go.intigriti.com/discord

🎙️ This show is hosted by @_CryptoCat & Intigriti

👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com

Overview:
0:00 Intro
0:30 GraphQL API vulnerabilities
1:11 What is GraphQL?
1:48 How GraphQL works
2:39 What is a GraphQL schema?
3:25 What are GraphQL queries?
4:21 What are GraphQL mutations?
5:17 Components of queries and mutations
5:23 Components: fields
5:50 Components: arguments
6:20 Components: variables
7:19 Components: aliases
8:05 Components: fragments
8:30 Subscriptions
9:00 Introspection
9:38 Working with GraphQL in Burp Suite
11:53 Finding GraphQL endpoints
13:50 Exploiting unsanitized arguments
14:43 Discovering schema information
17:39 Conclusion