Wednesday, October 2, 2019

2019-035-Matt_szymanski-attack and defense of GraphQL-Part1





Derbycon Discussion (bring Matt in)

 

Python course: 

https://brakesec.com/brakesecpythonclass 



PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing 

 

GraphQL High Level

https://graphql.org/

Designed to replace REST architecture

Allows you to make a single large request; uses a query language

Released by FB in 2012

JSON 

 

Learn Enough to be dangerous

https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

 

WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

 

Vulns in the Wild

 

Abusing GraphQL 

 

OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html



Attack Techniques

https://www.apollographql.com/docs/apollo-server/data/data/

https://github.com/graphql/graphiql



Protecting GraphQL

 

https://github.com/maticzav/graphql-shield

 

Magento 2 (runs GraphQL), hard to update…

 

https://github.com/szski/shapeshifter - Shapeshifter, Matt’s tool

 

GraphQL implementations inside (ecosystem packages?)

 

Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

Patreon supporters  (Josh P and David G)

Teepub: https://www.teepublic.com/user/bdspodcast

 

For Amanda next:

https://www.cybercareersummit.com/

& keynote @grrcon oct 24/25

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#Brakesec Store!:https://www.teepublic.com/user/bdspodcast

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
