Hacking GraphQL 101


Peace be upon you, and the mercy and blessings of Allah.

Hello everyone! I'm excited to share the recent presentation I gave, Hacking GraphQL 101 - Exploring & Exploiting Vulnerabilities in GraphQL APIs, at the NULL Hyderabad meetup on Feb 22, 2025. In this session, we covered GraphQL security topics such as:

What is GraphQL? - A brief explanation of GraphQL as a query language and runtime, highlighting how it differs from REST APIs.

Terminology of GraphQL - An introduction to the core concepts of Query, Mutation, Subscription, and Resolver, which are fundamental to understanding GraphQL.

Discovery of GraphQL - Techniques for finding GraphQL APIs, a crucial first step for penetration testers and security researchers.

Finding Misconfigurations - Both manual and automated approaches to identifying common issues in GraphQL APIs, including overly permissive schemas and weak authorization.

Pentesting GraphQL APIs - A practical guide to pentesting GraphQL APIs, focusing on exploiting misconfigurations and weak access control.

Hardening GraphQL APIs - A list of best practices for securing GraphQL APIs, which developers can implement to prevent these security issues.

You can find the slides at Hacking GraphQL 101. Stay curious and keep learning! 🙌