Book description
Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you’re a penetration tester, security analyst, or software engineer, you’ll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required.
Following an introduction to core concepts, you’ll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries.
You’ll also learn how to:
• Use data collection and target mapping to learn about targets
• Defend APIs against denial-of-service attacks and exploit insecure configurations in GraphQL servers to gather information on hardened targets
• Impersonate users and take admin-level actions on a remote server
• Uncover injection-based vulnerabilities in servers, databases, and client browsers
• Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf
• Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies
This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.
Table of contents
- Title Page
- Copyright
- About the Authors
- Foreword
- Acknowledgments
- Introduction
- Chapter 1: A Primer on GraphQL
- Chapter 2: Setting Up a GraphQL Security Lab
- Chapter 3: The GraphQL Attack Surface
- Chapter 4: Reconnaissance
- Chapter 5: Denial of Service
- Chapter 6: Information Disclosure
  - Identifying Information Disclosure Vectors in GraphQL
  - Automating Schema Extraction with InQL
  - Overcoming Disabled Introspection
  - Using Field Suggestions
  - Using Field Stuffing
  - Type Stuffing in the __type Meta-field
  - Automating Field Suggestion and Stuffing Using Clairvoyance
  - Abusing Error Messages
  - Leaking Data by Using GET-Based Queries
  - Summary
- Chapter 7: Authentication and Authorization Bypasses
- Chapter 8: Injection
- Chapter 9: Request Forgery and Hijacking
- Chapter 10: Disclosed Vulnerabilities and Exploits
- Appendix A: GraphQL API Testing Checklist
- Appendix B: GraphQL Security Resources
- Index
Product information
- Title: Black Hat GraphQL
- Author(s):
- Release date: May 2023
- Publisher(s): No Starch Press
- ISBN: 9781718502840