Want to learn about GraphQL hacking? Check out the resources below 👇
📝 Original Twitter Thread: https://twitter.com/drunkrhin0/status/1375038146409271300
1. Finding Your Next Bug: GraphQL
InsiderPhD strikes a great balance between giving an overview of how GraphQL works and covering the common bugs you may find.
2. REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure
rvrshell blew me away with the amount of detail in his Bugcrowd LevelUp talk. He goes deep into how GraphQL works and the workflow for attacking it. This is a must-watch!
3. Hacking GraphQL for Beginners
Farah provides a great overview of GraphQL and gives some live examples using Burp Suite to hack it.
4. GraphQL Documentation
The GraphQL documentation is super well written (I’m sure this comes as a shock). The previous two videos do cover this to a degree, but it’s always best to hear it straight from the horse’s mouth.
5. The 5 Most Common GraphQL Security Vulnerabilities
Aidan provides a great summary of the 5 most common GraphQL security vulnerabilities.
https://carvesystems.com/news/the-5-most-common-graphql-security-vulnerabilities/
6. HackTricks
You’ve dived in and are still not sure how to begin? @carlospolopm (HackTricks) provides an amazing start to enumeration, as well as some tools, extensions and references to help you.
This is one of my favourite sites and deserves a bookmark for sure!
https://book.hacktricks.xyz/pentesting/pentesting-web/graphql
7. GraphQL Voyager
Looking for an easy way to map out and understand the GraphQL logic? Check out GraphQL Voyager, which represents any GraphQL API as an interactive graph. It’s like BloodHound but for GraphQL.
https://github.com/IvanGoncharov/graphql-voyager
8. Disclosed GraphQL Vulnerability
Looking for an example of a disclosed GraphQL bug? Have a look at this @Hacker0x01 report: https://hackerone.com/reports/291531
There are plenty more resources out there, but this is just the start.