Damn GraphQL - Attacking and Defending APIs

Security teams are in a never-ending race against newly emerging technologies. Often, these technologies are not secure by default and require deep research to defend, in order to balance technology adoption with security. The challenge with new technologies is that the security knowledge and tooling may not be as mature as for older technologies. This talk will provide insight into GraphQL, a REST API alternative, and focus on how to run security tests against it, as well as how to defend against the various possible attack vectors.

With the rise of GraphQL, a query language made by Facebook, security professionals must be ready for the day GraphQL hits their company's networks.

In this talk, we will walk through GraphQL basics, followed by a deep dive into the various GraphQL attack vectors, from Information Gathering to Denial of Service and Injections.

Additionally, we will discuss a recent security platform release - Damn Vulnerable GraphQL Application (DVGA), a platform made for security practitioners to learn GraphQL and its various weaknesses in a safe testing environment.

Dolev Farhi, Principal Security Engineer, Wealthsimple

Dolev is a security engineer and author with extensive experience leading security engineering teams in complex environments and at scale in the Fintech and cyber security industries. Currently, he is the Principal Security Engineer at Wealthsimple, building defences for one of the fastest-growing Fintech companies in North America.

Dolev has previously worked for several security firms and provided training for official Linux certification tracks. He is one of the founders of DEFCON Toronto (DC416), a popular Toronto-based hacker group. In his spare time, he enjoys researching vulnerabilities in IoT devices, participating in and building CTF challenges, and contributing exploits to Exploit-DB.