Damn GraphQL - Attacking and Defending APIs

Security teams are in a never-ending race against newly emerging technologies. Often, these technologies are not secure by default and require deep research to defend, in order to succeed in balancing technology adoption with security. The challenge with new technologies is that the security knowledge and tooling may not be as mature as with older technologies. This talk will provide insight into GraphQL, a REST API alternative, and focus on how to run security tests against it, as well as how to defend against the various possible attack vectors.

With the rise of GraphQL, a query language made by Facebook, security professionals must be ready for the day GraphQL hits their company’s networks.

In this talk, we will walk through GraphQL basics, followed by a deep dive into the various GraphQL attack vectors, from Information Gathering to Denial of Service and Injections.

Additionally, we will discuss a recent security platform release - Damn Vulnerable GraphQL Application (DVGA), a platform made for security practitioners to learn GraphQL and its various weaknesses in a safe testing environment.