2019-036-RvrShell-graphql_defense-Part2
Published October 9, 2019 | 57 min

    Secure Python course: 

    https://brakesec.com/brakesecpythonclass 

    PDF Slides: https://drive.google.com/file/d/1wmxrfgbaHu56kfccLoOd5M3Zz6bNP6Qi/view?usp=sharing 

     

    GraphQL High Level

    https://graphql.org/

    Designed as an alternative to REST-style APIs

    Lets the client describe exactly the data it wants, potentially a very large request, in a single call using GraphQL's own query language

    Developed internally at Facebook in 2012, publicly released in 2015

    Queries are sent to one endpoint and responses come back as JSON 

     

    Learn Enough to be dangerous

    https://blog.bitsrc.io/13-graphql-tools-and-libraries-you-should-know-in-2019-e4b9005f6fc2

     

    WSDL: https://www.w3.org/TR/2001/NOTE-wsdl-20010315

     

    Vulns in the Wild

     

    Abusing GraphQL 

     

    OWASP Deserialization Cheat Sheet - https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

     

    Attack Techniques

    https://www.apollographql.com/docs/apollo-server/data/data/

    https://github.com/graphql/graphiql

     

    Protecting GraphQL

     

    https://github.com/maticzav/graphql-shield
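    The Attack Techniques and Protecting GraphQL sections above both come down to what a server does with an operation before it executes it. The following is an added example written for these notes; it is not code from the episode, from Apollo Server or from graphql-shield. It is a dependency-free Node.js pre-execution gate that measures selection-set depth, counts field aliases (the batching trick that turns one "large request" into hundreds of login attempts) and refuses introspection unless explicitly allowed. The helper names, the limits in DEFAULT_LIMITS and the sample operations are all constructed for the example.

```javascript
'use strict';

// Added example (not from the podcast, Apollo Server or graphql-shield).
// A cheap pre-execution gate for GraphQL operations: depth limit, alias
// (batching) limit and an introspection switch. Names are assumptions.

// Replace block strings, ordinary strings and comments with empty
// placeholders so that braces or "__schema" in user-controlled string
// values cannot influence the checks.
function stripLiterals(query) {
  return query
    .replace(/"""[\s\S]*?"""/g, '""')
    .replace(/"(?:\\.|[^"\\\n])*"/g, '""')
    .replace(/#[^\n]*/g, '');
}

// Additionally blank out argument lists and variable definitions "( ... )".
// Outside string literals GraphQL never nests parentheses, so one pass is
// enough. This also discards input-object braces such as
// login(input: {user: "x"}), which are not selection sets.
function stripArguments(query) {
  return stripLiterals(query).replace(/\([^()]*\)/g, '()');
}

// Maximum nesting of selection sets; the root selection set counts as 1.
function queryDepth(query) {
  let depth = 0;
  let max = 0;
  for (const ch of stripArguments(query)) {
    if (ch === '{') {
      depth += 1;
      if (depth > max) max = depth;
    } else if (ch === '}') {
      depth -= 1;
    }
  }
  return max;
}

// True if the operation reads the schema itself. __typename is ignored:
// ordinary clients send it on almost every query and it leaks nothing.
function usesIntrospection(query) {
  return /\b__(schema|type)\b/.test(stripLiterals(query));
}

// Number of field aliases. With arguments stripped, "name:" can only be an
// alias, and a flood of aliases is how one request batches many operations
// (for example hundreds of login mutations to dodge per-request rate limits).
function aliasCount(query) {
  const matches = stripArguments(query).match(/\b[A-Za-z_]\w*\s*:/g);
  return matches ? matches.length : 0;
}

// Limits chosen for the example; tune them to the schema's real shape.
const DEFAULT_LIMITS = { maxDepth: 6, maxAliases: 10, allowIntrospection: false };

function checkOperation(query, limits = DEFAULT_LIMITS) {
  const reasons = [];
  const depth = queryDepth(query);
  const aliases = aliasCount(query);
  if (depth > limits.maxDepth) {
    reasons.push(`depth ${depth} exceeds limit ${limits.maxDepth}`);
  }
  if (aliases > limits.maxAliases) {
    reasons.push(`${aliases} aliases exceed limit ${limits.maxAliases}`);
  }
  if (!limits.allowIntrospection && usesIntrospection(query)) {
    reasons.push('introspection is disabled');
  }
  return { allowed: reasons.length === 0, depth, aliases, reasons };
}

// Constructed sample operations: one legitimate, three abusive.
const SAMPLES = {
  legit: `query Profile($id: ID!) {
    user(id: $id) { name posts(first: 10) { title } }
  }`,
  deep: `{ user { friends { friends { friends { friends { friends { friends { name }}}}}}}}`,
  introspection: `{ __schema { types { name fields { name } } } }`,
  batch: 'mutation { ' +
    Array.from({ length: 50 }, (_, i) =>
      `a${i}: login(user: "admin", pass: "guess${i}") { token }`).join(' ') +
    ' }',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, query] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(checkOperation(query)));
  }
}
```

    In a real deployment these checks sit in front of the schema's own validation rather than replacing it: the GraphQL library still rejects malformed documents, and a permissions layer such as graphql-shield handles the per-field authorization that this filter does not attempt. Aliases are counted rather than parsed because the point is a cheap gate, and __typename is deliberately not treated as introspection since most clients send it on every query.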

     

    Magento 2 (exposes a GraphQL API) is hard to update…

     

    https://github.com/szski/shapeshifter - Shapeshifter, Matt's tool

     

    GraphQL implementations inside (ecosystem packages?)

     

    Infosec Campout 2020 occurring (28-29 Aug 2020, Carnation, WA)

    Patreon supporters  (Josh P and David G)

    Teepublic: https://www.teepublic.com/user/bdspodcast

     

    For Amanda next:

    https://www.cybercareersummit.com/

    & keynote at @grrcon, Oct 24/25

     

    Check out our Store on Teepublic! https://brakesec.com/store

    Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

    #Brakesec Store!: https://www.teepublic.com/user/bdspodcast

    #Spotify: https://brakesec.com/spotifyBDS

    #RSS: https://brakesec.com/BrakesecRSS

    #Youtube Channel:  http://www.youtube.com/c/BDSPodcast

    #iTunes Store Link: https://brakesec.com/BDSiTunes

    #Google Play Store: https://brakesec.com/BDS-GooglePlay

    Our main site:  https://brakesec.com/bdswebsite

    #iHeartRadio App:  https://brakesec.com/iHeartBrakesec

    #SoundCloud: https://brakesec.com/SoundcloudBrakesec

    Comments, Questions, Feedback: bds.podcast@gmail.com

    Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

    https://brakesec.com/BDSPatreon

    #Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

    #Player.FM : https://brakesec.com/BDS-PlayerFM

    #Stitcher Network: https://brakesec.com/BrakeSecStitcher

    #TuneIn Radio App: https://brakesec.com/TuneInBrakesec
