Finding Your Next Bug: GraphQL
GraphQL is becoming the next big API technology for developers, but with new technology comes new risk, and for us that means bounties! In this video, I cover everything GraphQL, from how it works to what kinds of bugs are common. Next time we're going to expand on this and I'll show you how to do this live!

Did you know this episode was sponsored by Intigriti? Sign up with my link http://go.intigriti.com/katie

I'm so pleased with everyone's positive response to the Intigriti sponsorship, and I'm so pleased you folks are finding bugs and even finding your first bugs! Thank you for being awesome!

APIs continue to be one of my favourite things to hack, and in fact, after I learned GraphQL, a week or so later I had my first bug in GraphQL, nothing too interesting, just an IDOR. I was shocked by how easy it was! The syntax really does put people off, but there are so many bugs waiting to be found!

Links -
GraphQL Learn: https://graphql.org/learn/queries/
Introspection / general payloads: https://github.com/swisskyrepo/Payloa...
GraphQL Voyager: https://github.com/APIs-guru/graphql-...
GraphQL IDE: https://github.com/andev-software/gra...
Altair: https://altair.sirmuel.design
InQL: https://github.com/doyensec/inql
GraphQL Map: https://github.com/swisskyrepo/GraphQ...
graphql-path-enum: https://gitlab.com/dee-see/graphql-pa...
My video on Finding Bugs Using APIs: • Finding Your First Bug: Finding Bugs ...
My video on the Top 10 API Bugs: • Top 10 API Bugs (and Where to Find Them)
Farah's GraphQL Video: • HACKING GraphQL FOR BEGINNERS + GIVEA...

A staff member with no permissions can edit Store Customer Email - $1,500: https://hackerone.com/reports/980511
H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption - $802.20: https://hackerone.com/reports/419883
latest_activity_id and latest_activity_at may disclose information about internal activities to unauthorized users - $1,000: https://hackerone.com/reports/724944
Hacktivity of a private program visible to banned user if he gets invited to a program by hackbot - $500: https://hackerone.com/reports/357485
Disclosure of `payment_transactions` for programs via GraphQL query - $2,500: https://hackerone.com/reports/707433
Insufficient Type Check leading to Developer ability to delete Project, Repository, Group, ... - $5,000: https://hackerone.com/reports/960244 / https://hackerone.com/reports/858671
Hacker101 GraphQL levels: https://www.hackerone.com/blog/graphq...
NoSQL Injection: http://www.petecorey.com/blog/2017/06...
HackTricks - GraphQL: https://book.hacktricks.xyz/pentestin...
GraphQL Security Overview: https://blog.doyensec.com/2018/05/17/...

Social Media -
Discord: https://insiderphd.dev/discord
Patreon: / insiderphd
Twitter: / insiderphd

Patreon Shoutouts -
Yagami Panda Niklas Penny Wardell Castles strongbeard Gynvael Ram James Clee

Timestamps -
0:00 What is GraphQL and Why Hack it?
9:28 Writing Queries/Mutations and How They Work
22:56 Introspection and Recon
32:28 GraphQL Tools
36:18 GraphQL Bugs In The Wild
45:43 How to Hack GraphQL APIs