Research Academy
My account Customers About Blog Careers Legal Contact Resellers
Back to all learning paths
PRACTITIONER

GraphQL API vulnerabilities

This learning path explores common vulnerabilities associated with GraphQL APIs due to implementation and design flaws. You'll learn how to find GraphQL endpoints, bypass some common defenses, and exploit a range of GraphQL API vulnerabilities.

Contents

Get started: Finding GraphQL endpoints

0 of 29

GET STARTED

Finding GraphQL endpoints 0 of 6

Finding GraphQL endpoints Get started

Universal queries

Common endpoint names

Common endpoint names - Continued

Request methods

Initial testing

Exploiting unsanitized arguments 0 of 2

Exploiting unsanitized arguments

Exploiting unsanitized arguments - Continued

Discovering schema information 0 of 9

Discovering schema information

Using introspection

Probing for introspection

Running a full introspection query

Visualizing introspection results

Suggestions

Suggestions - Continued

Lab: Accessing private GraphQL posts APPRENTICE

Lab: Accidental exposure of private GraphQL fields PRACTITIONER

Bypassing GraphQL introspection defenses 0 of 3

Bypassing GraphQL introspection defenses

Bypassing GraphQL introspection defenses - Continued

Lab: Finding a hidden GraphQL endpoint PRACTITIONER

Bypassing rate limiting using aliases 0 of 3

Bypassing rate limiting using aliases

Bypassing rate limiting using aliases - Continued

Lab: Bypassing GraphQL brute force protections PRACTITIONER

GraphQL CSRF 0 of 3

GraphQL CSRF

How do CSRF over GraphQL vulnerabilities arise?

Lab: Performing CSRF exploits over GraphQL PRACTITIONER

Preventing GraphQL attacks 0 of 1

Preventing GraphQL attacks

Preventing GraphQL brute-force attacks 0 of 1

Preventing GraphQL brute force attacks

Preventing CSRF over GraphQL 0 of 1

Preventing CSRF over GraphQL