Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Pentesting GraphQL APIs

Avatar for Arun Arun
July 17, 2020
Technology
0
200

Pentesting GraphQL APIs

Avatar for Arun

Arun

July 17, 2020
Tweet

More Decks by Arun

See All by Arun
Offensive-GraphQL-API-Exploitation
Avatar for Arun hehacks
1
330
OWASP DevSlop
Avatar for Arun hehacks
0
32
Android Pentesting For Beginners - RE & Static Code Analysis
Avatar for Arun hehacks
0
110
iOS Pentesting for Beginners
Avatar for Arun hehacks
1
41
Metasploit Database Usage
Avatar for Arun hehacks
0
34

Other Decks in Technology

See All in Technology
Claude Code 2026年 最新アップデート
Avatar for Oikon oikon48
13
10k
AIエージェント、 社内展開の前に知っておきたいこと
Avatar for oracle4engineer oracle4engineer
PRO
2
140
AWS CDK「読めるけど書けない」を脱却するファーストステップ
Avatar for Makky12 smt7174
3
120
楽しく学ぼう!ネットワーク入門
Avatar for Shota Shiratori shotashiratori
1
380
The_Evolution_of_Bits_AI_SRE.pdf
Avatar for 株式会社ヌーラボ nulabinc
PRO
0
220
AIエージェント時代に備える AWS Organizations とアカウント設計
Avatar for Hajime KOSHIRO kossykinto
3
1k
身体を持ったパーソナルAIエージェントの 可能性を探る開発
Avatar for yoko / Naoki Yokomachi yokomachi
1
120
僕、S3  シンプルって名前だけど全然シンプルじゃありません よろしくお願いします
Avatar for Yuuki Yamashita yama3133
1
220
Claude Code のコード品質がばらつくので AI に品質保証させる仕組みを作った話 / A story about building a mechanism to have AI ensure quality, because the code quality from Claude Code was inconsistent
Avatar for nrs nrslib
13
8k
複数クラスタ運用と検索の高度化:ビズリーチにおけるElastic活用事例 / ElasticON Tokyo2026
Avatar for Visional Engineering & Design visional_engineering_and_design
0
160
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
16
410k
2026年もソフトウェアサプライチェーンのリスクに立ち向かうために / Product Security Square #3
Avatar for GMO Flatt Security flatt_security
1
310

Featured

See All Featured
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
9
1.7k
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
3.1k
Ten Tips & Tricks for a 🌱 transition
Avatar for Manu Carrasco Molina stuffmc
0
88
Mozcon NYC 2025: Stop Losing SEO Traffic
Avatar for Sam Torres samtorres
0
180
Reality Check: Gamification 10 Years Later
Avatar for Sebastian Deterding codingconduct
0
2k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
860
It's Worth the Effort
Avatar for 3n 3n
188
29k
Java REST API Framework Comparison - PWX 2021
Avatar for Matt Raible mraible
34
9.2k
Getting science done with accelerated Python computing platforms
Avatar for Jacob Tomlinson jacobtomlinson
2
140
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
74
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
Avatar for Ines Montani inesmontani
PRO
3
2.1k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3k

Transcript

  1. None
  2. None

  3. graphql { GraphQL GraphQL Architecture REST Vs GraphQL GraphQL Schema

    Introspection Query GraphQL Vulnerabilities Pentesting Tools GraphQL in Action !!! }
  4. None
  5. None
  6. None
  7. None
  8. None

  9. Ref: https://bit.ly/3hLZNO7

  10. Ref: https://bit.ly/3fBQSNk

  11. None
  12. None

  13. • Query – For Retrieving data/Results, similar to GET in

    REST. • Mutation – For Modifications Like POST/PUT/DELETE Operations. • Subscriptions – For Events/Realtime Updates. GraphQL Schema Subscriptions (Type) - EVENTS Mutations (Type) - WRITE Query (Type) - READ
  14. None
  15. None

  16. Change the POST request into GET Request. Append the payload

    on the Endpoint URL from below link https://pastebin.com/QyNaXVKg https://pastebin.com/dFdsTaDQ
  17. None

  18. SQL Injection NoSQL Injection Access Control Related Issues. Mass Assignment

    IDOR Bypassing 2FA/BruteForce Attacks. DOS Attacks etc.,
  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None