Null offensive hacking hands-on training.

Proposed sessions for this event:

  • Understanding and querying GraphQL apps by Maulik Lakhani
  • GraphQL attacking methodology - Part 1 by Maulik Lakhani
  • GraphQL attacking methodology - Part 2 by Maulik Lakhani
  • Mitigating GraphQL vulnerabilities and secure coding best practices by Maulik Lakhani

Note: The session details, including the schedule, are available below.

Attacking and Securing GraphQL Applications

Technicalities, Vulnerabilities, and Defense Strategies

Overview

This Null Humla session provides a detailed understanding of GraphQL vulnerabilities and teaches the skills needed to protect a GraphQL instance against common attacks.

Target Audience

  • Penetration Testers with web app and API security skills
  • Application Security Engineers
  • Developers building apps using GraphQL

This intermediate-level workshop is NOT suitable for beginners or GraphQL experts. The ideal attendees should have basic skills in:

  • Web application penetration testing
  • API penetration testing

Developers using GraphQL in their applications are also encouraged to join.

Agenda and Outcome

We will start by exploring the technical aspects of GraphQL, comparing it with traditional REST APIs, and highlighting its core functionalities. The session covers GraphQL security testing methodologies, including schema introspection, broken authorization, privilege escalation, and DoS attacks.

Participants will learn how to replace vulnerable code with secure alternatives, implement secure coding practices, limit query batching, and enhance overall security.

Prerequisites

Ensure the following tools are installed and pre-configured before the session:

  • Burp Suite Community or Professional and Postman Desktop
  • Docker Desktop or Rancher Desktop
  • Python IDE (e.g., PyCharm, Cursor)
  • Basic knowledge of Python Flask or FastAPI

Note: The Burp certificate should be installed in your trusted CA certs.

Date: Sunday, September 29, 2024
Chapter: Bangalore
Registrations: 53
Max Registrations: 60
Event Type: Invite Only
Start Time: 09:30 AM
End Time: 04:30 PM

Session Schedule

Name | Speaker | Start Time | End Time | Resources
Understanding and querying GraphQL apps | Maulik Lakhani | 09:30 AM | 11:30 AM |
Break | | 11:30 AM | 11:45 AM |
GraphQL attacking methodology - Part 1 | Maulik Lakhani | 11:45 AM | 12:30 PM |
Lunch | | 12:30 PM | 01:15 PM |
GraphQL attacking methodology - Part 2 | Maulik Lakhani | 01:15 PM | 03:00 PM |
Break | | 03:00 PM | 03:15 PM |
Mitigating GraphQL vulnerabilities and secure coding best practices | Maulik Lakhani | 03:15 PM | 04:30 PM |

Venue

This is an invite-only event. If you are selected, you will receive further information, including the venue, via e-mail.