
Black Hat GraphQL: Attacking Next Generation APIs [Paperback]

  • Format: Paperback / softback, 320 pages, height x width: 234x177 mm
  • Publication date: 23-May-2023
  • Publisher: No Starch Press, US
  • ISBN-10: 1718502842
  • ISBN-13: 9781718502840
Written by hackers for hackers, this hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Web applications are increasingly using the query language GraphQL to share data, but the security of these useful APIs is lagging behind. Authored by the developers of widely used GraphQL security-testing tools, Black Hat GraphQL will teach you how to find and exploit flaws in this technology.

Early chapters provide in-depth knowledge of GraphQL and its query language, as well as its potential security pitfalls. Readers will then be guided through setting up a hacking lab for targeting GraphQL applications using specialized GraphQL security tools. They will learn how to conduct offensive security tests against production GraphQL systems by gleaning information from GraphQL implementations during reconnaissance and probing them for vulnerabilities, like injections, information disclosure, and Denial of Service.

Reviews

"Black Hat GraphQL is the best resource for anyone looking to test GraphQL for vulnerabilities. Not only did Aleks and Farhi write the book, but they also created the vulnerable application used in the book's labs and created a suite of tools specially designed for analyzing weaknesses within GraphQL APIs. This is a must-read book for those in API security." Corey Ball, author of Hacking APIs

"This book brought me from zero to incredibly dangerous in ten chapters. The authors break down complex topics, making them easy to understand, as well as outlining pros and cons of each feature, tool, and tactic. The book also has quite a bit of foreshadowing, mentioning how certain parts of GraphQL work, and how they will be exploited later. The authors share not only several hands-on labs, but several tools they created themselves and open-sourced for all to use. If you are going to be PenTesting GraphQL systems, or are charged with protecting such a system, this book is a must-have." Tanya Janca, founder of We Hack Purple

"With the increasing number of web platforms built on top of GraphQL, this book is an essential resource for all security practitioners. By covering both the basics and advanced topics, Nick and Dolev have created the ultimate guide to hacking GraphQL." Luca Carettoni, Doyensec

"Knowing how to secure GraphQL is often the first question most users have after they have that "ah ha!" moment about how cool it is. While Apollo and others have written a lot of great documentation on best security practices, Black Hat GraphQL is the most comprehensive look from the other side. This is not just a book for red teamers or penetration testers. Any GraphQL developer will learn a lot here." Tad Whitaker, Apollo GraphQL

"I study my way up in cybersecurity, in part, through books. While many of the books I use don't actually bring something new to the table, Black Hat GraphQL is definitely an exception. My copy, believe it or not, is oversaturated with highlights. And that probably says it all." Cristi Vlad, @CristiVlad25, cybersecurity researcher

Contents

  • Foreword
  • Acknowledgments
  • Introduction
      • Who This Book Is For
      • The Book's Lab and Code Repository
      • What's in This Book
  • 1 A Primer on GraphQL
      • The Basics
          • Origins
          • Use Cases
          • Specification
      • How Do Communications Work?
          • The Schema
          • Queries
          • The Query Parser and Resolver Functions
      • What Problems Does GraphQL Solve?
      • GraphQL APIs vs. REST APIs
          • The REST Example
          • The GraphQL Example
          • Other Differences
      • Your First Query
      • Summary
  • 2 Setting Up a GraphQL Security Lab
      • Taking Security Precautions
      • Installing Kali
      • Installing Web Clients
          • Querying from the Command Line with cURL
          • Querying from a GUI with Altair
      • Setting Up a Vulnerable GraphQL Server
          • Installing Docker
          • Deploying the Damn Vulnerable GraphQL Application
          • Testing DVGA
      • Installing GraphQL Hacking Tools
          • Burp Suite
          • Clairvoyance
          • InQL
          • graphw00f
          • BatchQL
          • Nmap
          • Commix
          • graphql-path-enum
          • EyeWitness
          • GraphQL Cop
          • CrackQL
      • Summary
  • 3 The GraphQL Attack Surface
      • What Is an Attack Surface?
      • The Language
          • Queries, Mutations, and Subscriptions
          • Operation Names
          • Fields
          • Arguments
          • Aliases
          • Fragments
          • Variables
          • Directives
      • Data Types
          • Objects
          • Scalars
          • Enums
          • Unions
          • Interfaces
          • Inputs
      • Introspection
      • Validation and Execution
      • Common Weaknesses
          • Specification Rule and Implementation Weaknesses
          • Denial of Service
          • Information Disclosure
          • Authentication and Authorization Flaws
          • Injections
      • Summary
  • 4 Reconnaissance
      • Detecting GraphQL
          • Common Endpoints
          • Common Responses
          • Nmap Scans
          • The __typename Field
          • graphw00f
      • Detecting GraphiQL Explorer and GraphQL Playground
          • Scanning for Graphical Interfaces with EyeWitness
          • Attempting a Query Using Graphical Clients
      • Querying GraphQL by Using Introspection
          • Visualizing Introspection with GraphQL Voyager
          • Generating Introspection Documentation with SpectaQL
          • Exploring Disabled Introspection
      • Fingerprinting GraphQL
          • Detecting Servers with graphw00f
          • Analyzing Results
      • Summary
  • 5 Denial of Service
      • GraphQL DoS Vectors
      • Circular Queries
          • Circular Relationships in GraphQL Schemas
          • How to Identify Circular Relationships
          • Circular Query Vulnerabilities
          • Circular Introspection Vulnerabilities
          • Circular Fragment Vulnerabilities
      • Field Duplication
          • Understanding How Field Duplication Works
          • Testing for Field Duplication Vulnerabilities
      • Alias Overloading
          • Abusing Aliases for Denial of Service
          • Chaining Aliases and Circular Queries
      • Directive Overloading
          • Abusing Directives for Denial of Service
          • Testing for Directive Overloading
      • Object Limit Overriding
      • Array-Based Query Batching
          • Understanding How Array-Based Query Batching Works
          • Testing for Array-Based Query Batching
          • Chaining Circular Queries and Array-Based Query Batching
          • Detecting Query Batching by Using BatchQL
      • Performing a DoS Audit with GraphQL Cop
      • Denial-of-Service Defenses in GraphQL
          • Query Cost Analysis
          • Query Depth Limits
          • Alias and Array-Based Batching Limits
          • Field Duplication Limits
          • Limits on the Number of Returned Records
          • Query Allow Lists
          • Automatic Persisted Queries
          • Timeouts
          • Web Application Firewalls
          • Gateway Proxies
      • Summary
  • 6 Information Disclosure
      • Identifying Information Disclosure Vectors in GraphQL
      • Automating Schema Extraction with InQL
      • Overcoming Disabled Introspection
          • Detecting Disabled Introspection
          • Exploiting Non-production Environments
          • Exploiting the __type Meta-field
      • Using Field Suggestions
          • Understanding the Edit-Distance Algorithm
          • Optimizing Field Suggestion Use
          • Considering Security Developments
      • Using Field Stuffing
          • Type Stuffing in the __type Meta-field
      • Automating Field Suggestion and Stuffing Using Clairvoyance
      • Abusing Error Messages
          • Exploring Excessive Error Messaging
          • Enabling Debugging
          • Inferring Information from Stack Traces
      • Leaking Data by Using GET-Based Queries
      • Summary
  • 7 Authentication and Authorization Bypasses
      • The State of Authentication and Authorization in GraphQL
          • In-Band vs. Out-of-Band
          • Common Approaches
      • Authentication Testing
          • Detecting the Authentication Layer
          • Brute-Forcing Passwords by Using Query Batching
          • Brute-Forcing Passwords with CrackQL
          • Using Allow-Listed Operation Names
          • Forging and Leaking JWT Credentials
      • Authorization Testing
          • Detecting the Authorization Layer
          • Enumerating Paths with graphql-path-enum
          • Brute-Forcing Arguments and Fields with CrackQL
      • Summary
  • 8 Injection
      • Injection Vulnerabilities in GraphQL
          • The Blast Radius of Malicious Input
          • The OWASP Top 10
      • The Injection Surface
          • Query Arguments
          • Field Arguments
          • Query Directive Arguments
          • Operation Names
          • Input Entry Points
      • SQL Injection
          • Understanding the Types of SQL Injection
          • Testing for SQLi
          • Testing DVGA for SQLi with Burp Suite
          • Automating SQL Injection
      • Operating System Command Injection
          • An Example
          • Manual Testing in DVGA
          • Automated Testing with Commix
          • Code Review of a Resolver Function
      • Cross-Site Scripting
          • Reflected XSS
          • Stored XSS
          • DOM-Based XSS
          • Testing for XSS in DVGA
      • Summary
  • 9 Request Forgery and Hijacking
      • Cross-Site Request Forgery
          • Locating State-Changing Actions
          • Testing for POST-Based Vulnerabilities
          • Automatically Submitting a CSRF Form
          • Testing for GET-Based Vulnerabilities
          • Using HTML Injection
          • Automating Testing with BatchQL and GraphQL Cop
          • Preventing CSRF
      • Server-Side Request Forgery
          • Understanding the Types of SSRF
          • Searching for Vulnerable Operations, Fields, and Arguments
          • Testing for SSRF
          • Preventing SSRF
      • Cross-Site WebSocket Hijacking
          • Finding Subscription Operations
          • Hijacking a Subscription Query
          • Preventing CSWSH
      • Summary
  • 10 Disclosed Vulnerabilities and Exploits
      • Denial of Service
          • A Large Payload (HackerOne)
          • Regular Expressions (CS Money)
          • A Circular Introspection Query (GitLab)
          • Aliases for Field Duplication (Magento)
          • Array-Based Batching for Field Duplication (WPGraphQL)
          • Circular Fragments (Agoo)
      • Broken Authorization
          • Allowing Data Access to Deactivated Users (GitLab)
          • Allowing an Unprivileged Staff Member to Modify a Customer's Email (Shopify)
          • Disclosing the Number of Allowed Hackers Through a Team Object (HackerOne)
          • Reading Private Notes (GitLab)
          • Disclosing Payment Transaction Information (HackerOne)
      • Information Disclosure
          • Enumerating GraphQL Users (GitLab)
          • Accessing the Introspection Query via WebSocket (Nuri)
      • Injection
          • SQL Injection in a GET Query Parameter (HackerOne)
          • SQL Injection in an Object Argument (Apache SkyWalking)
          • Cross-Site Scripting (GraphQL Playground)
      • Cross-Site Request Forgery (GitLab)
      • Summary
  • A GraphQL API Testing Checklist
      • Reconnaissance
      • Denial of Service
      • Information Disclosure
      • Authentication and Authorization
      • Injection
      • Forging Requests
      • Hijacking Requests
  • B GraphQL Security Resources
      • Penetration Testing Tips and Tricks
      • Hands-on Hacking Labs
      • Security Videos
  • Index

Dolev Farhi is a security engineer and author of Black Hat Bash (No Starch Press, forthcoming in 2025). He has extensive experience leading security engineering teams in the Fintech and cybersecurity industries and is currently a distinguished security engineer at Palo Alto Networks, where he builds defenses for the largest cybersecurity company in the world. He has provided training for official Linux certification tracks and, in his spare time, enjoys researching vulnerabilities in IoT devices and building open source offensive security tools.

Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished and patented security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his own security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph's Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing and has over 10 years of experience hacking everything from websites, safes, locks, cars, drones, and even smart buildings.