Author: Nick Aleks, Dolev Farhi
Publisher: No Starch Press
Year: 2023
Pages: 436
Language: English
Format: epub (true), mobi
Size: 14.8 MB
Written by hackers for hackers, this hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.
Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you’re a penetration tester, security analyst, or software engineer, you’ll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required.
Following an introduction to core concepts, you’ll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries.
Today, building software and systems is a lot like assembling an IKEA kitchen—on your front lawn. People are taking parsers, utilities, and other components originally intended for use with trusted data by a person on their own command line, and exposing them to the internet. With each new query language and interpreter/parser combination (GraphQL being one of the more recent), the old becomes new again.
Vulnerability classes like denial of service (DoS), injection, information disclosure, and authentication/authorization bypasses have persisted in pretty much every data format and language parsed with regular expressions over the course of my career. Some of this is because inherent weaknesses exist in the underlying technology that aren’t well understood by developers of new languages. But it’s more than a technology problem that makes these classes of vulnerabilities hard to solve. It’s an ecosystem problem.
If you’re reading this book to better understand GraphQL (or skimming it in the mad rush to prepare for your next assignment), you’ll find it to be a great briefing created by two people who have had to do their own fair share of hacking and who know the information you’ll need. This includes a useful checklist of issues to look out for, insight into a bunch of little gotchas, and GraphQL-specific quirks and subtleties that would otherwise take you a lot of time and research to uncover.
A relatively new technology, the GraphQL query language has shifted the API paradigm, appealing to many companies looking to optimize performance, scale, and ease of use. However, fully understanding this query language’s security implications takes time. Our collaboration has unlocked a vast number of novel insights about GraphQL and its ecosystem. In fact, many of the vulnerabilities and exploits referenced in this book have never before been published.
You’ll also learn how to:
Use data collection and target mapping to learn about targets
Defend APIs against denial-of-service attacks and exploit insecure configurations in GraphQL servers to gather information on hardened targets
Impersonate users and take admin-level actions on a remote server
Uncover injection-based vulnerabilities in servers, databases, and client browsers
Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf
Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies
This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.
Download Black Hat GraphQL: Attacking Next Generation APIs