Saturday, October 12 • 3:30pm - 4:30pm
RT-2018 REST in Peace: Abusing GraphQL to Attack Underlying Infrastructure


GraphQL is a query language for APIs positioned as a replacement for RESTful architecture. It has seen rapid adoption and is now used by companies such as GitHub, Credit Karma, and PayPal. Despite its popularity, this new approach to building APIs can leave organizations at risk. While it solves real-world problems, proper implementation is left up to developers, who often don't fully understand how to secure their API. Security best practices are easily overlooked, and rushed development can leave cracks in the armor. These issues create a new attack surface to explore, as well as new ways to exploit underlying infrastructure and code. From Queries and Mutations to Types and Fields, properly attacking a target requires that you understand it. We will learn enough about GraphQL to be dangerous, demonstrate how to use the technology's intricacies against itself while taking advantage of implementation errors and misconfigurations, examine GraphQL-specific attacks as well as tried-and-true techniques adapted to the GraphQL context, and then walk through how to carry out these attacks efficiently and effectively.

Matt Szymanski

OffSec Engineering Manager
Matt Szymanski is a Senior Security Engineer specializing in Offensive Application Security. Passionate about AppSec, he leverages over a decade of experience as a programmer to discover and help remediate vulnerabilities. He has developed and taught secure coding workshops, mentored...

Saturday October 12, 2019 3:30pm - 4:30pm CDT
Texas Ballroom E (Track 3), Floor 4, 600 E Market St, San Antonio, TX