SlideShare a Scribd company logo

Github GraphQL Data Exposure

Shahriar Yazdipour
Shahriar Yazdipour

Github Data Exposure and Accessing Blocked Data using GraphQL Security Design Flaw

Engineering
1 of 29
Download to read offline
GITHUB DATA EXPOSURE AND ACCESSING BLOCKED DATA USING GRAPHQL SECURITY DESIGN FLAW  Research by ShahriarYazdipour  CCSE CONFERENCE 2020  Technische Universität Ilmenau  Feb 2020 1
AGENDA • BACKGROUND STORY • WHAT IS GRAPHQL • RESEARCH PROCESS • CONCLUSION 2
RESTRICTIONS IN IRAN 3 • GOV loves to make everything difficult • US also loves to make things harder
BLOCKED BY IRAN GOVERNMENT 4 Facebook YouTube Twitter Reddit Telegram Viber Tumblr Spotify SoundCloud Netflix Flickr WordPress BBC Voice of America Al-Arabiya Fox News CBS News Haaretz Times of India The Daily Mail … More than 300 site ofTop 500 https://gist.github.com/alibo/dfd7c258bcc44a0e8c9f7c5bfd3bd2c3
BLOCKED BY COMPANIES 5 Github Gitlab Google Cloud (KhanAcademy,…) Google/Android Developers Redhat Repositry DockerHub MySQL Unreal Engine Intel Download Center Udemy/Pluralsight eBay TeamViewer MongoDB Upwork Avast GNU Repositories … https://gist.github.com/alibo/dfd7c258bcc44a0e8c9f7c5bfd3bd2c3
6
US TRADE LAW • July 2019 • Restriction on creating new repository • No Access to previously created repositories Ref. https://techcrunch.com/2019/07/29/github-ban-sanctioned-countries/
FAST FORWARD • November 2019 • GitHub Launches on Mobile with iOS Application • Only Available for Beta Testers Ref https://winbuzzer.com/2019/11/14/github-launches-on-mobile-with-ios-application-xcxwbn/
NEW GITHUB APP  Get it from Apple TestFlight  First Publicly AvailableVersion - Build 45  Today – Build 81  Very Basic Features  Possible to see my blocked repository 🎉🎉🎉 9
10
PROXY 11https://www.jorgealdana.pro/blog/seguridad/burp-proxy-aplicacion-de-seguridad-para-desarrolladores-de-android/
12 PROCESS
GRAPHQL 13 is a new API standard that provides a more efficient, powerful and flexible alternative to REST services. It was developed and open-sourced by Facebook and is now maintained by a large community of companies and individuals from all over the world. http://graphql.org/
14https://blog.apollographql.com/how-do-i-graphql-2fcabfc94a01
GRAPHQL QUERIES 15 https://graphql.org/learn/queries/
GRAPHQL QUERIES 16 https://graphql.org/learn/queries/
17 https://nordicapis.com/10-graphql-consoles-in-action/
ANALYSIS TRAFFIC – REPOSITORY 18
ANALYSIS TRAFFIC – DIRECTORY 19
ANALYSIS TRAFFIC – DATA 20
ANALYSIS TRAFFIC – BINARY DATA 21
ANALYSIS TRAFFIC – BINARY DATA 22 • file() Method is not mentioned in Github GraphQL Documentation • Does not work with DeveloperToken!
ANALYSIS TRAFFIC – BINARY DATA 23
CAN IT BE GENERALIZED? MAKE A TOOL OUT OF IT?! 24
FAKE AUTH 25 • We have the "client_id" and "code“ by sniffing authentication process. • Easily get the client_secret
FAKE AUTH 26
CONCLUSION Access Repository Information Access Repository Directory Access Repository Files • Reported to Github SecurityTeam • Category: api.github.com • Severity: Low • Weakness: Improper Access Control CWE-284 27
REFERENCE 28 • Github Documentations • Burp-suite Documentations • Facebook GraphQl Documentations • Graphql Octokit Documentation • OWASP Security Handbook
THANKYOU. 29 ShahriarYazdipour github.com/yazdipour/presentations

Recommended

Learn the basics of git and github. A Complete github tutorial
Learn the basics of git and github. A Complete github tutorialLearn the basics of git and github. A Complete github tutorial
Learn the basics of git and github. A Complete github tutorial
paradisetechsoftsolutions
 
GitHubをエンジニア以外にも使ってもらうには
GitHubをエンジニア以外にも使ってもらうにはGitHubをエンジニア以外にも使ってもらうには
GitHubをエンジニア以外にも使ってもらうには
tkr1212st
 
Bootiful Development with Spring Boot and Vue - Devnexus 2019
Bootiful Development with Spring Boot and Vue - Devnexus 2019Bootiful Development with Spring Boot and Vue - Devnexus 2019
Bootiful Development with Spring Boot and Vue - Devnexus 2019
Matt Raible
 
Andrew's geo media evolution
Andrew's geo media evolutionAndrew's geo media evolution
Andrew's geo media evolution
Andrew Zolnai
 
Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google Hacking
Gareth Davies
 
Call to code ai aug 23rd
Call to code ai aug 23rdCall to code ai aug 23rd
Call to code ai aug 23rd
Tuhin Mahmud
 
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxDemystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
null - The Open Security Community
 
How to dive into GCP
How to dive into GCPHow to dive into GCP
How to dive into GCP
龍一郎 北野
 

Recommended

Learn the basics of git and github. A Complete github tutorial
Learn the basics of git and github. A Complete github tutorialLearn the basics of git and github. A Complete github tutorial
Learn the basics of git and github. A Complete github tutorial
paradisetechsoftsolutions
 
GitHubをエンジニア以外にも使ってもらうには
GitHubをエンジニア以外にも使ってもらうにはGitHubをエンジニア以外にも使ってもらうには
GitHubをエンジニア以外にも使ってもらうには
tkr1212st
 
Bootiful Development with Spring Boot and Vue - Devnexus 2019
Bootiful Development with Spring Boot and Vue - Devnexus 2019Bootiful Development with Spring Boot and Vue - Devnexus 2019
Bootiful Development with Spring Boot and Vue - Devnexus 2019
Matt Raible
 
Andrew's geo media evolution
Andrew's geo media evolutionAndrew's geo media evolution
Andrew's geo media evolution
Andrew Zolnai
 
Advanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google HackingAdvanced Information Gathering AKA Google Hacking
Advanced Information Gathering AKA Google Hacking
Gareth Davies
 
Call to code ai aug 23rd
Call to code ai aug 23rdCall to code ai aug 23rd
Call to code ai aug 23rd
Tuhin Mahmud
 
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptxDemystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
Demystifying Cyber Threat Intelligence -Debraj Dey Null_OWASP kolkata .pptx
null - The Open Security Community
 
How to dive into GCP
How to dive into GCPHow to dive into GCP
How to dive into GCP
龍一郎 北野
 
curl - a hobby project that conquered the world
curl - a hobby project that conquered the worldcurl - a hobby project that conquered the world
curl - a hobby project that conquered the world
Daniel Stenberg
 
My Trip to Google I/O 2013
My Trip to Google I/O 2013My Trip to Google I/O 2013
My Trip to Google I/O 2013
David Wu
 
5G and 100 years
5G and 100 years5G and 100 years
5G and 100 years
GLK
 
An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
An indepth look at Google BigQuery Architecture by Felipe Hoffa of GoogleAn indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
Data Con LA
 
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Alex G. Lee, Ph.D. Esq. CLP
 
20150423 Android Taipei : 祖克伯F8的奇幻之旅
20150423 Android Taipei : 祖克伯F8的奇幻之旅20150423 Android Taipei : 祖克伯F8的奇幻之旅
20150423 Android Taipei : 祖克伯F8的奇幻之旅
PRADA Hsiung
 
L&D : Looking to the future
L&D : Looking to the futureL&D : Looking to the future
L&D : Looking to the future
Mike Collins
 
2022 APIsecure_Securing API Tokens on Github
2022 APIsecure_Securing API Tokens on Github2022 APIsecure_Securing API Tokens on Github
2022 APIsecure_Securing API Tokens on Github
APIsecure_ Official
 
Mobile DevOps pipeline using Google Flutter
Mobile DevOps pipeline using Google FlutterMobile DevOps pipeline using Google Flutter
Mobile DevOps pipeline using Google Flutter
Ahmed Abu Eldahab
 
APIs in production - we built it, can we fix it?
APIs in production - we built it, can we fix it?APIs in production - we built it, can we fix it?
APIs in production - we built it, can we fix it?
Martin Gutenbrunner
 
Drools and jBPM 6 Overview
Drools and jBPM 6 OverviewDrools and jBPM 6 Overview
Drools and jBPM 6 Overview
Mark Proctor
 
From Java Monoliths to K8s
From Java Monoliths to K8sFrom Java Monoliths to K8s
From Java Monoliths to K8s
VMware Tanzu
 
From Monolith to K8s - Spring One 2020
From Monolith to K8s - Spring One 2020From Monolith to K8s - Spring One 2020
From Monolith to K8s - Spring One 2020
Mauricio (Salaboy) Salatino
 
Google deployment manager
Google deployment managerGoogle deployment manager
Google deployment manager
Luillyfe Blanco
 
Android Things Latest News / Aug 25, 2017
Android Things Latest News / Aug 25, 2017Android Things Latest News / Aug 25, 2017
Android Things Latest News / Aug 25, 2017
Masahiro Hidaka
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
Greg Foss
 
Immersed in the Web
Immersed in the WebImmersed in the Web
Immersed in the Web
Luis Diego González-Zúñiga, PhD
 
Internet of Things (IoT) - in the cloud or rather on-premises?
Internet of Things (IoT) - in the cloud or rather on-premises?Internet of Things (IoT) - in the cloud or rather on-premises?
Internet of Things (IoT) - in the cloud or rather on-premises?
Guido Schmutz
 
Iot cloud-or-onprem-170709204236
Iot cloud-or-onprem-170709204236Iot cloud-or-onprem-170709204236
Iot cloud-or-onprem-170709204236
Aravindharamanan S
 
Critical Breakthroughs and Challenges in Big Data and Analytics
Critical Breakthroughs and Challenges in Big Data and AnalyticsCritical Breakthroughs and Challenges in Big Data and Analytics
Critical Breakthroughs and Challenges in Big Data and Analytics
Data Driven Innovation
 
Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planes
RAJNEESHKUMAR341697
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
Omar Fathy
 

More Related Content

Similar to Github GraphQL Data Exposure

An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
An indepth look at Google BigQuery Architecture by Felipe Hoffa of GoogleAn indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
Data Con LA
 
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Alex G. Lee, Ph.D. Esq. CLP
 

Similar to Github GraphQL Data Exposure (20)

curl - a hobby project that conquered the world
curl - a hobby project that conquered the worldcurl - a hobby project that conquered the world
curl - a hobby project that conquered the world
 
My Trip to Google I/O 2013
My Trip to Google I/O 2013My Trip to Google I/O 2013
My Trip to Google I/O 2013
 
5G and 100 years
5G and 100 years5G and 100 years
5G and 100 years
 
An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
An indepth look at Google BigQuery Architecture by Felipe Hoffa of GoogleAn indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google
 
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...
 
20150423 Android Taipei : 祖克伯F8的奇幻之旅
20150423 Android Taipei : 祖克伯F8的奇幻之旅20150423 Android Taipei : 祖克伯F8的奇幻之旅
20150423 Android Taipei : 祖克伯F8的奇幻之旅
 
L&D : Looking to the future
L&D : Looking to the futureL&D : Looking to the future
L&D : Looking to the future
 
2022 APIsecure_Securing API Tokens on Github
2022 APIsecure_Securing API Tokens on Github2022 APIsecure_Securing API Tokens on Github
2022 APIsecure_Securing API Tokens on Github
 
Mobile DevOps pipeline using Google Flutter
Mobile DevOps pipeline using Google FlutterMobile DevOps pipeline using Google Flutter
Mobile DevOps pipeline using Google Flutter
 
APIs in production - we built it, can we fix it?
APIs in production - we built it, can we fix it?APIs in production - we built it, can we fix it?
APIs in production - we built it, can we fix it?
 
Drools and jBPM 6 Overview
Drools and jBPM 6 OverviewDrools and jBPM 6 Overview
Drools and jBPM 6 Overview
 
From Java Monoliths to K8s
From Java Monoliths to K8sFrom Java Monoliths to K8s
From Java Monoliths to K8s
 
From Monolith to K8s - Spring One 2020
From Monolith to K8s - Spring One 2020From Monolith to K8s - Spring One 2020
From Monolith to K8s - Spring One 2020
 
Google deployment manager
Google deployment managerGoogle deployment manager
Google deployment manager
 
Android Things Latest News / Aug 25, 2017
Android Things Latest News / Aug 25, 2017Android Things Latest News / Aug 25, 2017
Android Things Latest News / Aug 25, 2017
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
Immersed in the Web
Immersed in the WebImmersed in the Web
Immersed in the Web
 
Internet of Things (IoT) - in the cloud or rather on-premises?
Internet of Things (IoT) - in the cloud or rather on-premises?Internet of Things (IoT) - in the cloud or rather on-premises?
Internet of Things (IoT) - in the cloud or rather on-premises?
 
Iot cloud-or-onprem-170709204236
Iot cloud-or-onprem-170709204236Iot cloud-or-onprem-170709204236
Iot cloud-or-onprem-170709204236
 
Critical Breakthroughs and Challenges in Big Data and Analytics
Critical Breakthroughs and Challenges in Big Data and AnalyticsCritical Breakthroughs and Challenges in Big Data and Analytics
Critical Breakthroughs and Challenges in Big Data and Analytics
 

Recently uploaded

Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
Kamal Acharya
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 

Recently uploaded (20)

Engineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planesEngineering Drawing focus on projection of planes
Engineering Drawing focus on projection of planes
 
Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptxHOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
HOA1&2 - Module 3 - PREHISTORCI ARCHITECTURE OF KERALA.pptx
 
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best ServiceTamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
Tamil Call Girls Bhayandar WhatsApp +91-9930687706, Best Service
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
 
Block diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.pptBlock diagram reduction techniques in control systems.ppt
Block diagram reduction techniques in control systems.ppt
 
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
Unit 4_Part 1 CSE2001 Exception Handling and Function Template and Class Temp...
 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
 
Work-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptxWork-Permit-Receiver-in-Saudi-Aramco.pptx
Work-Permit-Receiver-in-Saudi-Aramco.pptx
 
Online food ordering system project report.pdf
Online food ordering system project report.pdfOnline food ordering system project report.pdf
Online food ordering system project report.pdf
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
PE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and propertiesPE 459 LECTURE 2- natural gas basic concepts and properties
PE 459 LECTURE 2- natural gas basic concepts and properties
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 

Github GraphQL Data Exposure