Live GraphQL Security Testing
escape.tech
Discovering GraphQL Vulnerabilities in the Wild
Who Am I
Tristan Kalos
Co-founder & CEO @ Escape – GraphQL Security
Engineer in Operations Research & MBA
Researcher in Machine Learning Applied to Source Code
🛠 Loved GraphQL but struggled to secure it
✉ tristan@escape.tech
@tristankalos
About Escape - GraphQL Security
We created the first fully-featured automated GraphQL Security Testing tool & have an in-house
research team on the topic.
https://app.escape.tech/
What is GraphQL?
GraphQL is a query language for APIs
The anatomy of a GraphQL request
Operations
Fields
Directives
Parameters
Aliases
Batches
Fragments
Query Depth
Query Width
Why is GraphQL vulnerable?
1 - GraphQL is a full-featured language, leaving more space for malicious requests
2 - GraphQL is a graph, prone to access control problems
Discovering GraphQL Vulnerabilities in the Wild
1. Finding GraphQL endpoints in the internet
2. Testing endpoints for advanced security flaws
3. Our results
How to find public GraphQL endpoints on the internet?
Step 1: buy a cheap list of domains
Step 2: use our open source GraphQL endpoint finder
https://github.com/Escape-Technologies/goctopus
But… we have 1.2M domains. It's too slow.
https://github.com/Escape-Technologies/graphinder
Step 3: make a faster version, in Go.
https://github.com/Escape-Technologies/goctopus
We now have 2449 public GraphQL endpoints
2. Testing endpoints for advanced security flaws
The two problems when testing GraphQL APIs
Problem 1: It's hard to automate API testing.
Solution 1: Feedback-driven API exploration
Problem 2: GraphQL is a graph
Solution 2: Recursively explore all paths in the graph
1. stripe_token
Now, what to test?
● Rate limits
● Query size limits
● BOLA (Broken Object Level Authorization)
● HTTP Errors (500 errors, SSL/TLS)
● Information Disclosure (Server version, Stack traces)
● Request Forgery
● Injections
● Sensitive Data Leaks
https://docs.escape.tech/advanced-usage/security_tests
3. Results analysis
1,599 endpoints scanned
416 cumulative scan hours
46,809 security alerts raised
How many alerts per application?
Which severity and type?
Breaking down vulnerabilities (1/2)
Breaking down vulnerabilities (2/2)
Top vulnerabilities: mostly GraphQL Specific
Top vulnerability 1: Limit Batching and Aliasing
Batching: multiple GraphQL queries in one HTTP request
Aliasing: the same fields requested multiple times under different aliases
The problem: both can be used to bypass rate limiting on login mutations, enabling brute-force attacks
Top vulnerability 2: Directive Overloading
The problem: directives are hard to process server-side and can be used to trigger a DoS
Timings shown on the slide: 150 ms, versus 1 min for a 100 kB request
Top vulnerability 3: Recursive Fragments
Fragments: a piece of logic that can be shared between multiple queries
The problem: what if a fragment calls itself? Oops, you got an infinite recursion.
Top vulnerability 4: Field suggestion schema leak
The problem: endpoints with disabled introspection still leak the underlying API schema through field suggestions
Using the open source tool Clairvoyance, anybody can rebuild the full schema.
No introspection? Disable field suggestions
Summary about common GraphQL vulnerabilities:
1. Batching and Aliasing Attacks
2. Directive Overloading
3. Recursive Fragments
4. Field suggestion leaking Schema
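Added worked example (not from the talk and not Escape's tooling): a Python pre-execution guard that covers the four issues listed above, batch size, alias count, directive count and fragment-cycle detection, plus the mitigation for issue 4, stripping "Did you mean ...?" suggestions from error messages. It inspects the raw JSON request with regex heuristics rather than a full GraphQL parser, so the limits, helper names (`guard_request`, `find_fragment_cycle`, `strip_field_suggestions`) and the sample request bodies are all assumptions or constructed data. In production the same checks belong in the server's validation step on the parsed document; the regexes approximate that so the example runs offline.

```python
import json
import re
from typing import Dict, List, Set

# Constructed limits (assumptions, not figures from the talk); tune them per API.
MAX_BATCH = 5        # operations accepted in one HTTP request
MAX_ALIASES = 20     # aliased fields per document
MAX_DIRECTIVES = 10  # directive occurrences per document
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')                 # string literals, blanked before inspection
ALIAS_RE = re.compile(r"\b[_A-Za-z]\w*\s*:\s*[_A-Za-z]\w*")  # alias: field
DIRECTIVE_RE = re.compile(r"@[_A-Za-z]\w*")
FRAGMENT_DEF_RE = re.compile(r"\bfragment\s+([_A-Za-z]\w*)\s+on\s+[_A-Za-z]\w*")
SPREAD_RE = re.compile(r"\.\.\.\s*([_A-Za-z]\w*)")
SUGGESTION_RE = re.compile(r"\s*Did you mean[^?]*\?")

def strip_strings(doc: str) -> str:
    return STRING_RE.sub('""', doc)

def strip_arguments(doc: str) -> str:
    """Drop everything inside (...), so 'arg: value' pairs are not counted as aliases."""
    out, depth = [], 0
    for ch in doc:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def count_aliases(doc: str) -> int:
    return len(ALIAS_RE.findall(strip_arguments(strip_strings(doc))))

def count_directives(doc: str) -> int:
    return len(DIRECTIVE_RE.findall(strip_strings(doc)))

def _block(doc: str, start: int) -> str:
    """Text of the first balanced {...} block at or after 'start'."""
    i = doc.find("{", start)
    if i < 0:
        return ""
    depth = 0
    for j in range(i, len(doc)):
        depth += (doc[j] == "{") - (doc[j] == "}")
        if depth == 0:
            return doc[i:j + 1]
    return doc[i:]

def fragment_graph(doc: str) -> Dict[str, Set[str]]:
    """Map each fragment definition to the named fragments it spreads ('... on T' excluded)."""
    doc = strip_strings(doc)
    return {m.group(1): {s for s in SPREAD_RE.findall(_block(doc, m.end())) if s != "on"}
            for m in FRAGMENT_DEF_RE.finditer(doc)}

def find_fragment_cycle(graph: Dict[str, Set[str]]) -> List[str]:
    """Depth-first search; returns the first cycle as a closed list of names, else []."""
    done: Set[str] = set()  # fragments fully explored without reaching a cycle

    def visit(node: str, path: List[str]) -> List[str]:
        if node in path:  # spread back onto the current path: infinite recursion
            return path[path.index(node):] + [node]
        if node in done or node not in graph:  # undefined fragments are the validator's job
            return []
        for nxt in sorted(graph[node]):
            if cycle := visit(nxt, path + [node]):
                return cycle
        done.add(node)
        return []
    for name in sorted(graph):
        if cycle := visit(name, []):
            return cycle
    return []

def guard_request(body: str) -> List[str]:
    """Inspect a raw JSON request body; return policy violations (empty list = let it through)."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    problems: List[str] = []
    if len(operations) > MAX_BATCH:
        problems.append(f"batch of {len(operations)} operations exceeds {MAX_BATCH}")
    for op in operations:
        doc = op.get("query", "") if isinstance(op, dict) else ""
        if (n := count_aliases(doc)) > MAX_ALIASES:
            problems.append(f"{n} aliases exceed {MAX_ALIASES}")
        if (n := count_directives(doc)) > MAX_DIRECTIVES:
            problems.append(f"{n} directives exceed {MAX_DIRECTIVES}")
        if cycle := find_fragment_cycle(fragment_graph(doc)):
            problems.append("recursive fragment: " + " -> ".join(cycle))
    return problems

def strip_field_suggestions(message: str) -> str:
    """Remove graphql-js style 'Did you mean ...?' hints so unknown-field errors stop leaking the schema."""
    return SUGGESTION_RE.sub("", message)

# Constructed sample request bodies (not captured traffic).
CLEAN = json.dumps({"query": "query($id: ID!) { user(id: $id) { id name ...Basic } } fragment Basic on User { email }"})
BATCH = json.dumps([{"query": "{ me { id } }"}] * 6)
ALIASED_LOGINS = json.dumps({"query": "mutation { " + " ".join(
    f'a{i}: login(user: "bob", password: "pw{i}") {{ token }}' for i in range(30)) + " }"})
DIRECTIVE_HEAVY = json.dumps({"query": "query { me { id " + "@include(if: true) " * 50 + "} }"})
RECURSIVE = json.dumps({"query": "query { me { ...A } } fragment A on User { id ...B } fragment B on User { name ...A }"})
```

Running `guard_request` on each sample returns an empty list for `CLEAN` and one violation string for each of the other four; the alias and directive counts are the cheap checks to put in front of the parser, while the fragment-cycle search is what stops the "fragment calls itself" case before execution.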
To go further:
https://escape.tech/blog/pentest101/
Bonus: Sensitive data made public
4,493 potential data leaks found.
Sensitive data found in the wild
All this, using unauthenticated GET requests
Conclusion:
● Found and scanned 1500 public GraphQL endpoints in the wild
● Highlighted numerous vulnerabilities, most frequently GraphQL-specific, but not only
● Access control flaws and secret leaking are *very* frequent in GraphQL
Thanks for listening!
GraphQL Security & Monitoring
escape.tech
✉ tristan@escape.tech
@tristankalos

Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 

APIsecure 2023 - Discovering GraphQL Vulnerabilities in the Wild, Tristan Kalos & Antoine Carossio, Escape

  • 19. The two problems when testing GraphQL APIs. Problem 2: GraphQL is a graph (diagram: the type graph, with a node labelled stripe_token)
  • 20. The two problems when testing GraphQL APIs. Solution 2: recursively explore all paths in the graph (diagram: every path that leads to stripe_token)
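What "recursively explore all paths in the graph" means in practice, as an added example (this is not Escape's scanner code): a depth-first walk over a constructed, simplified introspection result (type -> field -> return type) that enumerates every field path from Query down to a sensitive leaf such as stripe_token, and renders each path as the query a scanner would send along it. The SCHEMA dict and its type names are made up for the example.

```python
"""Recursively enumerate every path through a GraphQL schema that reaches a
sensitive field, so each path can be queried and checked for access control.
Added example (not Escape's code); SCHEMA is a constructed, simplified
introspection result: type -> field -> return type (None = scalar)."""

from typing import Dict, List, Optional

SCHEMA: Dict[str, Dict[str, Optional[str]]] = {
    "Query": {"me": "User", "user": "User", "order": "Order", "shop": "Shop"},
    "User": {"id": None, "email": None, "orders": "Order", "paymentMethod": "PaymentMethod"},
    "Order": {"id": None, "total": None, "buyer": "User", "payment": "PaymentMethod"},
    "Shop": {"id": None, "owner": "User", "orders": "Order"},
    "PaymentMethod": {"id": None, "stripe_token": None, "last4": None},
}


def find_paths(schema, root: str, target_field: str, max_depth: int = 6) -> List[List[str]]:
    """Depth-first search from `root` returning every field path that ends on
    `target_field`. A type already on the current path is not re-entered, so
    cycles such as User -> orders -> buyer -> User terminate, and `max_depth`
    bounds the walk on large schemas."""
    paths: List[List[str]] = []

    def walk(type_name: str, path: List[str], visited: frozenset) -> None:
        if len(path) >= max_depth:
            return
        for field, return_type in schema.get(type_name, {}).items():
            if field == target_field:
                paths.append(path + [field])
            elif return_type is not None and return_type not in visited:
                walk(return_type, path + [field], visited | {return_type})

    walk(root, [], frozenset({root}))
    return paths


def to_query(path: List[str]) -> str:
    """Render one path as the query a scanner would send along it."""
    selection = path[-1]
    for field in reversed(path[:-1]):
        selection = f"{field} {{ {selection} }}"
    return f"query {{ {selection} }}"


if __name__ == "__main__":
    for p in find_paths(SCHEMA, "Query", "stripe_token"):
        # Each rendered query is what a BOLA test sends with different identities
        # (or, as in this talk, with no authentication at all) and compares.
        print(" -> ".join(p), "|", to_query(p))
```

On the toy schema the walk finds ten distinct routes to stripe_token; the point for access control is that authorization enforced on `me { paymentMethod }` is worthless if `shop { orders { buyer { paymentMethod } } }` reaches the same object unchecked, so every path has to be tested.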
  • 29. Now, what to test?
    ● Rate limits
    ● Query size limits
    ● BOLA (Broken Object Level Authorization)
    ● HTTP errors (500 errors, SSL/TLS)
    ● Information disclosure (server version, stack traces)
    ● Request forgery
    ● Injections
    ● Sensitive data leaks
    https://docs.escape.tech/advanced-usage/security_tests
  • 33. 1,599 endpoints scanned, 416 cumulative scan hours, 46,809 security alerts raised
  • 34. How many alerts per application?
  • 38. Top vulnerabilities: mostly GraphQL Specific
  • 39. Top vulnerability 1: Limit Batching and Aliasing. Batching: multiple GraphQL operations in one HTTP request. Aliasing: the same field requested several times under different aliases in one query.
  • 40. Top vulnerability 1: Limit Batching and Aliasing. The problem: either one packs many login attempts into a single HTTP request, so a per-request rate limit on login mutations is bypassed and a brute-force attack goes through.
  • 41. Top vulnerability 2: Directive Overloading. The problem: directives are expensive to process server side, so a query stuffed with them can trigger a DoS (chart: 150 ms vs. 1 min for a 100 kB request).
  • 42. Top vulnerability 3: Recursive Fragments. Fragments: a reusable piece of selection logic shared between multiple queries.
  • 43. Top vulnerability 3: Recursive Fragments. The problem: what if a fragment spreads itself, directly or through another fragment? A server that skips the spec's fragment-cycle validation recurses infinitely: denial of service.
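The three request-shape problems from slides 39 to 43 (batching plus aliasing against a login mutation, directive overloading, recursive fragments) are all visible in the query text before it is executed, so they can be rejected by one guard in front of the executor. The following is an added example and not Escape's code: a deliberately small tokenizer (a subset of the GraphQL lexer, enough for the constructed requests below), a counter of root-field repetitions that credits aliases to their real field name and sums them across a batch, a directive counter, and cycle detection over fragment spreads. The LIMITS values are assumed policy, and the sample requests are constructed.

```python
"""Request-shape guard for batching + aliasing, directive overloading and
recursive fragments. Added example, not Escape's code. The tokenizer is a
small subset of the GraphQL lexer and LIMITS are assumed policy values."""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Strings, comments, the spread operator, names, punctuators, numbers.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|[A-Za-z_][A-Za-z0-9_]*'
                    r'|[{}():@$!\[\]=]|-?\d+(?:\.\d+)?')
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
LIMITS = {"batch": 5, "aliases_per_field": 3, "directives": 20}  # assumed


def tokenize(doc: str) -> List[str]:
    return [t for t in _TOKEN.findall(doc) if not t.startswith("#")]


def analyze(doc: str) -> Tuple[Counter, int, Dict[str, Set[str]]]:
    """(root field -> occurrences, directive count, fragment -> fragments it
    spreads). Aliased fields are counted under their real field name."""
    toks = tokenize(doc)
    root_fields: Counter = Counter()
    directives, depth, paren, i = 0, 0, 0, 0
    edges: Dict[str, Set[str]] = {}
    fragment = None  # fragment definition currently being scanned
    while i < len(toks):
        t, nxt = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if t == "{":
            depth += 1
        elif t == "}":
            depth -= 1
            if depth == 0:
                fragment = None
        elif t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif t == "@":                      # directive: count it, skip its name
            directives += 1
            i += 2
            continue
        elif t == "fragment" and depth == 0:
            fragment = nxt
            edges.setdefault(fragment, set())
        elif t == "...":
            if nxt == "on":                 # inline fragment: skip "on Type"
                i += 3
                continue
            if fragment is not None:
                edges[fragment].add(nxt)
            i += 2                          # skip the spread fragment's name
            continue
        elif depth == 1 and paren == 0 and fragment is None and _NAME.fullmatch(t):
            if nxt == ":":                  # "alias: field": count the field
                i += 2
                continue
            root_fields[t] += 1
        i += 1
    return root_fields, directives, edges


def fragment_cycles(edges: Dict[str, Set[str]]) -> Set[str]:
    """Fragments that spread themselves, directly or transitively."""
    cyclic: Set[str] = set()

    def visit(node: str, stack: List[str]) -> None:
        for nxt in edges.get(node, ()):
            if nxt in stack:
                cyclic.update(stack[stack.index(nxt):])
            else:
                visit(nxt, stack + [nxt])

    for name in edges:
        visit(name, [name])
    return cyclic


def check_request(body) -> List[str]:
    """Policy check on one parsed HTTP body: a {"query": ...} object or a JSON
    array batch. Field repetitions are summed over the whole batch, so batching
    and aliasing draw on the same per-field budget."""
    ops = body if isinstance(body, list) else [body]
    violations: List[str] = []
    if len(ops) > LIMITS["batch"]:
        violations.append(f"batch of {len(ops)} operations exceeds {LIMITS['batch']}")
    totals: Counter = Counter()
    for op in ops:
        fields, n_dir, edges = analyze(op["query"])
        totals.update(fields)
        if n_dir > LIMITS["directives"]:
            violations.append(f"{n_dir} directives exceed {LIMITS['directives']}")
        cycles = fragment_cycles(edges)
        if cycles:
            violations.append(f"recursive fragments: {sorted(cycles)}")
    for field, n in totals.items():
        if n > LIMITS["aliases_per_field"]:
            violations.append(f"field {field} repeated {n} times (limit {LIMITS['aliases_per_field']})")
    return violations


# Constructed sample requests: one brute-force, one overloaded, one recursive, one benign.
BRUTE_FORCE = {"query": """mutation {
  a1: login(email: "victim@example.com", password: "hunter2") { token }
  a2: login(email: "victim@example.com", password: "letmein") { token }
  a3: login(email: "victim@example.com", password: "Password1") { token }
  a4: login(email: "victim@example.com", password: "qwerty") { token }
}"""}
OVERLOADED = {"query": "query { me { id " + "@skip(if: false) " * 50 + "} }"}
RECURSIVE = {"query": """query { me { ...A } }
fragment A on User { id ...B }
fragment B on User { email ...A }"""}
BENIGN = {"query": "query Me($n: Int) { me { id orders(first: $n) { id } } }"}
```

Run `check_request` on a JSON array of six BENIGN bodies and it reports both the batch size and the six `me` selections, which is the point: a limiter that only looks at HTTP requests per minute sees one request. In production the same checks belong in the server's validation rules (most GraphQL servers expose a hook for custom rules) rather than in a regex front end.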
  • 44. Top vulnerability 4: Field suggestion schema leak. The problem: endpoints with introspection disabled still leak the underlying API schema through field suggestions (the "Did you mean ...?" hint in validation errors).
  • 45. No introspection? Disable field suggestion. The problem: endpoints with introspection disabled still leak the underlying API schema through field suggestions; using the open source tool Clairvoyance, anybody can rebuild the full schema from those hints.
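How the leak and the fix look in code, as an added example (this is neither Escape's nor Clairvoyance's code): a stand-in "server" that formats unknown-field errors the way graphql-js does, including its fuzzy-match hint, a Clairvoyance-style loop that probes a wordlist and re-probes every suggested name until the type's fields are recovered, and the one-line response-formatter mitigation that strips the hint. USER_FIELDS is a constructed type, and difflib's `get_close_matches` is an approximation of the server's real suggestion algorithm.

```python
"""Field-suggestion schema leak and its mitigation. Added example (not
Escape's or Clairvoyance's code): the 'server' is a constructed stand-in
that formats unknown-field errors like graphql-js, USER_FIELDS is made up
and difflib approximates the real suggestion scoring."""
import difflib
import re
from typing import Callable, Iterable, List, Optional, Set

USER_FIELDS = ["id", "email", "username", "stripe_token", "passwordHash"]  # constructed

_DID_YOU_MEAN = re.compile(r' Did you mean (.+)\?$')
_QUOTED = re.compile(r'"([^"]+)"')


def _or_list(names: List[str]) -> str:
    """graphql-js style: "a" / "a" or "b" / "a", "b", or "c"."""
    quoted = [f'"{n}"' for n in names]
    if len(quoted) == 1:
        return quoted[0]
    if len(quoted) == 2:
        return f"{quoted[0]} or {quoted[1]}"
    return ", ".join(quoted[:-1]) + f", or {quoted[-1]}"


def validate_field(requested: str, fields=USER_FIELDS, suggest: bool = True) -> Optional[str]:
    """Stand-in for server-side field validation: None when the field exists,
    otherwise the error message. suggest=True appends the hint that leaks
    neighbouring field names even with introspection off."""
    if requested in fields:
        return None
    msg = f'Cannot query field "{requested}" on type "User".'
    close = difflib.get_close_matches(requested, fields, n=5, cutoff=0.4)
    if suggest and close:
        msg += f" Did you mean {_or_list(close)}?"
    return msg


def strip_suggestions(msg: str) -> str:
    """Mitigation for a response/error formatter: keep the error, drop the hint."""
    return _DID_YOU_MEAN.sub("", msg)


def extract_suggestions(msg: str) -> List[str]:
    m = _DID_YOU_MEAN.search(msg)
    return _QUOTED.findall(m.group(1)) if m else []


def recover_fields(wordlist: Iterable[str], oracle: Callable[[str], Optional[str]]) -> Set[str]:
    """Clairvoyance-style loop: probe every word, harvest the server's
    suggestions, and re-probe those until no new names appear. Only names the
    oracle accepts (returns None for) are reported, so the result is exact."""
    known: Set[str] = set()
    queue = list(wordlist)
    while queue:
        word = queue.pop()
        err = oracle(word)
        if err is None:               # the query validated: the field is real
            known.add(word)
            continue
        for name in extract_suggestions(err):
            if name not in known and name not in queue:
                queue.append(name)
    return known
```

With suggestions on, four rough guesses ("token", "mail", "user", "pass") are enough to recover stripe_token, email, username and passwordHash; with the hint stripped the same wordlist recovers nothing, because none of the guesses is itself a real field.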
  • 46. Summary of common GraphQL vulnerabilities: 1. Batching and aliasing attacks 2. Directive overloading 3. Recursive fragments 4. Field suggestions leaking the schema. To go further: https://escape.tech/blog/pentest101/
  • 47. Bonus: Sensitive data made public
  • 48. 4,493 potential data leaks found.
  • 49. Sensitive data found in the wild
  • 50. All this, using unauthenticated GET requests
  • 51. Conclusion:
    ● found 2,449 public GraphQL endpoints in the wild and scanned 1,599 of them
    ● highlighted numerous vulnerabilities, most frequently GraphQL-specific, but not only
    ● access control flaws and secret leaks are *very* frequent in GraphQL APIs
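The "sensitive data found in the wild, using unauthenticated GET requests" finding reduces to two mechanical steps: send the query as a GET with no credentials, then scan the JSON that comes back for things that should never be in a public response. The block below is an added example, not Escape's scanner: the GET URL builder is standard GraphQL-over-GET, the value regexes are widely published key formats (AWS access key id, Stripe live secret, JWT, PEM private key header) plus an e-mail pattern, the key-name heuristic is an assumption, and SAMPLE_RESPONSE is a constructed payload with fake values.

```python
"""Scan a GraphQL response for secrets and PII, and build the unauthenticated
GET probe that fetched it. Added example, not Escape's code; the key-name
heuristic is an assumption and SAMPLE_RESPONSE is constructed with fake values."""
import json
import re
from typing import Any, List, Tuple
from urllib.parse import urlencode

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Field names that usually hold secrets even when the value has no fixed format.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api_?key|ssn", re.I)


def build_get_url(endpoint: str, query: str) -> str:
    """GraphQL over GET: the query travels in the URL, no body, no auth header."""
    return f"{endpoint}?{urlencode({'query': query})}"


def scan(node: Any, path: str = "data") -> List[Tuple[str, str]]:
    """Walk the JSON tree and return (json path, finding kind) pairs."""
    findings: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                findings.append((child, "sensitive_key_name"))
            findings.extend(scan(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(scan(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        for kind, rx in PATTERNS.items():
            if rx.search(node):
                findings.append((path, kind))
    return findings


def scan_response(response: dict) -> List[Tuple[str, str]]:
    return scan(response.get("data"))


# Constructed response with fake values: what an unauthenticated GET might return.
SAMPLE_RESPONSE = json.loads("""{
  "data": {"users": [
    {"id": "1", "email": "alice@example.com",
     "stripe_token": "sk_live_EXAMPLEEXAMPLEEXAMPLE0000",
     "session": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl"},
    {"id": "2", "email": "bob@example.com", "stripe_token": null,
     "notes": "AKIAIOSFODNN7EXAMPLE"}
  ]}
}""")

if __name__ == "__main__":
    print(build_get_url("https://api.example.com/graphql", "{ users { email stripe_token } }"))
    for location, kind in scan_response(SAMPLE_RESPONSE):
        print(f"{kind:20} {location}")
```

The JSON path in each finding is what makes the alert actionable: "data.users[0].stripe_token" tells the API owner which resolver returned the value, not just that a secret appeared somewhere in the response. A `null` value is deliberately not reported, since it proves nothing about the field.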
  • 53. GraphQL Security & Monitoring escape.tech ✉ tristan@escape.tech @tristankalos