idsecconf, profile picture
Uploaded byidsecconf
PDF, PPTX329 views

IDSECCONF2024 - Rifqi Hilmy Zhafrant - Hunting and Exploiting GraphQL Vulnerability for Phun and Profit.pdf

Dokumen ini membahas tentang kerentanan GraphQL dan eksploitasi melalui serangan traversal dalam konteks pengujian penetrasi. Pembicara, Rifqi Hilmy Zhafrant, menjelaskan konsep dasar GraphQL serta metodologi serangan yang mencakup introspeksi skema dan identifikasi rute ke bidang target. Studi kasus dari aplikasi dummy dan penggunaan skenario dunia nyata juga disajikan untuk mengilustrasikan cara kerja serangan tersebut.

Embed presentation

Download as PDF, PPTX
Hunting and Exploiting GraphQL Vulnerability for Phun and Profit by SecLab Indonesia IDSECCONF 2024
whoami Rifqi Hilmy Zhafrant Penetration Tester @seclab.id Bug Bounty Hunter (@hackerone) Student of brawijaya university First Timer at IDSECCONF
GraphQL Concepts Case Studies Attack on dummy and real world application. Agenda Schema Definition and schema introspection. The Traversal Attack Attack methodology. Summary Recap the session.
GraphQL Concepts
GraphQL
Defining Type ScalarType (ID, Int, Float String, Boolean) ObjectType EnumType
used to manipulate (create, update, delete) data. used to read data. GraphQL Mutation GraphQL Query Root Operation
Resolver Query Resolver
Query Client-Side Usage Mutation
The Metadata Fields
Introspection Query
Introspection Query
GraphQL Voyager Source: https://graphql-kit.com/graphql-voyager/
The Traversal Attack (I prefer “Object Chaining” Attack)
Traversal Attack?
Attack Flow Introspect the Schema Identify and Find Route to Target Fields Construct and Execute Query
Case Studies
The Dummy Application
The Dummy Application
The Dummy Application
Attack - Introspect the Schema
Attack - Introspect the Schema
Target Attack - Identify and Find Route to Target Fields
Attack - Identify and Find Route to Target Fields
Attack - Identify and Find Route to Target Fields
Attack - Identify and Find Route to Target Fields
Attack - Identify and Find Route to Target Fields
Attack - Identify and Find Route to Target Fields
Attack - Identify and Find Route to Target Fields
Attack - Construct and Execute Query (Demo)
Attack - Construct and Execute Query
Target: OrganizationObject Real World Scenario
Real Case PoC Exploitation Query
Summary
GraphQL Concepts (Schema definition, schema introspection) Traversal Attack (Methodology and attack flow) Case Studies (Implementation)
Thank You Rifqi Hilmy Zhafrant

More Related Content

PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Obrina Briliyant, Hendra Rudiansyah - Network Packet Security...
byidsecconf
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
IDSECCONF2025 - Baskoro Adi Pratomo - Game untuk Pembelajaran Keamanan Siber.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
IDSECCONF2025 - Obrina Briliyant, Hendra Rudiansyah - Network Packet Security...
byidsecconf
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
IDSECCONF2025 - Baskoro Adi Pratomo - Game untuk Pembelajaran Keamanan Siber.pdf
byidsecconf
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 

More from idsecconf

PDF
IDSECCONF2024 Capture The FLag Write up - 3 MAS MAS
byidsecconf
 
PDF
IDSECCONF2024 - Arief Karfianto - AI-Enhanced Security Analysis in Requiremen...
byidsecconf
 
PDF
IDSECCONF2024 - Ryan Fabella, Daniel Dhaniswara - Keamanan Siber Pada Kendara...
byidsecconf
 
PDF
IDSECCONF2024 - Angela Oryza - ITS Nabu-Platform Pelatihan Keamanan Siber den...
byidsecconf
 
PDF
IDSECCONF2024 - Rama Tri Nanda - MQTT hacking, RCE in Smart Router.pdf
byidsecconf
 
PDF
IDSECCONF2024 - Muhammad Dwison - The Implementation Of One Pixel Attack To S...
byidsecconf
 
PDF
IDSECCONF2024 - Kang Ali - Local LLM can Simulate Apt Malware With Jailbreak ...
byidsecconf
 
PDF
IDSECCONF2024 - Brian Nasywa - Comparison of Quantum Key Distribution Protoco...
byidsecconf
 
PDF
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
byidsecconf
 
PDF
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
byidsecconf
 
PDF
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
byidsecconf
 
PDF
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
byidsecconf
 
PDF
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
byidsecconf
 
PDF
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
byidsecconf
 
PDF
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
byidsecconf
 
PDF
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
byidsecconf
 
PDF
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
byidsecconf
 
PDF
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
byidsecconf
 
PDF
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
byidsecconf
 
PDF
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
byidsecconf
 
IDSECCONF2024 Capture The FLag Write up - 3 MAS MAS
byidsecconf
 
IDSECCONF2024 - Arief Karfianto - AI-Enhanced Security Analysis in Requiremen...
byidsecconf
 
IDSECCONF2024 - Ryan Fabella, Daniel Dhaniswara - Keamanan Siber Pada Kendara...
byidsecconf
 
IDSECCONF2024 - Angela Oryza - ITS Nabu-Platform Pelatihan Keamanan Siber den...
byidsecconf
 
IDSECCONF2024 - Rama Tri Nanda - MQTT hacking, RCE in Smart Router.pdf
byidsecconf
 
IDSECCONF2024 - Muhammad Dwison - The Implementation Of One Pixel Attack To S...
byidsecconf
 
IDSECCONF2024 - Kang Ali - Local LLM can Simulate Apt Malware With Jailbreak ...
byidsecconf
 
IDSECCONF2024 - Brian Nasywa - Comparison of Quantum Key Distribution Protoco...
byidsecconf
 
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
byidsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
byidsecconf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
byidsecconf
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
byidsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
byidsecconf
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
byidsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
byidsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
byidsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
byidsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
byidsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
byidsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
byidsecconf
 

IDSECCONF2024 - Rifqi Hilmy Zhafrant - Hunting and Exploiting GraphQL Vulnerability for Phun and Profit.pdf