Biscuit's Bug Bounty Playbook
  • 👋Introduction to Biscuit's Bug Bounty Playbook
  • Mains
    • 🧾Resume For Cyber Security Freshie
    • 📗Browser extension
    • 📀POC Videos YT Channel
    • 📺55 YouTube Channels To Learn Hacking
    • 👀Hackers to Follow on Social Media
      • Twitter
      • Medium
      • YouTube
      • GitHub
      • Discord Server
      • Security GitBooks
    • 🏅Learn The Basics
      • 🎖️Type Of Cyber Security
      • 🥈Common Job Roles
      • 🥉Get Started With InfoSec
      • ⚕️Best Bug Bounty Platform
      • 🗞️Best InfoSec Writeups Website
      • 🍪Hacking Books
      • 🥂CLI Commands
      • 💿Learn WSL
    • 🧑‍💻Fun Programming Codes
    • 🔮Build your own Bug Bounty Methodology
    • 🎴Bug Bounty Checklist
  • Bug Bounty Reports & Articles
    • 0️⃣Index
    • 1️⃣Takeover's (Accounts, Sub-domains, etc)
      • 🚡Sub Domain Takeover
      • 🚠Account Takeover
      • 🚟dependency confusion vulnerability
    • 2️⃣IDOR (Indirect Object Reference)
    • 3️⃣Leaks & Disclosure (PII, API Key, etc)
    • 4️⃣Open Redirects
    • 5️⃣Request Forgery (CSRF & SSRF)
      • 🟢CSRF
      • 🔴SSRF
    • 6️⃣Injections (HTML, XSS, etc)
      • 🟡XSS
      • 🟠HTML Injection
      • 🟣CR/LF Injection
      • 🟢SSTI
    • 7️⃣Broken Access Control & Broken Authentication
      • ⚙️File Upload Functionality
      • ⚙️Password Reset Functionality
      • ⚙️2FA Functionality
      • ⚙️Oauth Functionality
      • ⚙️Bypassing
      • ⚙️Misconfiguration
    • 8️⃣Web Socket
    • 9️⃣Miscellaneous Reports
    • 0️Cloud
      • 🌩️AWS S3
    • 1️Low Hanging Fruits
    • 2️Cache Poising
    • 3️DOS/DDOS
  • Bug Bounty Platforms
    • 🐛BugCrowd
    • 🐞HackerOne
    • 🪲Intigriti
    • 🐜Open Bug Bounty
  • Exploiting Technologies
    • 0️⃣Introduction
    • 1️⃣Wordpress
    • 2️⃣GraphQL API
    • 3️⃣IDOR Vulnerability
    • Learn Android Hacking
Powered by GitBook
On this page
  1. Exploiting Technologies

GraphQL API

PreviousWordpressNextIDOR Vulnerability

Last updated 3 months ago

GraphQL pentesting focuses on identifying security vulnerabilities in applications that use GraphQL for data querying. Unlike REST APIs, GraphQL allows clients to request specific data, which can expose underlying issues if not properly secured. Key areas of concern include improper authorization checks, excessive data exposure, and insufficient input validation. Pentesters should look for flaws such as introspection queries revealing sensitive schema details, or complex queries leading to denial of service. Ensuring robust input validation, implementing strict authorization checks, and limiting query complexity are essential practices to secure GraphQL endpoints.

Articles and Blog Posts

GitHub Repositories and Resources

Cheat Sheets and Guides

Videos

Social Media Posts

Books

2️⃣
  • Articles and Blog Posts
  • GitHub Repositories and Resources
  • Cheat Sheets and Guides
  • Videos
  • Social Media Posts
  • Books
LogoYesWeHack #1 Bug Bounty Platform in EuropeYesWeHack #1 Bug Bounty Platform in Europe
LogoGraphQLHackTricks
LogoFive easy ways to hack GraphQL targets - IntigritiIntigriti
LogoPayloadsAllTheThings/README.md at master · swisskyrepo/PayloadsAllTheThingsGitHub
Logohackerone-reports/tops_by_bug_type/TOPGRAPHQL.md at master · reddelexc/hackerone-reportsGitHub
LogoGitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema despite disabled introspection!GitHub
LogoGitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHub
LogoGitHub - swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.GitHub
LogoGitHub - dolevf/Damn-Vulnerable-GraphQL-Application: Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.GitHub
LogoGraphQL — Common vulnerabilities & how to exploit themMedium
LogoGraphQL Vulnerabilities | Application Security Cheat Sheet
LogoGraphQL API vulnerabilities | Web Security AcademyWebSecAcademy
LogoGraphQL Pentesting for Dummies! Part-1Anugrah SR | #HackLearnDaily
LogoGraphQL Pentesting for Dummies! Part-2Anugrah SR | #HackLearnDaily
LogoBlack Hat GraphQL: Attacking Next Generation APIsAmazon.com