Biscuit's Bug Bounty Playbook
  • ๐Ÿ‘‹Introduction to Biscuit's Bug Bounty Playbook
  • Mains
    • ๐ŸงพResume For Cyber Security Freshie
    • ๐Ÿ“—Browser extension For Bug Bounty
    • ๐Ÿ“€POC Videos YT Channel
    • ๐Ÿ“บ55 YouTube Channels To Learn Hacking
    • ๐Ÿ‘€Hackers to Follow on Social Media
      • Twitter
      • Medium
      • YouTube
      • GitHub
      • Discord Server
      • Security GitBooks
    • ๐Ÿ…Learn The Basics
      • ๐ŸŽ–๏ธType Of Cyber Security
      • ๐ŸฅˆCommon Job Roles
      • ๐Ÿฅ‰Get Started With InfoSec
      • โš•๏ธBest Bug Bounty Platform
      • ๐Ÿ—ž๏ธBest InfoSec Writeups Website
      • ๐ŸชHacking Books
      • ๐Ÿฅ‚CLI Commands
      • ๐Ÿ’ฟLearn WSL
    • ๐Ÿ‘ฉโ€๐Ÿ’ปFun Programming Codes
    • ๐Ÿ”ฎBuild your own Bug Bounty Methodology
    • ๐ŸŽดBug Bounty Checklist
  • Learn Android Bug Bounty
    • ๐ŸŽฅVideo Tutorials
  • โค๏ธYouTube Channels
  • ๐Ÿ“ฐBug Bounty Reports
  • ๐Ÿ“šBlogs & Writeups
  • ๐ŸนGitHub Repository
  • ๐Ÿ‘จโ€๐Ÿ‘จโ€๐Ÿ‘งConference Talks
  • ๐Ÿ–จ๏ธAutomated Scanners
  • โš™๏ธIntentionally Vulnerable Apps
  • ๐ŸŽฑLearn Drozer For Android Pentesting
  • ๐Ÿช€Learn Frida For Android Pentesting
  • ๐ŸˆBypassing Security Protections in APKs via Objection and Frida
  • ๐ŸชSecurity Tools For Android Pentesting
  • ๐ŸŽนCLI Commands & Shortcuts
  • Bug Bounty Reports & Articles
    • 0๏ธโƒฃIndex
    • 1๏ธโƒฃTakeover's (Accounts, Sub-domains, etc)
      • ๐ŸšกSub Domain Takeover
      • ๐Ÿš Account Takeover
      • ๐ŸšŸdependency confusion vulnerability
    • 2๏ธโƒฃIDOR (Indirect Object Reference)
    • 3๏ธโƒฃLeaks & Disclosure (PII, API Key, etc)
    • 4๏ธโƒฃOpen Redirects
    • 5๏ธโƒฃRequest Forgery (CSRF & SSRF)
      • ๐ŸŸขCSRF
      • ๐Ÿ”ดSSRF
    • 6๏ธโƒฃInjections (HTML, XSS, etc)
      • ๐ŸŸกXSS
      • ๐ŸŸ HTML Injection
      • โšซSQL Injection
      • ๐ŸŸฃCR/LF Injection
      • ๐ŸŸขSSTI
      • ๐Ÿ”ดHost Header Injection
      • ๐Ÿ”ตCSV Injection
    • 7๏ธโƒฃBroken Access Control & Broken Authentication
      • โš™๏ธFile Upload Functionality
      • โš™๏ธPassword Reset Functionality
      • โš™๏ธ2FA Functionality
      • โš™๏ธOauth Functionality
      • โš™๏ธBypassing
      • โš™๏ธMisconfiguration
      • โš™๏ธCaptcha Bypass
    • 8๏ธโƒฃWeb Socket
    • 9๏ธโƒฃMiscellaneous Reports
    • ๐ŸงปRole Management Issue
    • 0๏ธCloud
      • ๐ŸŒฉ๏ธAWS S3
    • 1๏ธLow Hanging Fruits
    • 2๏ธCache Vulnerabilities
    • 3๏ธDOS/DDOS
  • 4๏ธForced Browsing
  • Bug Bounty Platforms
    • ๐Ÿ›BugCrowd
    • ๐ŸžHackerOne
    • ๐ŸIntigriti
    • ๐ŸœOpen Bug Bounty
  • Exploiting Technologies
    • 0๏ธโƒฃIntroduction
    • 1๏ธโƒฃWordpress
    • 2๏ธโƒฃGraphQL API
    • 3๏ธโƒฃIDOR Vulnerability
Powered by GitBook
On this page
  • Articles and Blog Posts
  • GitHub Repositories and Resources
  • Cheat Sheets and Guides
  • Videos
  • Social Media Posts
  • Books
  1. Exploiting Technologies

GraphQL API

PreviousWordpressNextIDOR Vulnerability

Last updated 8 months ago

GraphQL pentesting focuses on identifying security vulnerabilities in applications that use GraphQL for data querying. Unlike REST APIs, GraphQL allows clients to request specific data, which can expose underlying issues if not properly secured. Key areas of concern include improper authorization checks, excessive data exposure, and insufficient input validation. Pentesters should look for flaws such as introspection queries revealing sensitive schema details, or complex queries leading to denial of service. Ensuring robust input validation, implementing strict authorization checks, and limiting query complexity are essential practices to secure GraphQL endpoints.

Articles and Blog Posts

GitHub Repositories and Resources

Cheat Sheets and Guides

Videos

Social Media Posts

Books

2๏ธโƒฃ
YesWeHack #1 Bug Bounty Platform in EuropeYesWeHack #1 Bug Bounty Platform in Europe
GraphQLHackTricks
Five easy ways to hack GraphQL targets - IntigritiIntigriti
PayloadsAllTheThings/README.md at master ยท swisskyrepo/PayloadsAllTheThingsGitHub
Logo
hackerone-reports/tops_by_bug_type/TOPGRAPHQL.md at master ยท reddelexc/hackerone-reportsGitHub
Logo
Logo
Logo
GitHub - nikitastupin/clairvoyance: Obtain GraphQL API schema despite disabled introspection!GitHub
GitHub - dolevf/graphw00f: graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.GitHub
GitHub - swisskyrepo/GraphQLmap: GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.GitHub
GitHub - dolevf/Damn-Vulnerable-GraphQL-Application: Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.GitHub
GraphQLโ€Šโ€”โ€ŠCommon vulnerabilities & how to exploit themMedium
GraphQL Vulnerabilities | Application Security Cheat Sheet
GraphQL API vulnerabilities | Web Security AcademyWebSecAcademy
Logo
GraphQL Pentesting for Dummies! Part-1Anugrah SR | #HackLearnDaily
Logo
GraphQL Pentesting for Dummies! Part-2Anugrah SR | #HackLearnDaily
Logo
Logo
Logo
Logo
Logo
Logo
Logo
Black Hat GraphQL: Attacking Next Generation APIsAmazon.com
Logo
Logo