JWT Authentication Bypass

What are JWTs? JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. Theoretically, they can contain any kind of data, but they are often used to send information about users as part of authentication, session handling, and access control mechanisms. Unlike classic session tokens, all of the data...

Hacking GraphQL (Pt. 3)

In Part 2 of the Hacking GraphQL series, we discussed the GraphQL DoS attack. In Part 3, we're going to try to exploit the SQLi vulnerability, which is included in the OWASP Top Ten Web Application Security Risks. In this blog post, we will use the same setup as Part 1 of the series, i.e. GraphQL Security Labs. A...

Hacking GraphQL (Pt. 2)

In Part 1 of the Hacking GraphQL series, we discussed the basics of GraphQL. In Part 2 of this series, we're going to try the DoS attack vector and see how adversaries can leverage it. In this post, we are going to use the same setup as Part 1 of the series, i.e. GraphQL...

Hacking GraphQL (Pt. 1)

In this blog post, we are going to use a publicly available application that uses a vulnerable GraphQL implementation, developed by . GraphQL is quickly becoming an alternative to REST APIs, being able to request a specified set of data across multiple resources within a single request. But with great power comes great security risk....