Since the first time I studied JWT, I found it one of the most intriguing topics to discuss about web application security, and there are good reasons for this. Introduced in 2010, JSON Web Tokens (JWTs) only started gaining mainstream traction after 2018, marking them as a relatively modern technological advancement. Because it is new,...
What are JWTs? JSON web tokens (JWTs) are a standardized format for sending cryptographically signed JSON data between systems. Theoretically, they can contain any kind of data, but are often used to send information about users as part of authentication, session handling, and access control mechanisms. Unlike the classic session tokens, all of the data...
In Part 2 of the Hacking GraphQL series, we discussed the GraphQL DoS attack. In Part 3, we’re going to try to exploit the SQLi vulnerability, included in the OWASP Top Ten Web Application Security Risks. In this blog post, we will use the same setup as Part 1 of the series i.e., GraphQL Security Labs. A...
In part 1 of the Hacking GraphQL series, we discussed about the basics of GraphQL. In part 2 of this series, we’re going to try the DoS attack vector and see how adversaries can leverage them. In this post, we are going to use the same setup as part 1 of the series i.e. GraphQL...
In this blog post, we are going to use a publicly available application that uses a vulnerable GraphQL implementation, developed by GraphQL is quickly becoming the alternative to REST API, being able to request a specified set of data across multiple resources within a single request. But with great power come great security risks. A...
