Last week, I saw some tools and articles about GraphQL batching attacks. I thought it’s a good idea to cover them in my sample application to see if, how and why they work. GraphQL batching attacks To my application, I added a simple code that draws a random 5-digit...
Server-side hacking techniques
Bypassing AWS SNS webhook verification
In this blogpost, Spaceraccoon describes the story of how he was able to forge arbitrary signatures in AWS’s SNS webhook service. Interestingly, there was literally only one S3 bucket that he had to use to perform this attack and it turned out to be a publicly...
Pause-based desync attacks explained
The last video on my channel is about the CL.0 client-side desync attack. I’m not gonna be artificially modest - I think the video is great and I’m sure that had I seen it first, I would have understood the client-side desync much quicker. It’s because from all my...
Funny origin of an Auth bypass in IIS
Orange Tsai focused his attention on the Microsoft IIS server and specifically - the cache. He found 3 bugs:
CVE-2022-22025 - Microsoft IIS Hash-Flooding DoS
CVE-2022-22040 - Microsoft IIS Cache Poisoning Attack
CVE-2022-30209 - Microsoft IIS Authentication Bypass
The...
Learning GraphQL #4 – REST API as a data source and path traversals in docs
This episode of the learning GraphQL series is getting spicy! It’s because I’m implementing the REST API as a data source and it turned out that by following the official documentation, I introduced a path traversal to my application! In case you are new, this is a...
Hacking APIs
Corey Ball shared some slides from his workshop about hacking APIs. It can help you organise your knowledge about APIs. He also shows some neat tricks like transforming mitmproxy requests into the Swagger specifications format to feed them to Postman. If that’s your...
Real-world cache poisoning examples
I must admit that I don’t test or think about cache poisoning bugs. And I probably should. If you are like me, then join me in reading this article about some real-world cases of cache poisoning bugs....
Why are there so many HTTP request smuggling false-positives?
I get a lot of questions about request smuggling false-positives. So I’m that much happier to see that PinkDraconian made a video specifically about this problem so I can redirect people there. So, if you’ve ever had this false-positive or you are curious what is the...
Learning GraphQL #3 – subscriptions
Welcome to another lesson of the Learning GraphQL course! It’s a series where I develop an application with GraphQL so that you and I understand it better. I also point out anything that stands out to me from the security standpoint - unclear docs, recommendations or...
Learning GraphQL #2 – mutations
In the last lesson from this course, we covered basic queries, arguments, aliases, fragments and variables. In the meantime, I also started creating my own server that relies on GraphQL. So far, it’s pretty much a hello world example but over this course, I will...