Github GraphQL Data Exposure

•

0 gostou•97 visualizações

Shahriar Yazdipour

Github Data Exposure and Accessing Blocked Data using GraphQL Security Design Flaw

Engenharia

AGENDA
• BACKGROUND STORY
• WHAT IS GRAPHQL
• RESEARCH PROCESS
• CONCLUSION
2

RESTRICTIONS IN IRAN
3
• GOV loves to make everything difficult
• US also loves to make things harder

BLOCKED BY IRAN GOVERNMENT
4
Facebook
YouTube
Twitter
Reddit
Telegram
Viber
Tumblr
Spotify
SoundCloud
Netflix
Flickr
WordPress
BBC
Voice of America
Al-Arabiya
Fox News
CBS News
Haaretz
Times of India
The Daily Mail
…
More than 300 site ofTop 500
https://gist.github.com/alibo/dfd7c258bcc44a0e8c9f7c5bfd3bd2c3

BLOCKED BY COMPANIES
5
Github
Gitlab
Google Cloud (KhanAcademy,…)
Google/Android Developers
Redhat Repositry
DockerHub
MySQL
Unreal Engine
Intel Download Center
Udemy/Pluralsight
eBay
TeamViewer
MongoDB
Upwork
Avast
GNU Repositories
…
https://gist.github.com/alibo/dfd7c258bcc44a0e8c9f7c5bfd3bd2c3

US TRADE LAW
• July 2019
• Restriction on
creating new
repository
• No Access to
previously created
repositories
Ref. https://techcrunch.com/2019/07/29/github-ban-sanctioned-countries/

FAST FORWARD
• November 2019
• GitHub Launches on
Mobile with iOS
Application
• Only Available for
Beta Testers
Ref https://winbuzzer.com/2019/11/14/github-launches-on-mobile-with-ios-application-xcxwbn/

NEW GITHUB APP
 Get it from Apple TestFlight
 First Publicly AvailableVersion -
Build 45
 Today – Build 81
 Very Basic Features
 Possible to see my blocked
repository 🎉🎉🎉
9

PROXY
11https://www.jorgealdana.pro/blog/seguridad/burp-proxy-aplicacion-de-seguridad-para-desarrolladores-de-android/

GRAPHQL
13
is a new API standard that provides a more
efficient, powerful and flexible alternative to
REST services.
It was developed and open-sourced by Facebook
and is now maintained by a large community of
companies and individuals from all over the
world.
http://graphql.org/

14https://blog.apollographql.com/how-do-i-graphql-2fcabfc94a01

GRAPHQL QUERIES
15
https://graphql.org/learn/queries/

GRAPHQL QUERIES
16
https://graphql.org/learn/queries/

17
https://nordicapis.com/10-graphql-consoles-in-action/

ANALYSIS TRAFFIC – BINARY DATA
22
• file() Method is not mentioned in Github GraphQL Documentation
• Does not work with DeveloperToken!

CAN IT BE GENERALIZED?
MAKE A TOOL OUT OF IT?!
24

FAKE
AUTH
25
• We have the "client_id" and "code“ by sniffing
authentication process.
• Easily get the client_secret

CONCLUSION
Access Repository Information
Access Repository Directory
Access Repository Files
• Reported to Github SecurityTeam
• Category: api.github.com
• Severity: Low
• Weakness: Improper Access Control CWE-284
27

REFERENCE
28
• Github Documentations
• Burp-suite Documentations
• Facebook GraphQl Documentations
• Graphql Octokit Documentation
• OWASP Security Handbook

THANKYOU.
29
ShahriarYazdipour
github.com/yazdipour/presentations

Mais conteúdo relacionado

Semelhante a Github GraphQL Data Exposure

curl - a hobby project that conquered the world

Daniel Stenberg

My Trip to Google I/O 2013

David Wu

5G and 100 years

GLK

Abstract:- Come learn about Google BigQuery and its underlying architecture. Felipe will go over the evolution of BigQuery and explain some of the underlying principles of BigQuery and Dremel. Felipe will also go over some of the latest use cases and will demo a use case of Google BigQuery Bio:- Felipe Hoffa moved from Chile to San Francisco to join Google as a Software Engineer. Since 2013 he's been a Developer Advocate on big data - to inspire developers around the world to leverage the Google Cloud Platform tools to analyze and understand their data in ways they could never before. You can find him in several YouTube videos, blog posts, and conferences around the world. Follow Felipe at https://twitter.com/felipehoffa.

An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google

Data Con LA

Big Data in IoT & Deep Learning Challenges of IoT Big Data Analytics Applications Challenges of Cloud-based IoT Platform Cloud-based IoT Platform Use Case: GE Predix for Smart Building Energy Management Fog/Edge Computing & Micro Data Centers Deep Learning for IoT Big Data Analytics Introduction Deep Learning for IoT Big Data Analytics Use Case Distributed Deep Learning Big Data + IoT + Cloud + Deep Learning Insights from Patents Big Data + IoT + Cloud + Deep Learning Strategy Development Designing Data-Intensive Applications Xanadu Functionality Xanadu Use Case Xanadu + Deep Learning + Hadoop Integration

Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...

Alex G. Lee, Ph.D. Esq. CLP

20150423 Android Taipei : 祖克伯F8的奇幻之旅

PRADA Hsiung

L&D : Looking to the future

Mike Collins

2022 APIsecure_Securing API Tokens on Github

APIsecure_ Official

Mobile DevOps pipeline using Google Flutter

Ahmed Abu Eldahab

APIs in production - we built it, can we fix it?

Martin Gutenbrunner

Drools and jBPM 6 Overview

Mark Proctor

From Java Monoliths to K8s

VMware Tanzu

From Monolith to K8s - Spring One 2020

Mauricio (Salaboy) Salatino

Google deployment manager

Luillyfe Blanco

Android Things Latest News / Aug 25, 2017

Masahiro Hidaka

Wi-Fi Hotspot Attacks

Greg Foss

Immersed in the Web

Luis Diego González-Zúñiga, PhD

You want to implement an Internet of Things (IoT) solution and would like to know if it should be implemented in the cloud or on-premises. You are interested in the cloud offerings of vendors and what benefits they provide and if a similar solution would not be possible on-premises. This presentation deals with this and other questions. Starting from an vendor-independent reference architecture and corresponding design patterns, different cloud solutions from various vendors are compared and rated. Additionally it will be shown how such solution could be implemented on-premises and how a hybrid IoT solution could look like.

Internet of Things (IoT) - in the cloud or rather on-premises?

Guido Schmutz

Iot cloud-or-onprem-170709204236

Aravindharamanan S

Critical Breakthroughs and Challenges in Big Data and Analytics

Data Driven Innovation

Semelhante a Github GraphQL Data Exposure (20)

curl - a hobby project that conquered the world

My Trip to Google I/O 2013

5G and 100 years

An indepth look at Google BigQuery Architecture by Felipe Hoffa of Google

Xanadu for Big Data + IoT + Deep Learning + Cloud Integration Strategy (YouTu...

20150423 Android Taipei : 祖克伯F8的奇幻之旅

L&D : Looking to the future

2022 APIsecure_Securing API Tokens on Github

Mobile DevOps pipeline using Google Flutter

APIs in production - we built it, can we fix it?

Drools and jBPM 6 Overview

From Java Monoliths to K8s

From Monolith to K8s - Spring One 2020

Google deployment manager

Android Things Latest News / Aug 25, 2017

Wi-Fi Hotspot Attacks

Immersed in the Web

Internet of Things (IoT) - in the cloud or rather on-premises?

Iot cloud-or-onprem-170709204236

Critical Breakthroughs and Challenges in Big Data and Analytics

Último

Welcome to the April edition of WIPAC Monthly, the magazine brought to you by Water Industry Process Automation & Control. In this month's edition, along with the latest news from the industry we have articles on: The use of artificial intelligence and self-service platforms to improve water sustainability A feature article on measuring wastewater spills An article on the National Underground Asset Register Have a good month, Oliver

Water Industry Process Automation & Control Monthly - April 2024

Water Industry Process Automation & Control

Unit 2- Effective stress & Permeability.pdf

RagavanV2

VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking Escorts Service Available Whatsapp SABANA ☎️ : [+91-7001035870] Escorts Service are always ready to make their clients happy. Their exotic looks and sexy personalities are sure to turn heads. You can enjoy with them, including massages and erotic encounters. Our area Escorts are young and sexy, so you can expect to have an exotic time with them. They are trained to satiate your naughty nerves and they can handle anything that you want. They are also intelligent, so they know how to make you feel comfortable and relaxed Independent Escorts Service They know all the sex positions and can satisfy you in any way that you desire. They can even give you erotic massages to help you relax before your session. This is essential, because a man who is stressed won’t be receptive to the pleasures of sex. They also know how to play with your sexy organs, so you’ll have plenty of foreplay and cuddling. P252024SS SERVICE ✅ ❣️ ⭐➡️HOT & SEXY MODELS // COLLEGE GIRLS HOUSE WIFE RUSSIAN , AIR HOSTES ,VIP MODELS . AVAILABLE FOR COMPLETE ENJOYMENT WITH HIGH PROFILE INDIAN MODEL AVAILABLE HOTEL & HOME ★ SAFE AND SECURE HIGH CLASS SERVICE AFFORDABLE RATE ★ SATISFACTION,UNLIMITED ENJOYMENT. ★ All Meetings are confidential and no information is provided to any one at any cost. ★ EXCLUSIVE PROFILes Are Safe and Consensual with Most Limits Respected ★ Service Available In: - HOME & HOTEL Star Hotel Service .In Call & Out call SeRvIcEs : ★ A-Level (star escort) ★ Strip-tease ★ BBBJ (Bareback Blowjob)Receive advanced sexual techniques in different mode make their life more pleasurable. ★ Spending time in hotel rooms ★ BJ (Blowjob Without a Condom) ★ Completion (Oral to completion) ★ Covered (Covered blowjob Without condom ★ANAL SERVICES.

VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking

dharasingh5698

ONLINE FOOD ORDER SYSTEM is a website designed primarily for use in the food delivery industry. This system will allow hotels and restaurants to increase scope of business by reducing the labor cost involved. The system also allows to quickly and easily manage an online menu which customers can browse and use to place orders with just few clicks. Restaurant employees then use these orders through an easy to navigate graphical interface for efficient processing.

ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf

Kamal Acharya

NFPA 5000 2024 standard .

DerechoLaboralIndivi

Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand Booking Contact Details :- WhatsApp Chat :- +91-7737669865 Call Girls In Model Towh +91-7737669865 !! Best Woman Seeking Man Call Girls Service, Escorts Service in Home Hotel in NCR 24 Hours Available Service Call Girls, Contact Us +91-7737669865 (Any Time. Any Where) Call Girls in , Noida, Gurgaon, Ghaziabad,Sexy Indian Female Escorts Service NCRWelcome To Escorts Service – An All Over New Very Sexy Hot Call Girls Agency Service Escorts In South NCR’s No. 1 High Profile Independent Female Escorts Service. We Provide Good Quality Educated Profile At #K09 Very Regnebal Price 100% Safe And Original.We Are Provide Escorts Service All OYO Hotels ,3*,4*,5* Star Hotel And Home Flat, Apartment. Guest-House. Services In -Call And Out – Call Both Are Services Available. 24Hrs. Any Time Any Where. In All Over Noida Gurgaon Ghaziabad Faridabad.More Information And Contact Profile Real Pic Visit Our Website City Wise Escorts Service Agency.Good Looking Cheap And Best Models Girls U Can Get Best Click On Link……Night Call Girls Now In Hotel Le Meridien Gurgaon Near Female Escort One Shot — 5000/in call (time 1 hour), 6000/out call Two shot with one girl — 8000/in call (time 2 hour), 10000/out call Body to body massage with sex- 8000/in call (time 1 hour) Full night Service for one person– 12000/in call, 13000/out call (shot limit 3-4 shots) Full night Service for more than 1 person — please contact Us —7737669865 We are available 24*7 all days of the year. Call us — 7737669865 Thank you for Visiting.

Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand

amitlee9823

Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking Booking Now open +91- 7737669865 Why you Choose Us- +91- 7737669865 HOT⇄ 7737669865 Mr ashu ji Call Mr ashu Ji +91- 7737669865 (V020524]N) 𝐇𝐨𝐭𝐞𝐥 𝐑𝐨𝐨𝐦𝐬 𝐈𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐑𝐚𝐭𝐞 𝐒𝐡𝐨𝐭𝐬/𝐇𝐨𝐮𝐫𝐲🆓 .█▬█⓿▀█▀ 𝐈𝐍𝐃𝐄𝐏𝐄𝐍𝐃𝐄𝐍𝐓 𝐆𝐈𝐑𝐋 𝐕𝐈𝐏 𝐄𝐒𝐂𝐎𝐑𝐓 Hello Guys ! High Profiles young Beauties and Good Looking standard Profiles Available , Enquire Now if you are interested in Hifi Service and want to get connect with someone who can understand your needs. Service offers you the most beautiful High Profile sexy independent female Escorts in genuine ✔✔✔ To enjoy with hot and sexy girls ✔✔✔ ★providing:- • Models • vip Models • Russian Models

Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking

roncy bisnoi

Rule 1 − Check for the blocks connected in series and simplify. Rule 2 − Check for the blocks connected in parallel and simplify. Rule 3 − Check for the blocks connected in feedback loop and simplify. Rule 4 − If there is difficulty with take-off point while simplifying, shift it towards right. Rule 5 − If there is difficulty with summing point while simplifying, shift it towards left. Rule 6 − Repeat the above steps till you get the simplified form, i.e., single block.

Block diagram reduction techniques in control systems.ppt

NANDHAKUMARA10

Double Revolving field theory-how the rotor develops torque

BhangaleSonal

Call Girl Aurangabad Indira Call Now: 8617697112 Aurangabad Escorts Booking Contact Details WhatsApp Chat: +91-8617697112 Aurangabad Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts Aurangabad understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide –

(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7

Call Girls in Nagpur High Profile Call Girls

Generative AI or GenAI technology based PPT

bhaskargani46

Call girls in delhi ✔️✔️🔝 9953056974 🔝✔️✔️Welcome To Vip Escort Services In Delhi [ ]Noida Gurgaon 24/7 Open Sex Escort Services With Happy Ending ServiCe Done By Most Attractive Charming Soft Spoken Bold Beautiful Full Cooperative Independent Escort Girls ServiCe In All-Star Hotel And Home Service In All Over Delhi, Noida, Gurgaon, Faridabad, Ghaziabad, Greater Noida, • IN CALL AND OUT CALL SERVICE IN DELHI NCR • 3* 5* 7* HOTELS SERVICE IN DELHI NCR • 24 HOURS AVAILABLE IN DELHI NCR • INDIAN, RUSSIAN, PUNJABI, KASHMIRI ESCORTS • REAL MODELS, COLLEGE GIRLS, HOUSE WIFE, ALSO AVAILABLE • SHORT TIME AND FULL TIME SERVICE AVAILABLE • HYGIENIC FULL AC NEAT AND CLEAN ROOMS AVAIL. IN HOTEL 24 HOURS • DAILY NEW ESCORTS STAFF AVAILABLE • MINIMUM TO MAXIMUM RANGE AVAILABLE. Call Girls in Delhi & Independent Escort Service – CALL GIRLS SERVICE DELHI NCR Vip call girls in Delhi Call Girls in Delhi, Call Girl Service 24×7 open Call Girls in Delhi Best Delhi Escorts in Delhi Low Rate Call Girls In Saket Delhi X~CALL GIRLS IN Ramesh Nagar Metro best Delhi call girls and Delhi escort service. CALL GIRLS SERVICE IN ALL DELHI … (Delhi) Call Girls in (Chanakyapuri) Hot And Sexy Independent Model Escort Service In Delhi Unlimited Enjoy Genuine 100% Profiles And Trusted Door Step Call Girls Feel Free To Call Us Female Service Hot Busty & Sexy Party Girls Available For Complete Enjoyment. We Guarantee Full Satisfaction & In Case Of Any Unhappy Experience, We Would Refund Your Fees, Without Any Questions Asked. Feel Free To Call Us Female Service Provider Hours Opens Thanks. Delhi Escorts Services 100% secure Services.Incall_OutCall Available and outcall Services provide. We are available 24*7 for Full Night and short Time Escort Services all over Delhi NCR. Delhi All Hotel Services available 3* 4* 5* Call Call Delhi Escorts Services And Delhi Call Girl Agency 100% secure Services in my agency. Incall and outcall Services provide. We are available 24*7 for Full Night and short Time Escort Services my agency in all over New Delhi Delhi All Hotel Services available my agency SERVICES [✓✓✓] Housewife College Girl VIP Escort Independent Girl Aunty Without a Condom sucking )? Sexy Aunty.DSL (Dick Sucking Lips)? DT (Dining at the Toes English Spanking) Doggie (Sex style from no behind)?? OutCall- All Over Delhi Noida Gurgaon 24/7 FOR APPOINTMENT Call/Whatsop / 9953056974

Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service

9953056974 Low Rate Call Girls In Saket, Delhi NCR

GAS POWER CYCLES Cycles: Otto, Diesel, Dual, Brayton - Calculation of mean effective pressure - Air standard efficiency - Comparison of cycles INTERNAL COMBUSTION ENGINES Classification - Components and their function - valve timing diagram and port timing diagram - actual and theoretical p-v diagram of two stroke and four stroke engines – carburettor - diesel pump and injector system - battery and magneto ignition system - principles of combustion and detonation in CI engines - lubrication and cooling systems - performance parameters and calculations.

Thermal Engineering Unit - I & II . ppt

DineshKumar4165

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

ssuser89054b

Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil

Cara Menggugurkan Kandungan 087776558899

Unit 1 - Soil Classification and Compaction.pdf

RagavanV2

From customer value engagements to hands-on production support, our Services span across every stage of our customers digital transformation journey, to help ensure that every customer is successful in their adoption of our solutions. • Implementation, Upgrade, Migration, and Maintenance Services • On-Premises and On-Cloud • COTS Training Services; On-Site and Virtual • Software Support Services; Legacy and 3DEXPERIENCE • Value Engagement & Blueprinting • Specialized Consulting and Support Services • Customized Training Services • Automation and Configuration Services • Technical Resource Augmentation Services • Project Management • Know-how Training (mentoring) and Resource Augmentation

Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...

Arindam Chakraborty, Ph.D., P.E. (CA, TX)

Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Booking Booking Now open +91- 7737669865 Why you Choose Us- +91- 7737669865 HOT⇄ 7737669865 Mr ashu ji Call Mr ashu Ji +91- 7737669865 (V020524]N) 𝐇𝐨𝐭𝐞𝐥 𝐑𝐨𝐨𝐦𝐬 𝐈𝐧𝐜𝐥𝐮𝐝𝐢𝐧𝐠 𝐑𝐚𝐭𝐞 𝐒𝐡𝐨𝐭𝐬/𝐇𝐨𝐮𝐫𝐲🆓 .█▬█⓿▀█▀ 𝐈𝐍𝐃𝐄𝐏𝐄𝐍𝐃𝐄𝐍𝐓 𝐆𝐈𝐑𝐋 𝐕𝐈𝐏 𝐄𝐒𝐂𝐎𝐑𝐓 Hello Guys ! High Profiles young Beauties and Good Looking standard Profiles Available , Enquire Now if you are interested in Hifi Service and want to get connect with someone who can understand your needs. Service offers you the most beautiful High Profile sexy independent female Escorts in genuine ✔✔✔ To enjoy with hot and sexy girls ✔✔✔ ★providing:- • Models • vip Models • Russian Models

Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...

roncy bisnoi

Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Girls Waiting For You To Fuck Booking Contact Details WhatsApp Chat: +91-6297143586 pune Escort Service includes providing maximum physical satisfaction to their clients as well as engaging conversation that keeps your time enjoyable and entertaining. Plus they look fabulously elegant; making an impressionable. Independent Escorts pune understands the value of confidentiality and discretion - they will go the extra mile to meet your needs. Simply contact them via text messaging or through their online profiles; they'd be more than delighted to accommodate any request or arrange a romantic date or fun-filled night together. We provide - 01-may-2024(v.n)

Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...

Call Girls in Nagpur High Profile

Intze Overhead Water Tank Design by Working Stress - IS Method.pdf

Er. Suman Jyoti

Github GraphQL Data Exposure

1. GITHUB DATA EXPOSURE AND ACCESSING BLOCKED DATA USING GRAPHQL SECURITY DESIGN FLAW  Research by ShahriarYazdipour  CCSE CONFERENCE 2020  Technische Universität Ilmenau  Feb 2020 1

2. AGENDA • BACKGROUND STORY • WHAT IS GRAPHQL • RESEARCH PROCESS • CONCLUSION 2

3. RESTRICTIONS IN IRAN 3 • GOV loves to make everything difficult • US also loves to make things harder

4. BLOCKED BY IRAN GOVERNMENT 4 Facebook YouTube Twitter Reddit Telegram Viber Tumblr Spotify SoundCloud Netflix Flickr WordPress BBC Voice of America Al-Arabiya Fox News CBS News Haaretz Times of India The Daily Mail … More than 300 site ofTop 500 https://gist.github.com/alibo/dfd7c258bcc44a0e8c9f7c5bfd3bd2c3

5. BLOCKED BY COMPANIES 5 Github Gitlab Google Cloud (KhanAcademy,…) Google/Android Developers Redhat Repositry DockerHub MySQL Unreal Engine Intel Download Center Udemy/Pluralsight eBay TeamViewer MongoDB Upwork Avast GNU Repositories … https://gist.github.com/alibo/dfd7c258bcc44a0e8c9f7c5bfd3bd2c3

6. 6

7. US TRADE LAW • July 2019 • Restriction on creating new repository • No Access to previously created repositories Ref. https://techcrunch.com/2019/07/29/github-ban-sanctioned-countries/

8. FAST FORWARD • November 2019 • GitHub Launches on Mobile with iOS Application • Only Available for Beta Testers Ref https://winbuzzer.com/2019/11/14/github-launches-on-mobile-with-ios-application-xcxwbn/

9. NEW GITHUB APP  Get it from Apple TestFlight  First Publicly AvailableVersion - Build 45  Today – Build 81  Very Basic Features  Possible to see my blocked repository 🎉🎉🎉 9

10. 10

11. PROXY 11https://www.jorgealdana.pro/blog/seguridad/burp-proxy-aplicacion-de-seguridad-para-desarrolladores-de-android/

12. 12 PROCESS

13. GRAPHQL 13 is a new API standard that provides a more efficient, powerful and flexible alternative to REST services. It was developed and open-sourced by Facebook and is now maintained by a large community of companies and individuals from all over the world. http://graphql.org/

14. 14https://blog.apollographql.com/how-do-i-graphql-2fcabfc94a01

15. GRAPHQL QUERIES 15 https://graphql.org/learn/queries/

16. GRAPHQL QUERIES 16 https://graphql.org/learn/queries/

17. 17 https://nordicapis.com/10-graphql-consoles-in-action/

18. ANALYSIS TRAFFIC – REPOSITORY 18

19. ANALYSIS TRAFFIC – DIRECTORY 19

20. ANALYSIS TRAFFIC – DATA 20

21. ANALYSIS TRAFFIC – BINARY DATA 21

22. ANALYSIS TRAFFIC – BINARY DATA 22 • file() Method is not mentioned in Github GraphQL Documentation • Does not work with DeveloperToken!

23. ANALYSIS TRAFFIC – BINARY DATA 23

24. CAN IT BE GENERALIZED? MAKE A TOOL OUT OF IT?! 24

25. FAKE AUTH 25 • We have the "client_id" and "code“ by sniffing authentication process. • Easily get the client_secret

26. FAKE AUTH 26

27. CONCLUSION Access Repository Information Access Repository Directory Access Repository Files • Reported to Github SecurityTeam • Category: api.github.com • Severity: Low • Weakness: Improper Access Control CWE-284 27

28. REFERENCE 28 • Github Documentations • Burp-suite Documentations • Facebook GraphQl Documentations • Graphql Octokit Documentation • OWASP Security Handbook

29. THANKYOU. 29 ShahriarYazdipour github.com/yazdipour/presentations

Github GraphQL Data Exposure

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a Github GraphQL Data Exposure

Semelhante a Github GraphQL Data Exposure (20)

Último

Último (20)

Github GraphQL Data Exposure