Black Hat GraphQL: Attacking Next Generation APIs

Nick Aleks, Dolev Farhi, Opheliar Chan

  • Publisher: No Starch Press
  • Publication date: 2023-05-23
  • List price: $2,100
  • Sale price: $1,890 (10% off list)
  • Language: English
  • Pages: 320
  • Binding: Quality Paper (trade paperback)
  • ISBN: 1718502842
  • ISBN-13: 9781718502840
  • Categories: Web API, Information Security

Description

Written by hackers for hackers, this hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you're a penetration tester, security analyst, or software engineer, you'll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required.

Following an introduction to core concepts, you'll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries.

You'll also learn how to:

  • Use data collection and target mapping to learn about targets
  • Defend APIs against denial-of-service attacks and exploit insecure configurations in GraphQL servers to gather information on hardened targets
  • Impersonate users and take admin-level actions on a remote server
  • Uncover injection-based vulnerabilities in servers, databases, and client browsers
  • Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf
  • Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies

This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.
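As an added example (not code from the book or from this listing) of the denial-of-service and insecure-configuration points in the list above: a small Python gate that rejects over-deep queries, alias-batched requests and introspection on a production endpoint. The limits, function names and sample queries are all assumptions constructed for this illustration.

```python
"""Added example: a query-cost gate for a GraphQL endpoint.

Illustrative code written for this listing, not code from the book.
Thresholds and sample queries are constructed assumptions; a production
implementation should walk the AST produced by the server's GraphQL parser
instead of scanning raw text as done here.
"""
import re

# Assumed limits; tune them to the real schema.
MAX_DEPTH = 5       # deepest allowed nesting of selection sets
MAX_ALIASES = 10    # aliased fields per document (alias-based batching)


def _selection_text(query: str) -> str:
    """Strip comments, string literals and argument lists so that only the
    selection-set structure (braces, field names, aliases) remains."""
    query = re.sub(r"#[^\n]*", "", query)                        # comments
    query = re.sub(r'""".*?"""', '""', query, flags=re.DOTALL)   # block strings
    query = re.sub(r'"(?:\\.|[^"\\\n])*"', '""', query)          # strings
    out, paren_depth = [], 0
    for ch in query:
        if ch == "(":
            paren_depth += 1
        elif ch == ")":
            paren_depth = max(paren_depth - 1, 0)
        elif paren_depth == 0:
            out.append(ch)
    return "".join(out)


def analyze(query: str) -> dict:
    """Return nesting depth, alias count and whether introspection fields are used."""
    text = _selection_text(query)
    depth = max_depth = 0
    for ch in text:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    # With arguments removed, any remaining "name: name" pair is a field alias.
    aliases = len(re.findall(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*", text))
    introspection = re.search(r"\b__(?:schema|type)\b", text) is not None
    return {"depth": max_depth, "aliases": aliases, "introspection": introspection}


def check(query: str, max_depth: int = MAX_DEPTH, max_aliases: int = MAX_ALIASES,
          allow_introspection: bool = False):
    """Decide whether to execute the document; returns (allowed, reason)."""
    m = analyze(query)
    if m["depth"] > max_depth:
        return False, f"query depth {m['depth']} exceeds limit {max_depth}"
    if m["aliases"] > max_aliases:
        return False, f"{m['aliases']} aliased fields exceed limit {max_aliases}"
    if m["introspection"] and not allow_introspection:
        return False, "introspection is disabled on this endpoint"
    return True, "ok"


# Constructed sample documents (not taken from the book).
BENIGN = """
query User($id: ID!) {
  user(id: $id) { name email posts(first: 5) { title } }
}
"""

# Deep nesting: every level multiplies resolver work (DoS via query depth).
DEEP = "query Deep { user(id: 1) { friends { friends { friends { friends { friends { name } } } } } } }"

# Alias batching: one HTTP request carrying many login attempts, which
# slips past rate limits that count requests rather than operations.
BATCH = "query Brute {\n" + "\n".join(
    f'  t{i}: login(username: "admin", password: "pw{i}") {{ token }}' for i in range(12)
) + "\n}"

# Introspection: the schema dump that hardened deployments usually switch off.
INTROSPECT = "{ __schema { types { name } } }"

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("deep", DEEP),
                      ("batch", BATCH), ("introspect", INTROSPECT)]:
        print(name, analyze(doc), check(doc))
```

Brace counting is enough to show the idea, but a real deployment should enforce these limits on the parsed AST through the server's validation hooks, and pair depth and alias limits with per-field cost analysis, since a shallow query over a large list can be just as expensive as a deep one.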

About the Authors

Dolev Farhi is a security engineer and author with extensive experience leading security engineering teams at scale in complex Fintech and cybersecurity environments. He is currently the Principal Security Engineer at Wealthsimple, building defenses for one of the fastest-growing Fintech companies in North America. Dolev has previously worked for several security firms and provided training for official Linux certification tracks. He is one of the founders of DEFCON Toronto (DC416), a popular Toronto-based hacker group. In his spare time, he enjoys researching vulnerabilities in IoT devices, participating in and building CTF challenges, and contributing exploits to Exploit-DB.

Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished and patented security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his own security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph's Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing and has over 10 years of experience hacking everything from websites, safes, locks, cars and drones to smart buildings.
