BSides Oslo 2023 – Swan Beaujard & Gautier Ben Aïm – State of GraphQL Security 2023
Author: BSides Oslo
Uploaded: 2025-07-17
Views: 45
Description:
Join Swan Beaujard and Gautier Ben Aïm for an incisive look at GraphQL vulnerabilities. This groundbreaking research, involving a scan of over 1500 GraphQL endpoints, revealed a staggering 46,000+ security issues and sensitive data leaks, all accessible without authentication and with 10% classified as critical.
In this session, Gautier and Swan will share their unique testing methodology and delve into the most common GraphQL vulnerabilities unearthed during their research. They’ll expose GraphQL-specific vulnerabilities, including complexity issues and schema leaks, alongside persistent standard API security threats like injections and server errors.
They’ll also highlight the often-underestimated problem of data leaks, including sensitive personal information and tokens. But, they won’t leave you in the trenches; they’ll showcase practical remediation strategies, introducing tools like GraphQL Armor and a handy security checklist for developers.
This talk isn’t just about raising alarms; it’s about equipping you with the tools to secure your GraphQL applications. Leave with a newfound understanding of GraphQL’s security landscape, a respect for its potential vulnerabilities, and a clear path to application safety.
Gautier Ben Aïm:
Gautier is a full-stack web engineer at Escape, where he created the Escape Academy - an open source initiative aimed at training developers in GraphQL security. This project builds upon his experience developing CTF challenges for security conferences like THCon in France.
Swan Beaujard:
Swan is a security software engineer at Escape, specializing in dynamic application security testing. He is also a core contributor to open source projects related to GraphQL security, has experience in reverse engineering, and is passionate about software engineering.
---
BSides Oslo is an independent, community-driven, inclusive information security conference. As part of the global Security BSides network, the conference creates a space for members of the information security community to come together and share their knowledge and experiences. BSides Oslo is intended for anyone working in, studying, or interested in security.