Using CodeQL to Investigate GraphQL Resolvers
Рет қаралды 15,891
Күн бұрынFirst time using CodeQL, trying to find an access control bug in a nodeJS application using ApolloServer for GraphQL.
My Shop (advertisement): shop.liveoverflow.com/
CodeQL: codeql.github.com/
RedEye: github.com/cisagov/RedEye
Reported Issue: github.com/cisagov/RedEye/iss...
Chapters:
00:00 - Introduction
04:20 - The Research Question
06:40 - Getting Started CodeQL
09:24 - CodeQL for Visual Studio Code
12:41 - CodeQL Setup
16:55 - Create CodeQL Database
20:29 - Running First Query
22:26 - AST Viewer
28:36 - Create New Query
38:36 - ChatGPT Mixes CodeQL with SQL
30:28 - First Successful Query - Review Results
41:25 - Adding "Mutations" to Query
45:05 - Discovering Bug
45:56 - Proof of Concept with Burp
47:14 - Create Mutation PoC with ChatGPT
49:01 - Report Bug
50:16 - Conclusion
---
→ Twitch Subscription: / liveoverflow
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 📄 Info. ]=
Main Channel: / liveoverflowctf
Twitch: / liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
=[ 📄 P.S. ]=
#liveoverflow
@jtw-r Жыл бұрын
currently spending 9 hour days in graphql land for my company… and i saw this video. praying it isn’t a vulnerability i have to fix on my system 🙃
@alexandreabashia Жыл бұрын
48:12
@0xgodson119 Жыл бұрын
thanks,this is something i wanted to learn for long time and i learned something here
@hacktheboard Жыл бұрын
It's very interesting and I can think of a lot of use cases where this tool can be helpful.
@cvabds Жыл бұрын
This video was awesome, you are awesome 😎 you are too humble
@GeekMasher Жыл бұрын
So happy I could help!
@gameboyv1790 Жыл бұрын
hi
@Tiberius_Claudius Жыл бұрын
But what if you also look for a vulnerability in the code of minecraft plugins?
@sketchwaretagalogtutorials Жыл бұрын
Happy, I helped too
@sushilakaushik1867 Жыл бұрын
Wow!
@pwnweb5734 7 ай бұрын
information explosion at @17:09
@futhedude4848 10 ай бұрын
recap: example of use CodeQL to write code manually to detect if the code missing "Authorization" decorator in some GrapQL project.
@chasejensen88 Жыл бұрын
12:47 - Hi mom, yeah are you a database? No? Well what about Dad is he a database? No? Ok, Grandma? Mittens the kitten? Archie the doggie? WHAT THE _____ IS A Database?! Oh, it's a directory containing queryable data extracted from the code. Oh, ok
@xerwinxpl 7 ай бұрын
i love how he acts when he is confused
@JamieNadeau 5 ай бұрын
this whole thing is confusing to setup, they need to update their instructions to make it less confusing
@apidas Жыл бұрын
graphql is a joke
ОВР Шоу
Рет қаралды 9 МЛН
Low Level Learning
Рет қаралды 1,3 МЛН
Red Team Village
Рет қаралды 2,4 М.
Typecase
Рет қаралды 12 МЛН
Тима Бичевский
Рет қаралды 1,8 МЛН
Павел Хмурчик
Рет қаралды 904 М.
KingStore_astrakhan
Рет қаралды 5 МЛН