--[ Breaking GraphQL

Presenter
$ getent passwd gsmith
.
├─── name: Grant Smith
├──── org: Virginia Tech AROTC
└─ social:
   └─ twitter: @S1n1st3rSecuri1
Experience

Grant is a senior at Virginia Tech studying cybersecurity management. He has interned with Army Cyber Command, the Naval Postgraduate School, and the Walt Disney Company, where he worked in exploit development, red teaming, and threat analysis. Grant specializes in web application testing and is the creator of the popular GraphQL assessment tool Graph Crawler.

Abstract

GraphQL usage is growing steadily and shows no sign of stopping. It is a very powerful API layer, and with great power comes great responsibility, which for an attacker means great opportunity to abuse it. That's where we step in. In this presentation we will cover what GraphQL is, how it is used, how to extract as much data from an endpoint as possible, and how to turn that data against the endpoint. We focus on attacking it as a pentester, but knowing these security misconfigurations and how easily they can be abused is useful for everyone, defenders included.
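The abstract promises to show how to pull as much data as possible out of a GraphQL endpoint and then turn it against the endpoint. The added example below (written for this page; it is not code from the talk or from Graph Crawler) assumes that the data in question is the schema obtained through GraphQL's standard introspection query, and shows what a pentester does with it once it is in hand: detect whether introspection is enabled at all, enumerate root queries and mutations with their argument and return types, flag fields whose names hint at sensitive data, and generate a ready-to-send query for any root field. The introspection response used here is a constructed sample, not a capture from a real server, the refusal message in the disabled case is a constructed stand-in for server-specific wording, and the `SENSITIVE_HINTS` list is an illustrative heuristic, not a standard.

```python
"""Summarise a GraphQL introspection response: added example, not Graph Crawler code."""

# The standard introspection query, trimmed to the parts this script consumes.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }  mutationType { name }
    types { kind name
      fields(includeDeprecated: true) { name args { name type { ...T } } type { ...T } } }
  }
}
fragment T on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }
"""

# Helpers that only build the constructed sample response below.
def _ref(kind, name=None, of=None): return {"kind": kind, "name": name, "ofType": of}
def _field(name, ret, args=()): return {"name": name, "type": ret,
                                          "args": [{"name": a, "type": t} for a, t in args]}
def NN(t): return _ref("NON_NULL", of=t)
def LIST(t): return _ref("LIST", of=t)
def S(n): return _ref("SCALAR", n)
def O(n): return _ref("OBJECT", n)

# Constructed sample of what a server with introspection left on returns.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            _field("me", NN(O("User"))),
            _field("user", O("User"), [("id", NN(S("ID")))]),
            _field("users", NN(LIST(NN(O("User")))), [("first", S("Int"))])]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            _field("login", NN(O("AuthPayload")),
                   [("username", NN(S("String"))), ("password", NN(S("String")))])]},
        {"kind": "OBJECT", "name": "User", "fields": [
            _field("id", NN(S("ID"))), _field("email", NN(S("String"))),
            _field("passwordHash", S("String")), _field("isAdmin", NN(S("Boolean")))]},
        {"kind": "OBJECT", "name": "AuthPayload", "fields": [
            _field("token", NN(S("String"))), _field("user", NN(O("User")))]},
        {"kind": "SCALAR", "name": "String", "fields": None},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}
# Constructed refusal; the exact message varies by server.
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}

def introspection_enabled(response):
    """True when the server answered the introspection query with a schema."""
    return (response.get("data") or {}).get("__schema") is not None

def type_str(ref):
    """Render a nested type reference in SDL notation, e.g. [User!]!"""
    if ref["kind"] == "NON_NULL":
        return type_str(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_str(ref["ofType"]) + "]"
    return ref["name"]

def base_type(ref):
    """Strip NON_NULL/LIST wrappers to reach the named type."""
    while ref["kind"] in ("NON_NULL", "LIST"):
        ref = ref["ofType"]
    return ref

def _types(response):
    return {t["name"]: t for t in response["data"]["__schema"]["types"]}

def operations(response):
    """{'query'|'mutation': {field: ({arg: type}, return type)}} for every root field."""
    schema, types, result = response["data"]["__schema"], _types(response), {}
    for kind, key in (("query", "queryType"), ("mutation", "mutationType")):
        if schema.get(key):
            result[kind] = {
                f["name"]: ({a["name"]: type_str(a["type"]) for a in f["args"]}, type_str(f["type"]))
                for f in types[schema[key]["name"]]["fields"] or []}
    return result

SENSITIVE_HINTS = ("password", "token", "secret", "ssn", "apikey", "hash")  # illustrative heuristic

def sensitive_fields(response):
    """Object fields whose names suggest data worth requesting, grouped by type."""
    found = {}
    for t in response["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue
        hits = [f["name"] for f in t["fields"] or []
                if any(h in f["name"].lower() for h in SENSITIVE_HINTS)]
        if hits:
            found[t["name"]] = hits
    return found

def build_query(response, op_name):
    """Ready-to-send query for a root field, selecting every scalar of its return type."""
    schema, types = response["data"]["__schema"], _types(response)
    field = next(f for f in types[schema["queryType"]["name"]]["fields"] if f["name"] == op_name)
    ret = types[base_type(field["type"])["name"]]
    scalars = [f["name"] for f in ret["fields"] or [] if base_type(f["type"])["kind"] in ("SCALAR", "ENUM")]
    decl = ", ".join(f"${a['name']}: {type_str(a['type'])}" for a in field["args"])
    use = ", ".join(f"{a['name']}: ${a['name']}" for a in field["args"])
    head = f"query ({decl})" if decl else "query"
    sel = f"{op_name}({use})" if use else op_name
    return f"{head} {{ {sel} {{ {' '.join(scalars)} }} }}"

if __name__ == "__main__":
    for r in (SAMPLE_RESPONSE, DISABLED_RESPONSE):
        print("introspection enabled:", introspection_enabled(r))
    for kind, ops in operations(SAMPLE_RESPONSE).items():
        for name, (args, ret) in ops.items():
            print(f"{kind} {name}({', '.join(f'{k}: {v}' for k, v in args.items())}): {ret}")
    print("sensitive:", sensitive_fields(SAMPLE_RESPONSE))
    print(build_query(SAMPLE_RESPONSE, "user"))
```

Against a live target, `INTROSPECTION_QUERY` is what gets POSTed as `{"query": ...}` and the JSON reply is what the functions above consume. A server that answers it with a schema has already handed over its full attack surface; a server that refuses is not necessarily safe, since field names can still be guessed or leaked through error messages, but the enumeration step becomes far noisier.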