Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

That Single GraphQL Issue That You Keep Missing

doyensec, posted 4 years ago
  • The CSRF attack vector is starting to disappear with the addition of the Same-Site cookie flag. However, there are still many situations where endpoints assumed to be secure can be manipulated into doing something malicious. GraphQL is an up-and-coming technology for querying information, meant to replace REST endpoints.
  • GraphQL uses JSON-based endpoints. A JSON content type triggers a CORS pre-flight request, which means the endpoint is NOT vulnerable to CSRF unless something weird is happening on the back-end. So, the first trick is changing the Content-Type to application/x-www-form-urlencoded in order to bypass this protection.
  • Secondly, if the endpoint accepts any mutations via GET requests, this is an automatic vulnerability. Most frameworks will not validate CSRF tokens on GET requests, so this becomes a really easy target to hit. These are standard CSRF test cases, but it is interesting to hear them called out for GraphQL in particular.
  • The final thing to look out for is Cross-Site Search (XSSearch). The idea is that a malicious user does not have access to some piece of information BUT the victim user does. By launching GET requests that search for that information, a timing difference can be used to figure out whether the data is valid or not. It should be noted that the response to the request is blocked because of the same-site policy.
  • Overall, these are good callouts and I finally have a better understanding of a realistic scenario for XSSearch.
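The three conditions called out above (mutations reachable over GET, a non-JSON body that skips the CORS preflight, and a request arriving from another origin) are exactly what a GraphQL endpoint should reject server-side. The following is an added defensive example, not code from the Doyensec post; the allow-listed origin and the simplified mutation regex are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Assumed values for this example; a real deployment reads them from config.
ALLOWED_ORIGINS = {"https://app.example.com"}
# Simplified: matches a document whose first operation is an explicit mutation.
# Leading GraphQL comments ('# ...') are not handled here.
MUTATION_RE = re.compile(r"^\s*mutation\b")


def is_mutation(query: str) -> bool:
    """Anonymous '{ ... }' and 'query ...' documents are reads; only an
    explicit 'mutation' keyword is treated as a write."""
    return bool(MUTATION_RE.match(query or ""))


def check_graphql_request(method: str, headers: dict, body: str,
                          query_string: str = "") -> tuple[bool, str]:
    """Return (allowed, reason) for an incoming /graphql request.

    Rejects the vectors from the notes above:
      1. mutations over GET (frameworks skip CSRF checks on GET),
      2. POST bodies that are not application/json (a form-urlencoded body
         is a CORS 'simple request', so no preflight protects it),
      3. cross-site POSTs whose Origin header is not allow-listed.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if method == "GET":
        query = parse_qs(query_string).get("query", [""])[0]
        if is_mutation(query):
            return False, "mutation over GET"
        return True, "read-only GET"
    if method != "POST":
        return False, "unsupported method"
    ctype = hdr.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"content-type {ctype or '<none>'} not allowed"
    origin = hdr.get("origin")
    # Browsers send Origin on cross-site POSTs; non-browser clients may omit it.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(doc, dict) or "query" not in doc:
        return False, "missing query"
    return True, "ok"
```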