
Abstract:
GraphQL has gained traction in many organizations, from Twitter and AirBnB to Atlassian and GitHub. It is effectively the front door to some of the most widely used APIs in the world. Despite this fact, it remains a technology many people in AppSec are unfamiliar with and don't know how to test or secure appropriately. In this workshop, we will provide an overview of the GraphQL technology and various means of attacking it. We will also demonstrate the latest release of the InQL tool we developed to assist with automated vulnerability discovery, along with other tools and technologies available in this space. Attendees should expect to gain enough knowledge from this presentation to begin attacking or defending GraphQL installations on their own.
Anthony Trummer
Anthony Trummer has been working in technology for a couple of decades, with the latter parts focused on security. He's gone from being a small startup's one-person security team, to AppSec and later leading Incident Response at LinkedIn, to building the security team at Tinder, and now helps to run a global AppSec consultancy at Doyensec. He's always been most passionate about AppSec, where he's responsibly disclosed numerous vulnerabilities, presented at conferences all over the world, including DefCon, BSides Las Vegas, OWASP AppSec USA and AppSec California, BlackHat London and many others, and has been recognized in the Android Security Acknowledgements.