OWASP / wstg

The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
https://owasp.org/www-project-web-security-testing-guide/
Creative Commons Attribution Share Alike 4.0 International

Study of API Testing #492

Open ThunderSon opened 4 years ago

ThunderSon commented 4 years ago

What would you like to happen?

APIs come in different flavors: REST, SOAP, GraphQL, etc. To simply say "API Testing" is a little bit ludicrous, and it should be broken down better. Issue #267 should adapt according to the plan that will be described in this issue.

What do you think? I believe this can handle a call, or maybe we could try to plan it out and then combine our ideas in one thread to see what would work best.

Pinging the API Security team to get their feedback on this in order to have a well-fleshed-out plan. cc: @ErezYalon @PauloASilva @inonshk

PauloASilva commented 4 years ago

Thanks for pinging. I do agree we can do a better job breaking the API Testing per "API flavor".

Since GraphQL is getting lots of attention, I suggest starting with this one, followed by REST and SOAP. I think we should leave the door open to other flavors such as JSON-RPC, ...

What's the plan?

Cheers, Paulo A. Silva

ThunderSon commented 4 years ago

I agree with that, as GraphQL is the least documented attack vector between them as well.

What I have in mind is this:

  1. Create the issues, with priorities (GQL -> REST -> SOAP).
  2. Create an outline of the test scenario.
  3. Divide the work between the possible attack vectors for every scenario so it can be tackled by contributors (whether from our side or yours, if it's of interest to you).

In the issue opened, we'll need to provide references so that a contributor is capable of understanding what their scenario will be based on.

What do you think?

ThunderSon commented 4 years ago

Work has started on the GraphQL Cheat Sheet. Once that is done, I believe effort will come over to this side to write the offensive part.

ThunderSon commented 4 years ago

An attack that was disclosed just today on Twitter's GraphQL: https://hackerone.com/reports/885539

PauloASilva commented 4 years ago

Nice one.

We (me and @dsopas) will present and discuss two GraphQL issues we've found recently as part of our DefCon AppSec Village talk: API (in)Security TOP 10: Guided tour to the Wild Wild World of APIs.

Since DefCon is in Safe Mode, you'll be able to watch this and all other talks on the AppSec Village YouTube channel.

ThunderSon commented 4 years ago

Sounds lovely! Looking forward to it :)

github-actions[bot] commented 4 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

PauloASilva commented 3 years ago

On the API Testing side, MindAPI is becoming a valuable asset. Not sure how it can be included, but I am sure it's worth a reference.

Cheers, Paulo A. Silva

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 30 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 3 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.

github-actions[bot] commented 2 years ago

Please comment if you are still working on this issue, as it has been inactive for 90 days. To give everyone a chance to contribute, we are releasing it to new contributors.