BSides Cape Town 2024

Keith Makan


What is your X (Twitter) URL?

https://twitter.com/kmsecurity3

What is your LinkedIn profile URL?

https://www.linkedin.com/in/keith-m-766b823a/

What is your blog or portfolio URL?

https://blog.k3170makan.com


Session

12-07
15:05
30min
Attacking GraphQL : A guide for penetration testers
Keith Makan

What's GraphQL? How do you pwn it? And what do I write in my pentest report if I get this in a test? If these questions get your heart racing, fret not, this talk is for you!

GraphQL is, at minimum, yet another API technology your company can get horribly wrong. The technology has grown considerably as an API interface technology in the last few years. With the growing interest, security engineering has been a keen focus for deployments because the technology is new, promises a lot (i.e. strict data typing, query batching and nesting, rapid adaptability etc.) and may not deliver the same impact in all environments or use cases. Furthermore, in the contemporary landscape there are a number of services and open source projects that make this accessible, each with their own set of complexities and pitfalls. With all these newfangled environments, a novel query language, and wildly variable backends, pentesters and security engineers need a good overview in order to navigate a security assessment or deployment. This talk aims to provide guidance to pentesters in navigating these environments, using the free and open source tooling on offer, and delivering a good quality penetration test against GraphQL environments.

Track 1