2026-05-07, Workshops and Stage - Gernsback (C1.05.02)
SQL injection and broken authentication remain persistent threats in modern web applications, yet many developers continue to assume that new technologies are immune to classic attacks. This presentation examines a real-world penetration test where we discovered critical SQL injection and authentication bypass vulnerabilities in a production GraphQL API backed by PostgreSQL—proving that architectural shifts don't eliminate fundamental security flaws.
Organizations migrating to GraphQL often operate under a false sense of security, believing modern frameworks inherently protect against legacy vulnerabilities. This case study proves otherwise.
We'll walk through the complete exploitation chain—from GraphQL schema enumeration and identifying injection points in resolvers, to executing time-based blind SQL injection that achieved PostgreSQL superuser access. We'll also demonstrate how broken authentication patterns in GraphQL's authorization layer enabled unauthorized data access.
The talk will include a live demo of GrapeQL, an open-source tool for automated GraphQL vulnerability scanning, with practical demonstrations of effective testing workflows. Attendees will learn GraphQL-specific mitigation strategies including parameterized queries in resolvers, proper input validation for nested structures, resolver-level authorization, rate/depth limiting, and security-focused schema design patterns.
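To make the first two mitigations concrete, here is an added example that is not code from the talk or from GrapeQL: a resolver for a hypothetical `user(name: String!)` field backed by PostgreSQL, once with the SQL built by string interpolation and once with a bound parameter plus a resolver-level authorization check. The `makeFakePg` stub and the inputs are constructed for illustration; it mimics the `pool.query(text, values)` call shape of the `pg` client but only records the statement it would send, so the block runs offline.

```javascript
// Stand-in for a pg Pool: records statements instead of contacting PostgreSQL.
function makeFakePg() {
  const sent = [];
  return {
    sent,
    // Same call shape as pg's pool.query(text, values), but synchronous here.
    query(text, values = []) { sent.push({ text, values }); return { rows: [] }; },
  };
}

// Vulnerable: the argument becomes part of the SQL text, so a quote in
// args.name changes the statement PostgreSQL receives.
function vulnerableResolver(db) {
  return (_parent, args) => {
    const sql = `SELECT id, name FROM users WHERE name = '${args.name}'`;
    return db.query(sql).rows;
  };
}

// Hardened: fixed SQL text with a $1 placeholder, the argument travels
// separately as a bound value, the input is validated, and the resolver
// itself refuses unauthenticated callers rather than trusting the schema layer.
function safeResolver(db) {
  return (_parent, args, context = {}) => {
    if (!context.user) throw new Error('unauthenticated');
    if (typeof args.name !== 'string' || args.name.length > 64) {
      throw new Error('invalid name argument');
    }
    const sql = 'SELECT id, name FROM users WHERE name = $1';
    return db.query(sql, [args.name]).rows;
  };
}

// Run one resolver against a fresh stub and return the statement it emitted.
function capturedStatement(factory, name, context) {
  const db = makeFakePg();
  factory(db)(null, { name }, context);
  return db.sent[0];
}

// Constructed inputs: an ordinary name and one carrying a SQL metacharacter.
const NORMAL = 'alice';
const HOSTILE = "alice' OR 1=1 --";
const USER = { user: { id: 7 } };  // constructed authenticated context

// The vulnerable resolver's SQL text changes with the input; the safe one's
// text stays fixed and the input shows up only in the values array.
console.log(capturedStatement(vulnerableResolver, HOSTILE).text);
console.log(capturedStatement(safeResolver, HOSTILE, USER));
```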
Aleksa is a passionate security engineer, software developer, and aspiring open sorcerer. He enjoys writing and publishing software that provides elegant solutions to offensive security problems. He has contributed to multiple projects, including Metasploit. In April of 2022, Aleksa graduated from the University of Toronto with a bachelor’s degree in computer science and a Certificate of Ethical Hacking (CEHv10). He began working as a Cloud Security consultant and hacker. He also began attending Defcon as an attendee and a volunteer for the Blue Team Village (BTV). One of Aleksa’s fondest cybersecurity memories is playing the Pros Versus Joes CTF during BSides Las Vegas. By April 2024, Aleksa had obtained his OSCP and begun working as a security engineer at Praetorian. He is currently pursuing his OSCE3. He enjoys Brazilian Jiu-Jitsu, running long distances, and reading in his free time. He currently holds a blue belt in Brazilian Jiu-Jitsu. The book Mastery by Robert Greene is a big inspiration for Aleksa.