Black Hat GraphQL

Dolev Farhi is a security engineer and author of Black Hat Bash (No Starch Press, forthcoming in 2025). He has extensive experience leading security engineering teams in the Fintech and cybersecurity industries and is currently a distinguished security engineer at Palo Alto Networks, where he builds defenses for the largest cybersecurity company in the world. He has provided training for official Linux certification tracks and, in his spare time, enjoys researching vulnerabilities in IoT devices and building open source offensive security tools. Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished and patented security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his own security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph’s Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing and has over 10 years of experience hacking everything from websites, safes, locks, cars, drones, and even smart buildings.

Foreword
Acknowledgments
Introduction
Chapter 1: A Primer on GraphQL
Chapter 2: Setting Up a GraphQL Security Lab
Chapter 3: The GraphQL Attack Surface
Chapter 4: Reconnaissance
Chapter 5: Denial of Service
Chapter 6: Information Disclosure
Chapter 7: Authentication and Authorization Bypasses
Chapter 8: Injection
Chapter 9: Request Forgery and Hijacking
Chapter 10: Disclosed Vulnerabilities and Exploits
Appendix A: GraphQL API Testing Checklist
Appendix B: GraphQL Security
Resources
Index