Skip to content

Commit

Permalink
Update README.md
Browse files Browse the repository at this point in the history
Signed-off-by: Alex <53379240+AlexandraC0@users.noreply.github.com>
  • Loading branch information
AlexandraC0 authored Nov 14, 2023
1 parent 545d3a8 commit 78e97d6
Showing 1 changed file with 16 additions and 2 deletions.
18 changes: 16 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

# Awesome GraphQL Security [![awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)

A curated list of awesome GraphQL Security frameworks, libraries, software and resources.
A curated list of awesome GraphQL Security frameworks, libraries, software, and resources.

## Contents

Expand All @@ -28,7 +28,7 @@ A curated list of awesome GraphQL Security frameworks, libraries, software and r
### Authentication & Authorization

- [GraphQL Shield](https://github.com/maticzav/graphql-shield) - GraphQL Shield helps you create a permission layer for your application.
- [GraphQL Authz](https://github.com/AstrumU/graphql-authz) - GraphQL Shield helps you create a permission layer for your application.
- [GraphQL Authz](https://github.com/AstrumU/graphql-authz) - GraphQL authorization layer

### Continous Security Testing

Expand Down Expand Up @@ -73,6 +73,7 @@ A curated list of awesome GraphQL Security frameworks, libraries, software and r
- [Clairvoyance](https://github.com/nikitastupin/clairvoyance) - Patrial introspection fetcher when introspection is disabled.
- [GraphQL Path Enum](https://gitlab.com/dee-see/graphql-path-enum) – Tool that lists the different ways of reaching a given type in a GraphQL schema.
- [ShapeShifter](https://github.com/szski/shapeshifter) - Schema extraction to JSON file with introspection.
- [Goctopus](https://github.com/Escape-Technologies/goctopus) - a GraphQL endpoint discovery and fingerprinting tool.

### Exploitation

Expand All @@ -83,19 +84,27 @@ A curated list of awesome GraphQL Security frameworks, libraries, software and r
- [GraphQL Threat Matrix](https://github.com/nicholasaleks/graphql-threat-matrix) - GraphQL threat framework to research security gaps in GraphQL implementations.
- [InQL](https://github.com/doyensec/inql) - A Burp Extension for GraphQL Security Testing.
- [BatchQL](https://github.com/assetnote/batchql) - GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
- [GraphQL wordlist](https://github.com/Escape-Technologies/graphql-wordlist) - the only GraphQL wordlist for pentesting you'll ever need. Operations, field names, type names... It was collected on more than 60k distinct GraphQL schemas.

### Vulnerable Applications

- [Damm Vulnerable GraphQL Application](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application) - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

## Resources

### Academy

- [API Security Academy](https://escape.tech/academy/) - Hands-on learning about GraphQL. Each lesson is built around a WebContainer containing a live GraphQL application, so you'll not only understand why a vulnerability is risky, but also how to exploit it and, most importantly, how to fix it.

### Blogs

- [Access Control Best Practices for GraphQL with Authentication and Authorization](https://blog.escape.tech/authentication-authorization-access-control/) - Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API.
- [Apollo Blog](https://www.apollographql.com/blog/graphql/security/9-ways-to-secure-your-graphql-api-security-checklist/) - Take your GraphQL skills to the next level with our free interactive GraphQL tutorials, videos, quizzes and code challenges.
- [The GraphQL Security Blog](https://blog.escape.tech/9-graphql-security-best-practices/) - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
- [GraphQL for Pentesters](https://www.acceis.fr/graphql-for-pentesters/) - Introduction to Basic Concepts, Security Considerations & Reconnaissance, Vulnerabilities and Attacks, Offensive Tools.
- [GraphQL security for decentralized applications (DApps): challenges and best practices](https://escape.tech/blog/graphql-security-for-dapps/) - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.



### Vulnerabilities

Expand All @@ -106,6 +115,7 @@ A curated list of awesome GraphQL Security frameworks, libraries, software and r
- [HTTPS and GraphQL](https://blog.escape.tech/prevent-data-leaks-with-https/) - How HTTPS can prevent Data Leaks.
- [SQL Injection](https://blog.escape.tech/sql-injection-in-graphql/) - SQL Injections in GraphQL.
- [Verbose Errors Suggestions](https://blog.escape.tech/graphql-verbose-error-suggestions/) - When GraphQL Error Messages become a Security Issue.
- [What are Insecure Direct Object References (IDOR) in GraphQL, and how to fix them](https://escape.tech/blog/idor-in-graphql/) - When GraphQL Error Messages become a Security Issue.

## Contributing

Expand All @@ -116,3 +126,7 @@ We will keep some pull requests open if we are not sure whether those libraries
---

If you have any question about this opinionated list, do not hesitate to contact us [@escapetechHQ](https://twitter.com/escapetechHQ) on Twitter or open an issue on GitHub.

## 🤝 Join our team

We believe it’s time to bring more AI-driven innovation to cybersecurity, and we'd love your help in building this dream! Want to join our adventure? Check out our [**Careers**](https://jobs.escape.tech) page!

0 comments on commit 78e97d6

Please sign in to comment.