Check if the GraphQL API plugin is protected against attacks #865

leoloso · 2021-07-24T07:31:28Z

In presentation Damn GraphQL - Defending and Attacking APIs - Dolev Farhi, a security researcher brings down a WordPress site by attacking the WPGraphQL endpoint, killing the DB in less than 20 seconds using a simple Python script. Frightening!

The same security researcher created Damn Vulnerable GraphQL Application to highlight several attach vectors to a GraphQL server.

Task: Attack a site running the GraphQL API for WordPress, and make an assessment if it withstands the attacks.

dolevf · 2021-08-19T16:09:13Z

I'm the security engineer behind DVGA/Damn GraphQL talk, I would be willing to take on this task if you need a pair of hands to test it out.

leoloso · 2021-08-20T02:03:52Z

Hi @dolevf that would be awesome, thanks! (Btw, I loved your presentation!) I'll accept your help.

I still need to protect the server by query complexity analysis, though, and I can only implement it in a few months. I'll keep you updated

leoloso added GraphQL API for WP security labels Jul 24, 2021

leoloso self-assigned this Jul 24, 2021

leoloso added the pending label Jan 18, 2023

leoloso closed this as completed Jan 18, 2023

Provide feedback