Check if the GraphQL API plugin is protected against attacks
leoloso opened this issue
In the presentation Damn GraphQL - Defending and Attacking APIs, security researcher Dolev Farhi brings down a WordPress site by attacking the WPGraphQL endpoint, killing the DB in less than 20 seconds using a simple Python script. Frightening!
The same security researcher created Damn Vulnerable GraphQL Application to highlight several attack vectors against a GraphQL server.
Task: Attack a site running the GraphQL API for WordPress, and assess whether it withstands the attacks.
I'm the security engineer behind DVGA/Damn GraphQL talk, I would be willing to take on this task if you need a pair of hands to test it out.
Hi @dolevf that would be awesome, thanks! (Btw, I loved your presentation!) I'll accept your help.
I still need to protect the server with query complexity analysis, though, and I can only implement it in a few months. I'll keep you updated.