Mazin Ahmed

Security Engineer - FullHunt

Mazin Ahmed is a security engineer who specializes in AppSec and offensive security. He is passionate about cyber security and has previously found vulnerabilities in Facebook, Twitter, LinkedIn, and Oracle, to name a few. Mazin is the developer of several popular open-source security tools that have been integrated into security testing frameworks and distributions. He is also a frequent conference speaker and has shared his research at DEFCON, Hack in the Box, Swiss Cyber Storm, AtHack, OPCDE, and OWASP chapters.

Mazin also built FullHunt.io, the next-generation continuous attack surface security platform. He is also passionate about cloud security where he has been running dozens of experiments in the cloud security world.

Presentation Abstract

Attacking GraphQL APIs

GraphQL is an open-source API technology that was developed by Facebook in 2012. GraphQL has gained high popularity in recent years due to its native flexibility, great API features, and endless possibilities for supporting application development.

While GraphQL brings tons of features to organizations, it also significantly expands their attack surface and introduces various security risks.

In this talk, I will explore real-world attack vectors targeting GraphQL APIs, techniques to exploit and abuse GraphQL APIs in production environments, and walk you through several GraphQL API attacks that go beyond the traditional web application attacks on GraphQL.

At the end of this talk, I will share actionable techniques to obtain API visibility and recommendations to secure GraphQL APIs in your organization.