GraphQL Security Testing Technical Workshop

HawkScan offers integrations with CI/CD platforms like GitHub Actions and CircleCI, communication tools like Slack and MS Teams, and issue tracking systems like JIRA. It also supports webhook integrations for custom workflows.

GraphQL is a query language and a type of API characterized by a single endpoint URL, typically '/graphql'. It is designed for developers to request exactly the data they need, making APIs more efficient and performant.

The two main types of operations performed in a GraphQL API are queries and mutations. Queries are used to fetch data and are typically considered safe operations, while mutations are used to modify data and can also fetch data.

GraphQL introspection is a powerful feature that allows clients to query a GraphQL server about the types it supports and the queries it can handle. This can be used to generate a schema or build client tools.

Dynamic Application Security Testing (DAST) is a type of scanning technology used to identify vulnerabilities in running applications. It involves sending requests to the application and analyzing the responses to detect potential security issues.

DAST is considered effective because it tests the application in a state that closely mimics how it runs in production, potentially leading to fewer false positives and the identification of real, exploitable vulnerabilities.

GraphQL scanning often requires specialized techniques due to the nature of GraphQL APIs, such as using introspection to understand the schema. It focuses on effectively querying the schema without overwhelming the service or missing critical endpoints.

HawkScan is a security scanning tool based on the OWASP ZAP project, enhanced for better performance and integration. For GraphQL, it utilizes schema discovery via introspection to tailor the scan towards GraphQL-specific vulnerabilities.