by shmatt 1592 days ago
There are tons of things to reverse engineer on the frontend. When you think about it, we have so much source code we can read through, and some of it can hide bad engineering that lets you access something you shouldn't be able to, like setting the price of an item via a hidden form parameter, or finding an endpoint that lists every single promo code.

Next time you find a website with a GraphQL API, try running the introspection query[1]. If that doesn't work, try fuzzing[2]. I've found multi-billion dollar companies that have

* Left their GraphQL playground completely open

* Enabled introspection

Once you start, you can dig into the API and figure out if you've found anything interesting.

[1] https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql...

[2] https://github.com/nikitastupin/clairvoyance
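On the defender's side, the first question is whether anyone is sending introspection queries at all. The following is an added example, not code from the post or the linked tools: it scans JSON-per-line access-log records for the `__schema` and `__type` root fields (ignoring `__typename`, which ordinary clients send constantly) and also looks inside batched requests. The log layout with `remote` and raw POST `body` fields is an assumption, and the sample records are constructed.

```python
import json
import re
# Introspection root fields; "__typename" is left out on purpose: it is an ordinary
# meta-field that normal clients (Apollo cache, Relay) send constantly.
INTROSPECTION_FIELDS = {"__schema", "__type"}
_BLOCK_STRING = re.compile(r'"""[\s\S]*?"""')   # blank block strings first
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')       # then ordinary strings
_COMMENT = re.compile(r"#[^\n\r]*")
_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")

def introspection_fields(query: str) -> set[str]:
    """Introspection root fields a document selects; strings/comments are blanked first."""
    # Blanking literals means search(term: "__schema") is not reported as a hit.
    stripped = _COMMENT.sub("", _STRING.sub('""', _BLOCK_STRING.sub('""', query)))
    return set(_NAME.findall(stripped)) & INTROSPECTION_FIELDS

def graphql_operations(body: str) -> list[str]:
    """Query documents in a GraphQL HTTP body, including batched (JSON array) requests."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    ops = payload if isinstance(payload, list) else [payload]
    return [op["query"] for op in ops
            if isinstance(op, dict) and isinstance(op.get("query"), str)]

def scan_request_log(lines: list[str]) -> list[dict]:
    """Report which 'remote' (assumed log field) sent introspection in the raw 'body'."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON noise in the log
        hit = set()
        for doc in graphql_operations(rec.get("body", "")):
            hit |= introspection_fields(doc)
        if hit:
            findings.append({"remote": rec.get("remote"), "fields": sorted(hit)})
    return findings

def _record(remote: str, body) -> str:
    return json.dumps({"remote": remote, "body": json.dumps(body)})
# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    _record("203.0.113.7", {"query": "query Q { __schema { types { name } } }"}),
    _record("198.51.100.2", {"query": '{ products(search: "__schema") { name __typename } }'}),
    _record("203.0.113.9", [{"query": "{ me { id } }"},
                            {"query": '{ __type(name: "User") { fields { name } } }'}]),
]
```

Running `scan_request_log(SAMPLE_LOG)` flags only the first and third clients; the second one merely used the string "__schema" as a search term.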

1 comment

Some companies/APIs do this on purpose, as one of the benefits of GraphQL is its self-documenting nature. If you have a well-secured schema this shouldn't be a problem. If you are doing security through absurdity by having stuff in the schema you don't want people to discover, you are going to have a bad time.
"security through absurdity" — not sure if that's a typo, but I'm stealing it regardless.