LiveUnderflow | Using CodeQL to Investigate GraphQL Resolvers @LiveUnderflow | Uploaded 1 year ago | Updated 47 minutes ago
First time using CodeQL, trying to find an access control bug in a nodeJS application using ApolloServer for GraphQL.
My Shop (advertisement): shop.liveoverflow.com
CodeQL: codeql.github.com
RedEye: github.com/cisagov/RedEye
Reported Issue: github.com/cisagov/RedEye/issues/55
Chapters:
00:00 - Introduction
04:20 - The Research Question
06:40 - Getting Started CodeQL
09:24 - CodeQL for Visual Studio Code
12:41 - CodeQL Setup
16:55 - Create CodeQL Database
20:29 - Running First Query
22:26 - AST Viewer
28:36 - Create New Query
38:36 - ChatGPT Mixes CodeQL with SQL
30:28 - First Successful Query - Review Results
41:25 - Adding "Mutations" to Query
45:05 - Discovering Bug
45:56 - Proof of Concept with Burp
47:14 - Create Mutation PoC with ChatGPT
49:01 - Report Bug
50:16 - Conclusion
---
→ Twitch Subscription: twitch.tv/products/liveoverflow
→ per Video: patreon.com/join/liveoverflow
→ per Month: youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
=[ 📄 Info. ]=
Main Channel: youtube.com/LiveOverflowCTF
Twitch: twitch.tv/LiveOverflow
=[ 🐕 Social ]=
→ Twitter: twitter.com/LiveOverflow
→ Website: liveoverflow.com
→ Subreddit: reddit.com/r/LiveOverflow
→ Facebook: facebook.com/LiveOverflow
-=[ 📄 P.S. ]=-
#liveoverflow
First time using CodeQL, trying to find an access control bug in a nodeJS application using ApolloServer for GraphQL.
My Shop (advertisement): shop.liveoverflow.com
CodeQL: codeql.github.com
RedEye: github.com/cisagov/RedEye
Reported Issue: github.com/cisagov/RedEye/issues/55
Chapters:
00:00 - Introduction
04:20 - The Research Question
06:40 - Getting Started CodeQL
09:24 - CodeQL for Visual Studio Code
12:41 - CodeQL Setup
16:55 - Create CodeQL Database
20:29 - Running First Query
22:26 - AST Viewer
28:36 - Create New Query
38:36 - ChatGPT Mixes CodeQL with SQL
30:28 - First Successful Query - Review Results
41:25 - Adding "Mutations" to Query
45:05 - Discovering Bug
45:56 - Proof of Concept with Burp
47:14 - Create Mutation PoC with ChatGPT
49:01 - Report Bug
50:16 - Conclusion
---
→ Twitch Subscription: twitch.tv/products/liveoverflow
→ per Video: patreon.com/join/liveoverflow
→ per Month: youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
=[ 📄 Info. ]=
Main Channel: youtube.com/LiveOverflowCTF
Twitch: twitch.tv/LiveOverflow
=[ 🐕 Social ]=
→ Twitter: twitter.com/LiveOverflow
→ Website: liveoverflow.com
→ Subreddit: reddit.com/r/LiveOverflow
→ Facebook: facebook.com/LiveOverflow
-=[ 📄 P.S. ]=-
#liveoverflow