Using CodeQL to Investigate GraphQL Resolvers

Channel:

Subscribers:

39,500

Published on December 22, 2022 3:45:02 PM ● Video Link: https://www.youtube.com/watch?v=VrF1RwnJzBk

Duration: 50:57

11,613 views

355

First time using CodeQL, trying to find an access control bug in a nodeJS application using ApolloServer for GraphQL.

My Shop (advertisement): https://shop.liveoverflow.com/

CodeQL: https://codeql.github.com/
RedEye: https://github.com/cisagov/RedEye
Reported Issue: https://github.com/cisagov/RedEye/issues/55

Chapters:
00:00 - Introduction
04:20 - The Research Question
06:40 - Getting Started CodeQL
09:24 - CodeQL for Visual Studio Code
12:41 - CodeQL Setup
16:55 - Create CodeQL Database
20:29 - Running First Query
22:26 - AST Viewer
28:36 - Create New Query
38:36 - ChatGPT Mixes CodeQL with SQL
30:28 - First Successful Query - Review Results
41:25 - Adding "Mutations" to Query
45:05 - Discovering Bug
45:56 - Proof of Concept with Burp
47:14 - Create Mutation PoC with ChatGPT
49:01 - Report Bug
50:16 - Conclusion

---

→ Twitch Subscription: https://www.twitch.tv/products/liveoverflow
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

=[ 📄 Info. ]=

Main Channel: https://youtube.com/LiveOverflowCTF
Twitch: https://twitch.tv/LiveOverflow

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/

-=[ 📄 P.S. ]=-

#liveoverflow

Other Videos By LiveUnderflow

2023-09-10	Do Hackers Need To Know Algorithms and Data Structures?
2023-04-14	I Don't Trust Websites! - The Everything API with ChatGPT
2023-03-23	Talking About my Trash Can and Haircut
2023-03-11	Attacking VSCode Extension from Browser? - Live Security Research
2023-03-09	3D Printer Researching Igus Bearings - Prusa i3 MK3S+ (part 3)
2023-03-06	3D Printer Assembly X-axis - Prusa i3 MK3S+ (part 2)
2023-03-04	3D Printer Assembly #ASMR - Prusa i3 MK3S+ (part 1)
2023-01-03	Analytics from 7 Years on YouTube...
2022-12-30	Using joern to Find GraphQL Authorization Issue
2022-12-26	Security Issue Found in US Gov CISA Tool?
2022-12-22	Using CodeQL to Investigate GraphQL Resolvers
2022-12-18	ping Vulnerability Patch Analysis (with #ChatGPT) - CVE-2022-23093
2022-12-08	Can AI Hack Websites with XSS? #ChatGPT
2022-12-05	The Most Difficult Puzzle Game - Dr. Kobushi's Labyrinthine Laboratory
2022-12-02	New Details on Commercial Spyware Vendor Variston - Revisiting Firefox Sandbox Escape
2022-07-16	A group of Minecraft hackers tried to shoot me into space
2022-03-11	Simple AFK Treasure Fish Farm Concept for 1.19 Sculk Sensor
2021-12-18	Log4Shell \| Bug Bounty Public Service Announcement #shorts
2021-12-17	How To Exploit a Heap Overflow
2021-09-12	Thumbnail A/B Test Experiment for CTR
2021-09-10	Talking about File Formats with Ange "Corkami" Albertini

Tags:

liveoverflow

live stream

streaming

electronics

oscilloscope

twitch

live overflow

ctf

it security

cybersecurity

live hacking

static analysis

codeql

graphql

nodejs

cisa

cisagov

redeye

cobalt strike