Day 38/100 Hack and Improvement


Day 38 comes with some rest after a week with a couple of reports. Tomorrow, Monday, we’ll see how they got resolved; they are still in triaged! Besides that, a write-up about GraphQL and some Bill Hicks.

Stealing Addresses through GraphQL

From Rajesh Ranjan and Sam (CoffeeJunkie). GraphQL is interesting from several angles. In this case the attacker was able to steal addresses through the API, starting with the following URL query.

https://api.stg.target.com/graphq?query={__schema{types{name,fields{name}}}} (And yes, it returns all the type names and field names)

FULL writeup here.
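The query above is GraphQL introspection: `__schema` (and its sibling `__type`) hands back every type and field the API exposes, which is exactly the map an attacker needs before pulling data out. The usual fix is to disable introspection on production endpoints; while that is being rolled out, introspection attempts can at least be spotted in access logs. The following is an added example (not code from the write-up or its authors) that extracts the `query` parameter from GET requests in constructed, Apache-style log lines and flags documents that touch `__schema` or `__type`. It skips string literals and comments so a search for the text "__schema" inside a string argument is not a false positive, and it deliberately leaves `__typename` alone, since normal clients send that field all the time. The log format and host names are constructed for the example.

```python
"""Flag GraphQL introspection queries in HTTP access-log lines.

Added illustration; the log format and addresses are constructed.
Detection keys on the GraphQL name tokens __schema and __type, the only
entry points introspection has. __typename is an ordinary client field
and is deliberately not flagged.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

INTROSPECTION_ROOTS = {"__schema", "__type"}
NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def strip_strings_and_comments(query: str) -> str:
    """Blank out string literals and # comments so names inside them don't count."""
    out = []
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if query.startswith('"""', i):              # block string """..."""
            j = query.find('"""', i + 3)
            i = n if j < 0 else j + 3
            out.append(" ")
        elif c == '"':                             # regular string, honouring \" escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            i += 1
            out.append(" ")
        elif c == "#":                             # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def introspection_fields(query: str) -> set[str]:
    """Return the introspection root fields a GraphQL document uses (empty if none)."""
    cleaned = strip_strings_and_comments(query)
    return {m.group(0) for m in NAME.finditer(cleaned)} & INTROSPECTION_ROOTS


def query_from_url(url: str) -> str | None:
    """Pull the GraphQL document out of a GET request's ?query= parameter."""
    values = parse_qs(urlsplit(url).query).get("query")
    return values[0] if values else None


def scan_access_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (line_no, sorted introspection fields) for every GET that introspects."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        doc = query_from_url(m.group(1))
        if doc is None:
            continue
        found = introspection_fields(doc)
        if found:
            hits.append((no, sorted(found)))
    return hits


# Constructed sample log lines (not from any real system). Line 1 is the
# schema dump from the write-up, URL-encoded; line 4 only mentions "__schema"
# inside a string argument and must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /graphql?query=%7B__schema%7Btypes%7Bname%2Cfields%7Bname%7D%7D%7D%7D HTTP/1.1" 200 8192',
    '10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /graphql?query=%7Bme%7Bid%20__typename%7D%7D HTTP/1.1" 200 120',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /graphql?query=%7B__type(name%3A%22User%22)%7Bfields%7Bname%7D%7D%7D HTTP/1.1" 200 640',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /graphql?query=%7Bsearch(q%3A%22__schema%22)%7Bid%7D%7D HTTP/1.1" 200 90',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for no, fields in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: introspection via {', '.join(fields)}")
```

Run against the sample lines it reports lines 1 and 3 only. A GET-only scan is a floor, not a ceiling: GraphQL is usually sent as a POST body, so the same `introspection_fields` check belongs wherever request bodies are visible (a WAF, the GraphQL server's own validation rules, or the API gateway), and the durable fix remains turning introspection off outside development.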

Something else

If you’re bored and like some dark humor. Bill Hicks might be a good watch.

