An example of a GraphQL schema, containing object types, a Query type, a Mutation type, a Subscription type and a Schema type, with all the explanation needed. | Zero Day Hacker
OK, so this is really a ‘note to self’ article that I’m keeping here for future reference. But this will hopefully also help you understand the difference between the query parameters and path variables in Postman and how to use either of these two options. I recently got stuck in an API challenge on root-me.org... (Excerpt from the post “Understanding query parameters and path variables in Postman”.)
This is a walkthrough of the VAmPI vulnerable API. Use it to test your API hacking skills. This walkthrough shows you how to tackle each task, step by step.
This is a walkthrough of crAPI (a.k.a. completely ridiculous API), a well-known deliberately vulnerable web application and API, which you can use to train your hacking skills. crAPI has evolved over time, so this will walk you through the latest version of the app (as of February 2024), including the new and updated challenges. Another distinctive... (Excerpt from the post “crAPI walkthrough using AI”.)
GraphQL is a query language that you can use to interact with an API. GraphQL allows you to write your own queries that will bring back specifically the info you want from the GraphQL server’s database (within the boundaries of what the API provider wants you to see, which is defined in the schema). From... (Excerpt from the post “What is GraphQL?”.)
Using AI is a great way to accelerate the discovery of vulnerabilities in an API. There are now many different ways of integrating AI into your game. One of my favorites is using Postman’s Postbot feature. Postbot writes full test scripts from a simple AI prompt. Use this in conjunction with Postman’s collection runner and... (Excerpt from the post “Using AI to find API bugs”.)
Here is a quick and easy way to test if an API endpoint is vulnerable to a Server Side Request Forgery (SSRF) attack. To do this, we can use a website called webhook.site to simulate a payload. What is SSRF? We want to test for SSRF whenever we come across an API endpoint that fetches... (Excerpt from the post “Testing for SSRF in an API”.)
To fetch or modify information through a GraphQL API, you need to write a request in a formatted way that follows a set of rules: it needs to be a JSON object and it must match the structure of the API’s schema. Also, if GraphQL objects are the containers that give structure to the API,... (Excerpt from the post “Writing a GraphQL query”.)
Three different operation types can be used to send requests to a GraphQL server: queries, mutations and subscriptions. Let’s look at them one by one. Queries: The query operation is used when we want to retrieve data from the GraphQL server. You could compare it to an HTTP GET request in RESTful APIs. In the... (Excerpt from the post “GraphQL queries, mutations and subscriptions”.)
Every language needs a grammar. If GraphQL is the language you can use to talk to an API, the GraphQL type system gives you the grammar that will make sure your queries are properly formatted and understood. Just like a programming language, GraphQL relies on types to define and describe every element you will find... (Excerpt from the post “What are GraphQL types?”.)