If you follow the reports of researchers who participate in bug bounty programs, you probably know about the category of JavaScript prototype pollution vulnerabilities. And if you do not follow them and are seeing this phrase for the first time, then I suggest you close this gap, because this vulnerability can lead to a complete compromise of the server and the client. Chances are that at least one of the products you use or develop runs on JavaScript: the client part of a web application, a desktop (Electron), server (NodeJS) or mobile application.

This article will help you dive into the topic of…

One of the Google Images results for the “voyager” query.

You are facing a GraphQL API and want to test its security. But the introspection query gives you a huge, unreadable JSON, the web application uses only part of the GraphQL API, and of course there is no public documentation. How do you understand and test a GraphQL API in such a case?

Luckily, there is a tool called GraphQL Voyager that visualises a GraphQL schema. It’s especially useful for understanding a GraphQL API and finding authorization vulnerabilities.

If you are new to GraphQL, here are good starting points for learning it:

  1. https://www.howtographql.com/ — takes an interactive approach with practical tasks and milestones. …

Nikita Stupin

Advanced Software Technology Laboratory, Huawei https://twitter.com/_nikitastupin
