all InfoSec news logo
all InfoSec news - Your InfoSec news aggregator
Log in Sign up
all InfoSec news

Secure your Apollo GraphQL server with Semgrep

Add to bookmarks
Aug. 29, 2023, 1:05 p.m. | MalBot

Malware Analysis, News and Indicators - Latest topics malware.news

By Vasco Franco


tl;dr: Our publicly available Semgrep ruleset has nine new rules to detect misconfigurations of versions 3 and 4 of the Apollo GraphQL server. Try them out with semgrep --config p/trailofbits!


When auditing several of our clients’ Apollo GraphQL servers, I kept finding the same issues over and over: cross-site request forgery (CSRF) that allowed attackers to perform actions on behalf of users, rate-limiting that allowed attackers to brute-force passwords or MFA tokens, and cross-origin resource sharing …

apollo apollo graphql auditing clients cross-site detect graphql misconfigurations request rules ruleset semgrep server servers

Visit resource

More from malware.news / Malware Analysis, News and Indicators - Latest topics

Pay up, or else? – Week in security with Tony Anscombe 2 hours ago | malware.news
attack caught dilemma hard +10
Sintesi riepilogativa delle campagne malevole nella settimana del 27 Aprile – 3 Maggio 2024 5 hours ago | malware.news
cert con cui dei +2
Malware Simulators cannot test Antivirus Software 15 hours ago | malware.news
malware analysis topic
Ready2Run - Is dnSpy dead? 16 hours ago | malware.news
malware analysis topic
Security above all else—expanding Microsoft’s Secure Future Initiative 19 hours ago | malware.news
cyberattacks cybersecurity future high +11
FBI warns of email spoofing by North Korean threat actor Kimsuky 22 hours ago | malware.news
actor article dmarc domains +16
You get a passkey, you get a passkey, everyone should get a passkey 1 day, 1 hour ago | malware.news
accounts can consumer cracked +10
Attackers evade detection by leveraging Microsoft Graph API 1 day, 1 hour ago | malware.news
api article attackers cloud +15
Weird Al, Docker, OT, Gitlab, Credit Monitoring, Dropbox, Cisco, AI, Aaran Leyland... - SWN #383 1 day, 2 hours ago | malware.news
article cisco credit credit monitoring +8

Jobs in InfoSec / Cybersecurity

Post a job on infosec-jobs.com Find talent on infosec-jobs.com

Senior Security Officer

@ eSimplicity | Remote
View on infosec-jobs.com

Senior - Automated Cyber Attack Engineer

@ Deloitte | Madrid, España
View on infosec-jobs.com

Public Key Infrastructure (PKI) Senior Engineer

@ Sherwin-Williams | Cleveland, OH, United States
View on infosec-jobs.com

Consultant, Technology Consulting, Cyber Security - Privacy (Senior) (Multiple Positions) (1502793)

@ EY | Chicago, IL, US, 60606
View on infosec-jobs.com

Principal Associate, CSOC Analyst

@ Capital One | McLean, VA
View on infosec-jobs.com

Real Estate Portfolio & Corporate Security Lead

@ Lilium | Munich
View on infosec-jobs.com
View more jobs