Vulnerability: Chess.com

Community members can exchange messages, both on the website and in the app, so there is an API powering that feature and looking up user records. Unfortunately, this API exposed far more information than was required for sending a message to a user.

Resources: Damn Vulnerable GraphQL Application

[Damn Vulnerable GraphQL Application (DVGA)] by Dolev Farhi and Connor McKinnon is a purpose-built, highly insecure GraphQL application. You can use it as a playground to see some of the most frequent GraphQL vulnerabilities in action.

#api security #graphql #cheat sheet

API Security Weekly: Issue #121