Quick win with GraphQL
GraphQL provides a powerful query language for APIs and we can abuse some built in features to map out the attack surface.
A few assessments back I ran into a web app that made liberal use of websockets. Now it’s been a while since encountering an app that makes use of websockets for such a large portion of its content, and I’d forgotten what a PITA it can be trying to intercept and replay websocket requests. Seeing as it was a web app assessment, I naturally turned to trusty Burp Suite Pro. Burp has supported websockets for a long while now, but as far as I could find, this support only allowed you to intercept websocket requests and view/modify them....