Black Hat Graphql: Attacking Next Generation APIs
Provisional Chinese title: 黑帽 GraphQL:攻擊下一代 API
Nick Aleks, Dolev Farhi, Opheliar Chan
- Publisher: No Starch Press
- Publication date: 2023-05-23
- Price: $2,150
- Member price: 5% off, $2,043
- Language: English
- Pages: 320
- Binding: Quality Paper (also called trade paper)
- ISBN: 1718502842
- ISBN-13: 9781718502840
Related categories:
Web API, Information Security
In stock, ships immediately (stock < 4)
Description
Written by hackers for hackers, this hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub. Black Hat GraphQL is for anyone interested in learning how to break and protect GraphQL APIs with the aid of offensive security testing. Whether you're a penetration tester, security analyst, or software engineer, you'll learn how to attack GraphQL APIs, develop hardening procedures, build automated security testing into your development pipeline, and validate controls, all with no prior exposure to GraphQL required. Following an introduction to core concepts, you'll build your lab, explore the difference between GraphQL and REST APIs, run your first query, and learn how to create custom queries. You'll also learn how to:
- Use data collection and target mapping to learn about targets
- Defend APIs against denial-of-service attacks and exploit insecure configurations in GraphQL servers to gather information on hardened targets
- Impersonate users and take admin-level actions on a remote server
- Uncover injection-based vulnerabilities in servers, databases, and client browsers
- Exploit cross-site and server-side request forgery vulnerabilities, as well as cross-site WebSocket hijacking, to force a server to request sensitive information on your behalf
- Dissect vulnerability disclosure reports and review exploit code to reveal how vulnerabilities have impacted large companies
This comprehensive resource provides everything you need to defend GraphQL APIs and build secure applications. Think of it as your umbrella in a lightning storm.
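Two of the items above, nested-query denial of service and information gathering through introspection, come down to checks a server can run on the raw query text before executing it. The following is an added example written for this page; it is not code from the book or from any GraphQL project. It needs no GraphQL library: it strips strings and comments, counts selection-set nesting (ignoring braces inside argument lists, where input objects live) and flags operations that select `__schema` or `__type`. The sample operations, field names and the depth convention (the operation's top-level selection set counts as depth 1) are the example's own assumptions.

```python
"""Pre-execution policy checks for GraphQL operations.

Added example, not the book's code. Two checks on the raw query string:
  * max_depth: nesting of selection sets, to blunt deeply nested
    resource-exhaustion queries.
  * uses_introspection: selection of __schema / __type, which is what a
    schema-harvesting tool needs on a target that should have it disabled.
Convention used here (our own): the top-level selection set is depth 1.
"""
import re

# Block strings, ordinary strings (with escapes) and # comments may all
# contain braces that must not be counted, so they are blanked out first.
_NOISE_RE = re.compile(
    r'"""(?:\\.|[^"\\]|"(?!""))*"""'   # block string
    r'|"(?:\\.|[^"\\\n])*"'           # string literal
    r'|#[^\n]*',                      # comment to end of line
    re.S,
)
# Only braces, parentheses and names matter for these two checks.
_TOKEN_RE = re.compile(r"[{}()]|[_A-Za-z][_0-9A-Za-z]*")

# __typename is harmless; the two root introspection fields are the ones
# that expose the schema.
INTROSPECTION_FIELDS = frozenset({"__schema", "__type"})


def tokenize(query: str) -> list[str]:
    """Return the braces, parentheses and names of a query, noise removed."""
    return _TOKEN_RE.findall(_NOISE_RE.sub(" ", query))


def max_depth(query: str) -> int:
    """Deepest nesting of selection sets in the operation.

    Braces inside an argument list, e.g. `where: {status: "x"}`, are input
    objects rather than selection sets and are skipped. Fragment spreads are
    not expanded, so run this after the server's own validation, which
    rejects fragment cycles.
    """
    depth = deepest = parens = 0
    for tok in tokenize(query):
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens = max(parens - 1, 0)
        elif parens:
            continue                      # inside arguments: ignore braces
        elif tok == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif tok == "}":
            depth -= 1
    return deepest


def uses_introspection(query: str) -> bool:
    """True if the operation selects __schema or __type anywhere."""
    return any(tok in INTROSPECTION_FIELDS for tok in tokenize(query))


def check_operation(query: str, max_allowed_depth: int = 5,
                    allow_introspection: bool = False) -> list[str]:
    """Return the policy violations for a query; an empty list means it may run."""
    problems = []
    depth = max_depth(query)
    if depth > max_allowed_depth:
        problems.append(f"depth {depth} exceeds limit {max_allowed_depth}")
    if not allow_introspection and uses_introspection(query):
        problems.append("introspection is disabled")
    return problems


def nested_query(levels: int) -> str:
    """Build a constructed deeply nested query, the classic resource-exhaustion probe."""
    body = "id"
    for i in range(levels):
        body = f"node{i} {{ {body} }}"
    return f"query {{ {body} }}"


# Constructed sample operations (not captured from any real target).
BENIGN = """
query GetUser($id: ID!) {
  # a comment { with a brace }
  user(id: $id, where: {status: "active { braces } here"}) {
    id
    posts(first: 10) { title }
  }
}
"""
INTROSPECTION = "{ __schema { types { name } } }"

if __name__ == "__main__":
    for name, q in [("benign", BENIGN), ("nested", nested_query(12)),
                    ("introspection", INTROSPECTION)]:
        print(name, "depth", max_depth(q), "->", check_operation(q) or "ok")
```

A production deployment would sit as a validation rule in the server's GraphQL library rather than as a string scanner, so that fragment spreads and aliases are resolved against the parsed document; the string-level version is what a tester can run quickly against captured requests to see whether a target enforces any depth limit or still answers introspection.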
About the Authors
Dolev Farhi is a security engineer and author with extensive experience leading security engineering teams in complex, large-scale environments in the fintech and cybersecurity industries. He is currently the Principal Security Engineer at Wealthsimple, building defenses for one of the fastest-growing fintech companies in North America. Dolev has previously worked for several security firms and provided training for official Linux certification tracks. He is one of the founders of DEFCON Toronto (DC416), a popular Toronto-based hacker group. In his spare time, he enjoys researching vulnerabilities in IoT devices, playing and building CTF challenges, and contributing exploits to Exploit-DB.
Nick Aleks is a leader in Toronto's cybersecurity community and a distinguished, patent-holding security engineer, speaker, and researcher. He is currently the Senior Director of Security at Wealthsimple, leads his own security firm, ASEC.IO, and is a Senior Advisory Board member for HackStudent, George Brown, and the University of Guelph's Master of Cybersecurity and Threat Intelligence programs. A founder of DEFCON Toronto, he specializes in offensive security and penetration testing and has over 10 years of experience hacking everything from websites, safes, locks, cars and drones to smart buildings.