graphql

8 articles
Sort: New Top Best
clear filter
bug-bounty622 facebook479 xss316 google174 microsoft120 rce102 apple72 csrf60 web355 account-takeover53 writeup51 exploit43 sqli41 dos36 ssrf34 cve33 cloudflare32 privilege-escalation29 defi28 malware27 node26 smart-contract-vulnerability25 idor25 subdomain-takeover24 clickjacking23 smart-contract23 ethereum23 access-control21 react21 vulnerability-disclosure21 reverse-engineering20 auth-bypass19 aws19 remote-code-execution18 lfi18 cloud17 docker17 cors17 oauth17 supply-chain17 race-condition17 info-disclosure16 browser14 authentication-bypass14 solidity14 phishing14 denial-of-service11 sql-injection11 delegatecall11 wordpress10
0
Disclose Private Dashboard Chart's name and data in Facebook Analytics
vulnerability

An IDOR vulnerability in Facebook Analytics allows users with analyst roles to access private dashboard charts by manipulating the chartID parameter in GraphQL requests, disclosing chart names and data intended only for the dashboard owner. The vulnerability exploits insufficient access control on a sub-option (chart info) within the main dashboard feature.

idor insecure-direct-object-references authorization-bypass facebook-analytics private-data-disclosure graphql access-control information-disclosure web-vulnerability
Facebook Sarmad Hassan AnalyticsChartDeleteMutation AnalyticsStoredAggregationChart
bugreader.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
0
Facebook graphql CSRF
vulnerability

A CSRF vulnerability in Facebook's Instagram Business Tools allowed attackers to execute arbitrary GraphQL mutations by crafting malicious URLs that leveraged the victim's authenticated access token, enabling unauthorized actions like creating posts with malicious content. The vulnerability exploited improper parameter handling in the /business/:id endpoint where user-controlled IDs were sent to the Graph API without proper CSRF protections.

csrf graphql authentication-bypass mutation instagram facebook web-security access-token-misuse parameter-injection business-tools
Facebook Instagram business.instagram.com graph.facebook.com BusinessToolsEntrypoint.instagram BusinessStore.instagram SyncAddMutations
philippeharewood.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
0
Sitewide CSRF graphql
vulnerability
bug-bounty csrf graphql
rafiem.github.io · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · details
0 5/10
SHOW HN: A usage circuit breaker for Cloudflare Workers
tool

A circuit breaker pattern designed to monitor and proactively limit resource consumption on metered serverless platforms like Cloudflare Workers, preventing unexpected overage charges by gracefully degrading functionality when usage thresholds are approached.

cloudflare-workers circuit-breaker cost-optimization serverless monitoring rate-limiting budget-management resource-management observability fail-safe-design hysteresis graphql
Cloudflare Workers Cloudflare KV AWS Budget Alerts Hystrix Lambda Vercel Supabase OpenAI Twilio 3mins.news
ethan_zhao · 2 days ago · details · hn
0
Header spoofing via a hidden parameter in Facebook Batch GraphQL APIs
bug-bounty
bug-bounty facebook graphql
feed.bugs.xdavidhu.me · David Schütz · 125 years ago · details
0
Access developer tasks list of any Facebook Application
vulnerability
bug-bounty facebook graphql idor
amineaboud.medium.com · Amine Aboud · 126 years ago · details
0
Path-Disclosure-In-Instagram-Ads-Graphql
bug-bounty
bug-bounty facebook graphql
philippeharewood.com · Philippe Harewood · 126 years ago · details