Using joern to Find GraphQL Authorization Issue

LiveUnderflow · Beginner · 🔧 Backend Engineering · 3y ago

Key Takeaways

The video demonstrates how to use joern to find GraphQL authorization issues in a codebase, using its Scala-based query language and the code property graph it stores in a custom graph database. It also shows how regular expressions in the name, code and file filters, AST traversal steps (astParent, astChildren, isCall) and the where/whereNot steps are combined to identify Query and Mutation decorator calls that have no Authorized decorator beside them.

Full Transcript

A friend of mine is working, actively developing joern. I guess if he would know that I use CodeQL he would be very disappointed and angry at me, because he says CodeQL is [ __ ] and joern is the cool [ __ ]. And so now, having a CodeQL example, let's see if we can do the same thing with joern. I know nothing about joern, so let's go, start, go over the documentation.

All right, here's the research question. Okay, there are different ways to test for access control issues, right? But we have here the source code, and it would be very helpful for me to very quickly run a query that figures out all GraphQL resolvers that do not have, for example, the authorization check. This is a research question I have. I can even do it by hand, like that's what I would be doing by hand. Okay, there are just a limited amount of resolver files, okay, they're like a dozen or so, maybe 20 or I don't know how many; there are not that many, right? I can do this by hand. I can open this one and then I can go through quickly: okay, this has it, has it, has it, has it, has it, has it, has it. Let's go on to the next one: has it, has it, has it, has it, has it, right? But I'm looking for one where they maybe forgot it. With that it could be a bug, it doesn't have to be a bug, right? There are often also resolvers where you don't need to be authorized because it carries some public information or so. It feels like if I could learn some basic CodeQL, maybe it's very easy for me: give me all resolvers where there's no authorization check, and then I can go over the few that I found to see logically if there's a bug or not, you know, is this meant to be public, or was this forgotten?

"Welcome to the documentation of the code analysis platform joern. For a high-level overview please check out joern.io. joern is a platform for robust analysis of source code, bytecode and binary code. It generates code property graphs, a graph representation of code for cross-language code analysis. Code property graphs are stored in a custom graph database. This allows code to be mined using search queries formulated in a Scala-based domain-specific query language. joern is developed with the goal of providing a useful tool for vulnerability discovery and research in static program analysis."

So immediately I guess we can compare it a bit to CodeQL, just, you know, to make maybe this transition. I mean, not that it's like a transition, it's not like I'm experienced with CodeQL, but for me, you know, it helps to kind of compare the similarities and differences. So first of all, the supported languages are kind of similar. However, you know, it does have, based on Ghidra, you can even work on assembly, you can even work on JVM bytecode directly. There's also JavaScript. I do wonder if TypeScript will be an issue for us, because the source code is actually TypeScript. So if that would be an issue then we have a problem already, but then we will find another example to work with. And then also this graph is stored in the custom graph database, so that's kind of the same with CodeQL as well, which might be a confusing step: why can you not just search immediately on the source code? In order to make this actually performant, because these kinds of languages are very expensive, you first analyze all the code and it creates a database that you can then use the query language on to ask about certain properties. So it's not like grep or just searching over the source code directly; you first turn your code into a different format, with all the relationships and all that stuff, that you can then query. And then also I know already that joern also offers a Scala-based language, a shell, that you can more dynamically query and work with. I found it a bit annoying with CodeQL: you write your query and then you need to run it, it needs to be compiled and then you're waiting and then it resolves. I don't know how fast joern is, but it's like an interactive Python shell kind of thing, you know, where you can then start to write your queries, which for the purpose of security research on a specific code base is nicer, I feel. CodeQL, the idea behind CodeQL is more with the motivation of GitHub, which is like large-scale scanning across whole GitHub, like scanning all repositories on GitHub or something like this, because you develop a query and then it gets compiled and everything is very efficient and architectured in a way that this query is then used by tons and tons of projects. While for me personally, I more work on individual programs; for me it's more like, okay, I have this question about the code that I want to have answered quickly, and CodeQL is maybe a bit too slow for this iterative process. And so I hope that with joern this kind of iterative research process says, where, oh right, there's this function, let me quickly write like in the shell, bam bam, and then I have the result. That is kind of my hope, but no clue if it can fulfill this hope.

Installation: install pre-built binaries. So do we want to use pre-built binaries or do we want to take GitHub? How far behind are the releases? So the last release was two hours ago, okay, eight hours ago, 20 hours ago, yesterday, okay. It looks like the releases are constant releases, so let's use the pre-built stuff. Okay, so we get the install script, we make it executable and let's install it. Enter for the latest version, let's go. Oh well, this is downloading. Should we check the statistics on the video? Distraction over, distraction over, let's go back to joern. How long was this detour? Now at least it installed, completed. Okay, so it's in bin/joern and we can test our installation. Okay, joern. Okay, building from source code, we don't need that. Configuring the JVM: I guess we can give it a lot more gigabytes, because like how much did I... I gave it a lot of gigabytes to the VM, so we can set these Java options as well to 20 gigabytes, that might help.

All right, quick start. Here they do an example with a C program, but we want to try it out on the Node.js stuff, so let's see if we can just call importCode on our project. So where was our project again? So this is our import path, and let's see if the import path, then project name "redeye", let's see if that... okay, this failed. Okay, I just... oh, I forgot the quotes around the path here. There we go. Oh okay, is this error problematic? What is this? It couldn't generate a CPG for cache.ts. So just to understand why this failed, maybe let's see what this cache file is. It's a cache node entity, cache manager. Okay, is that just a type definition, or is it just a class? It does have some code in here, so I guess it's a bit unfortunate that it failed to read this file. But I'm also kind of curious where this is used. Oh, it's not used anywhere apparently. Cache manager, okay, the cache manager is used in here, yeah. I don't know, like this could be maybe a problem, but maybe not if this function couldn't be parsed; as long as it's kind of forgiving and was able to still do a lot of the other stuff, that might not necessarily be problematic. But of course it would suck if it includes... if you would want to research something about this cache stuff, obviously I guess now this would fail. "key not found: name", NoSuchElementException, "key not found: name". So I wonder, "name" doesn't show up in here, so the error might be more related to something else, like from the parser code itself. So it's not like something I thought, maybe we can add a name property or something. Let's move on. Okay, but in the end it seemed to have worked. We apparently have a graph with 27,000 nodes. So how do we work now with this? Querying the code property graph, CPG, code property graph.

Okay, we have these many nodes. "You are ready to analyze your first program using joern and the code property graph. Code analysis in joern is done using the CPG query language, a domain-specific language designed specifically to work with the code property graph. It contains practical representations of the various nodes found in the... The top-level entry point into a code property graph is `cpg`. If you evaluate..." Yeah, okay. "Rest assured, a lot is hidden behind that simple statement. You will discover the full set of commands in time, but for now you should learn a helpful joern trick: tab completion. In the joern prompt, type `cpg.`, do not press enter, but instead press tab." Okay, `cpg.` and then we can see what all of it is available here. Tab completion as well for all query language directives and top-level commands; for more descriptive assistance use the help command. "Now that we have a good set of basic commands and a code property graph loaded into memory, let us return to our program and the problem we want to solve using joern. To reiterate, the problem statement is: show that an input exists for which the program always writes a string to standard error. There are two parts in the problem statement: one, does the program write anything to standard error, and two, if there is a call writing to standard error, is the condition or the value path in the argument, what is the condition? joern makes answering both questions easy. To answer the first one, whether the program writes anything to standard error, we can search for nodes of type call and then use the argument step to only select those calls which have a connection to nodes of type argument, followed by `.code("stderr")`, which selects only those nodes that have the string stderr as the value of the code property."

So I wonder, can we... so I do want to know how decorators show up in here. I guess they are functions. Alternately, I guess here we talk more like, oh, are there decorators in there, but decorators I feel like are something language-specific, and this code property graph seems something more general: whatever you use, anything ends up as a code property graph. So I assume decorators would be functions as well, so something language-specific like... there's a for block... so I guess we are also looking for calls. So here the CPG was: we look for calls and then arguments where the argument contains stderr. Is this correct? So we look for calls where one argument contains stderr. Okay, so I guess if we do try to replicate the CodeQL statement, we want to maybe find all the decorators, or the function calls, with the name "query". So I wonder, can we do `call` and then can we check if the name is "query"? How do we know if we found something, like if this query is now empty? Oh, `toList`, we can call `toList` on it. It's an empty list, so this didn't work. However, the decorator also has an @ before it; does that... it's also an empty list. Okay, let's let it list all calls. Okay, there are a lot, but maybe we can get an idea of what the names are. By the way, can we do like list and then only get a limit or something? `toList` 5? I guess this is the fifth element, but this is still helpful, because I just wanted to see what the properties are, like what to select from `call`. The `code` is like an actual string of the code that this part represents; like this is a pretty ugly one, but here for example the require crypto, I guess import code for example, and then we have a method full name and name. Ah, name is more like field access. Ah, so this reference, like `this.encrypt`, so this is a field access and this is the name. So I guess the more hacky way, which is okay, I guess if we do `code` and then say "query" `.toList`, what does it show? It's still empty. Let's open one of these resolvers. Why? So if we look at all calls or anything, there's a call. Why is a field access a call? It's less like a get... get this field, is that why it's a call? It's like static dispatch in here is definitely a call, I guess, fine, for example. So if you do `code("find")`, what do we find? Then it's also empty. Okay, if we find "crypto"... oh okay, I guess this is very strict, it's not a fuzzy string match. How can we do a fuzzy string match? "`cpg.file` gets you everything in that file." You are right, that's a good way to think about this, because then we can see what's in there and then we can explore it. This is the file and then `.toList`. Okay, maybe I misunderstand how this works, why is this now also empty? Oh, the full path, but I don't know what the full path is relative to. What, okay, I guess relative to source. So we can do this, but there must be also like a fuzzy string match, right? All right, okay, we found one file, and now in that file we look for all calls. Okay, no, that failed, `call` does not exist. I was hoping if we have now the file selected, now we can only select all the calls for that file, but I guess that's not how it works. Maybe there's a getCalls or something, or getChildren, or collect; I mean, collect or something like that could maybe do it. Okay, then maybe that's not the way how to do it. I want to figure out if there's a fuzzy string match, so maybe they mention it here. `astParent`, okay, that's also good to know. Let's scroll here a little bit over, maybe traversal basics. Method, oh, there's also `method`; maybe `method` makes more sense for JavaScript. "This query returns all names of methods present in the code property graph and can be dissected as follows." Like this is maybe again better for... nice, all the methods. Now it's not sorted; I just quickly want to scroll over, because maybe we can find some useful stuff similar to `toList`, maybe there's a way to sort it in a certain way or filter it. For example I would like to know if there's a fuzzy match, because you can do things like here, for example, you can get the file by this name. How can I, if I don't know what the exact path is, is there still a way to do this, or could I get all the files that have "resolver" in the name? Because this can be useful, because usually all the GraphQL resolvers have a file name based with resolver. Is there like a fuzzy match where I can say this is contained in that string or something like this? That would be kind of useful. "Add a wildcard to the file name." Okay, that's a good point, let's try it. Okay, this... oh, it's a regular expression! Okay, that makes things of course easy. There we go, we find all the files that have "resolver" in them. Nice.

So let's go back to this other example. That's good to know that these are regular expressions, that's of course very powerful. Let's go back, because we looked... I thought maybe because these decorators are function calls, right, I guess, I don't know, so I imagine they might be turned into call nodes. So I wanted to search for calls that are called "query", but it's empty. So maybe, you know, maybe it has the parentheses to it, or maybe it has the @ in front of it. So maybe, yeah, with fuzzy... okay, no. Okay, we found now these function calls here that have "query" in the name, but these are not the decorators. But okay, so these are actual function calls now, it's good to know, `call` resolved that. But the thing is again, we don't know how the backend turns a decorator into this graph database. So yeah... do you hear the barking outside? Some dogs have a lot of fun right now. "Instead of a call they are annotation nodes." That sounds reasonable, that sounds like a reasonable guess if there is such a thing as an annotation node, but I assume you tell me because there is one. Okay, there's an `annotation` node. We can also do a `toList` to see... index out of bounds, okay, there are no annotations, I guess it's empty. Maybe it could be easy to just look for... it is probably an identifier, right? Lots of things are identifiers, but so we can't find... let's... so here this `require` for example is an identifier. So let's see if we can find an identifier that is called "query". This is the type hint, so this might actually be one of those query... query orders... obviously not what we are looking for, but they are really called... okay, these are type hints, type-graphql queries. So this is definitely the correct Query and they are really called Query. How does regex work? I want to do an or. Is that how you write a regex, or no? Right, did this work? No... it worked, that's how you write the ors apparently. Okay cool, so now we find all mutations and all queries. Let's see, can we do `.file` to find all the files where they are in? Now we find all the files where these identifiers are from, and we can see they are all referred to these resolver files, so that is obviously absolutely correct.

So in CodeQL these decorators were on the same AST level, in the abstract syntax tree they were on the same level, so they were basically siblings to each other. So to check if there's an Authorized decorator we went from the Query to the parent and then we looked if any of the children were Authorized. I guess if you do `astParent`, or, I said, do they maybe even have `astSibling`? `astChildren`, `astParent`, no. Okay, so we go up to the parent. So what do we get now, what is the parent of it? So here's an assignment: query, mutation, query, require... no wait, these are the wrong ones, right? No wait, `var ... = require`, oh, these are... is this the import then? Is this line turned into this here? I guess so. I guess this compiler or transpiler or whatever somehow turned this into these import statements. So actually we don't want these import statements; maybe we don't want `identifier` then. Okay, let's see what else do we have: identifier, if block, imports, jump target, label, label and property, I don't know what is a label. "Do you have to also analyze the transpiled JavaScript, or could it be easier to just look at the TypeScript source code?" I mean, the code that is in here that joern used, joern used something to parse the code. This is the code here, right? Yeah, so I don't want to look at the transpiled JavaScript, I'm looking at the TypeScript code here. But I guess maybe you're right, maybe we should... how do you look at... I don't know how TypeScript works, is that how it works? TypeScript is transpiled to JavaScript, is that how it works? So is there a way to easily get the transpiled version of that? "Check out the dist..." Yeah okay, yeah, makes sense. Oh my gosh, am I dumb? Of course, TypeScript is transpiled to JavaScript, because in the end of course you have to, for example, run it with Node.js or in the browser, of course it transpiles to JavaScript. I'm such an idiot. Just wait, are we in the correct application? server/src, and then we have here resolver. Is that like a beautify, prettify? There we go, okay, now we see these require calls, that's of course very useful. So where in here does the Query show up? Decorate... oh, there's a `decorate` function apparently. And where's that closing? What, that's weird, it goes up until here. Well, it should, okay. But I guess this helps a bit. So we should find it with `call`, right, because it's clearly a call here. But this also makes it very difficult to find the auth... oh no wait, okay, these are separate. Where does one end? Okay, this is the end of the Query and this is the other parameter. But I feel like these are all separate, right? These are the three; if you look in the beacon resolver, the other three, yeah, there are these three. Okay, and then they are like... okay, so if we would have Query and Authorized, so Query, that's really... oh, it's another... okay, so `decorate` gets passed a list including their decorators. So this is a list: the first one is Authorized and the second is Query. So if we find this correct Query call we could probably go to the other argument... no, not arguments, to the list that contains all of that, and then we check if Authorized is also in the list or not. I guess that's the way to do it. But why does this not show up as a call? `function` is not something that exists, so it should be `call`. Let's try it, maybe I did something wrong earlier. So if we do like "query"... no, we find these `createQueryBuilder`. We need to look for a function arg that is a list and then a list value to match the Authorized. That would be definitely the way: maybe we go look for `decorate` and then we go into the argument, which is the list, the first argument. That is one way, but I don't understand why we cannot look for this function `Query` and then go out, because `decorate` might be used in other things. Like, it's a graph, right, somewhere we enter this graph and then traverse the different nodes, and whether we come in from `decorate`, go then to its argument and then the list inside of it and then the decorators, shouldn't be different. Maybe there's a performance difference; I don't have intuition about querying a graph, where one way is definitely better than the other, I don't know. But I would assume for this small program it's probably good enough. But yeah, I guess it still could be a good test to see if we can find all the `decorate` functions. Also an empty list. There are no calls, so maybe we misunderstand what `call` is for. What else could it be though? `method`, maybe it's `method`. There are no queries, no decorator either. "That's the TypeScript compiler though, shown by the import thingy getting transpiled; might be happening because CJS versus ESM imports are both JavaScript related." So if we look into the joern documentation, in the supported languages it says here that it uses GraalVM for the JavaScript. So don't ask me what this does. Okay, there's a GraalVM JavaScript implementation, it's an ECMAScript-compliant runtime, it's standard compliant, so it uses that. Let's see, GraalVM TypeScript, maybe we can learn what it does. It doesn't immediately show up about TypeScript, so I don't know, I don't know how it works. "GraalVM is one of the worst ECMA implementations apparently." Yeah, well, I mean there are not that many, I guess, and joern is based on Scala, so I guess they chose a Java backend that more easily integrates with what they already have. It is however already turning me a bit off from using it more, because I'm reading the TypeScript of course, and seeing how crazy TypeScript is then transpiled to this kind of JavaScript, I mean, or even Node.js, I guess, decorators, oh, how decorators I guess are compiled. It obviously makes it... now I look at the code, now I need to reason about how it was compiled, you know, it makes it a bit... it's not necessarily a problem if I can easily traverse the graph in here and kind of figure it out. "But yeah, you might have to feed it the compiled code for it to work properly." Look here, this `var ... = require("graphql")`: there is no... I don't think that there's like... there is no `var query = require`. So this already uses compiled or transpiled, I don't know what it did behind the scenes. So they use this backend to parse the code and, I don't know, pull out all those nodes and graph connections and so forth, and then import it into that database, into a graph database. And it could be because, you know, the support is considered medium maturity, it could be that on this kind of TypeScript stuff, I don't know, it's losing all of that; maybe the decorators are just gone, maybe they are just not in the database. I wonder how we could figure that out. "Yeah, I have the feeling it only registered JavaScript stuff; when it runs into decorators, which do not exist in JavaScript, it might just skip over them." Yeah, some stuff like this could definitely happen. I wonder if there's a way how I could figure that out, but we could do `all`, which probably should give us all the nodes, but it's very long. And so I want to figure out how I can pipe that into a file and then grep over it. So let's maybe... I guess `cpg` to load... oh, we should have saved that graph somehow. Okay, my history doesn't go as far back anymore, crap, maybe I should have taken notes. So again, if you execute it like this, did it maybe remember the whole history, or are we [ __ ]? Oh, it remembers, okay cool.

"Another option could be to transpile the TypeScript to JavaScript and then scan it, basically scan the dist folder." Actually, let's try that. We can, I guess, scan over the dist folder. So instead of this input path to importCode, I guess we could target the dist folder, or copy path, okay, and then "redeye-js" maybe. "The docs only list JavaScript support." Yeah, okay, now we also found a lot more nodes. I guess it makes sense, because they are two, like one is compiled and one not. Okay, `cpg.call` and then we look for "query". Okay, so here's the query, here's the query, so these items and list, yeah, this is definitely, these are definitely type-graphql, these are definitely those calls to Query. If we now go `astParent`: push. Are these all these push? I mean, makes sense, because adding to an array is a push. I don't know where this code is coming from, but I guess these are these array pushes. Crap, I thought we would maybe get... does anybody know internally in JavaScript, when you define a list like this, the actual internal... the EVM or whatever, oh no, not EVM, but I don't know, the JavaScript VM or so. I guess it depends on how GraalVM does it, right? It's very likely that if it encounters something like this it compiles it to an internal bytecode. Yeah, so it could very well be that that's also in the bytecode, in the internal VM or whatever, I don't know whatever it's called, in their JIT compiler maybe, I don't know; it's then turned into pushes, which is of course annoying. I guess there's a way to find all the other pushes if we go, I don't know, wait. Ah okay, here now we have the list, an array sequence. This is the code block; what was it before? It was the call. Okay, now we have a code block, and this code block is actually this whole list. Cool, that's actually pretty good. So if we now do `astChildren`, and then `astChildren` again, now we should have the calls again. So in there should also be these other decorators then showing up. Yeah, so here's the Query for... okay, maybe I scrolled too high, I'm not sure. Okay, yeah, so in there are the other ones as well. And now we want to do like, not have something like... I don't know, can we somehow get all the calls? We tried this earlier, right, from `astChildren`. "It's an AST node, not a function you can use." Okay, so it does find calls, but can we somehow say I only want the calls? There must be a way, because now `astChildren` gets us all the different literals, calls, all the different types, and we only want to restrict it to only the calls. So maybe like type call or something? It's `isCall`. Oh, it's `isCall`, seems more like to be used as a response. Okay, this gets really just all the calls, nice, thank you. In my head I thought, okay, it checks for each of them if it's a call or not and then it will return us basically a list of booleans, true or false. Okay cool, so we have our calls, and now I guess there was something like not contain, or no... I feel like this is wrong, I'm not sure if this logic is the correct logic to build this graph. If you do like `not`, this `not` wants a parameter; does it want a string? Type mismatch, it wants something else. So it's not... so you would do maybe `cpg.call` and then you say not "authorized", like, no, type mismatch. Okay, I thought maybe we get now all the Authorized and we make sure that this call is not one of those calls in that graph, but maybe not. `in`, is that like a not in or something? Okay, maybe I should pull up some documentation about this. Okay, if we would have continued reading over this kind of stuff we would have learned that there's regex, `code`, `not`. Okay, so it's `codeNot`. Is there maybe a `nameNot`? No, okay. Oh, `codeNot` takes also a regex, yeah. I don't know, like even if we say it's not also Authorized; if you say this here, all the calls that are not Authorized, that are not called Authorized, right, like we select all the Queries, we go up to the parent, we go down to the children and then we get all those that are not Authorized. That is not the answer to our question. Somehow we want to get all queries but their parent... like, I feel like the logic is a bit different. Okay, here's a filter. Okay, so here they filter all calls, so they take the node and then filter. This is more like what we want. So we would want to do `filter`, and then we would get the call; if we go into the parent and the parent and then the AST children and then the calls, and now we want to say does not contain. Now how can we say, does this return a value, or like there's `count`, does this return the value and then we do like count equal to zero, is that it? No, it's empty. "Can you just check that the set is empty?" Yeah, that's what I was hoping for. Let's see, let's do `cpg.call` query and then `count`, if that returns what we want: a list with 24. Can I do like equal to zero? Equal to 21: false. Okay.

"Just like filter, the where step is a filter step." The documentation, right, my friend, that's why I use this kind of emoji gun. "...which continues traversal for all nodes which pass its criteria. The expression representing the criterion takes in one argument that represents a traversal of the previous step. It returns another traversal that includes all nodes from the previous traversal for which the criterion returns a non-empty traversal. So if you'd like to query the program again for our call nodes which have exit as the value of their name property and return the value of their code property in a list..." So here they did filter, node name is exit, and we got the call to exit here, here we got both calls to exit by filter and then `.code`, and then down here this is the same output. Somebody wrote this output by hand! Look at here, the capitalization of the else; somebody copy-and-pasted or wrote this by hand, bro. "where doesn't check for boolean, unlike filter, right?" Oh, you're right, filter wants a boolean, while where... if it returns a non-empty traversal. So I guess that is actually useful for us, because let's see, if we do like call query and then parent, parent, child, can we get all Authorized like this? Okay, this is already a problem; it's two layers, because we went also two layers up, so I should do like this. Also empty. Did I misspell Authorized? Okay, so there are... okay, maybe I should do a fuzzy match. What if I remove one layer here? It catches these pushes instead. Why did then this call match everything but this call not? So if we do like this and then `.file`, we get all the files that have Authorized, so there should be no operator resolver in here, and that is correct. Okay, so kind of like then we almost got it. So if we do now `cpg.call` query, `where`, we get the Query, and then we check if that returns something. Oh, if you do the underscore it's not an arrow function. There we go, `.l`. Now we find a few... or we found... we find way too many, way too many. Oh, we need to do the inverse, right? `where`... oh, `whereNot`. Huh, we are not parsing... yeah, there we got it. Is that like unique, union? Oh well, it's good enough. Nice, so now we found the two files, the operator resolver and the progressor solver, that don't have the Authorized... I also want to have nicer output, I want to now just get the string or something so I can copy and paste it over to my notes document, you know. But that was pretty cool. I mean, so my problem, especially like this TypeScript/JavaScript... okay, I guess maybe it's time for a conclusion or something. We had a research question; the research question is...
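The final query from the stream, reconstructed as an added example; this is editor-added code, not code from the video or from the joern project. It assumes the CPG was imported from RedEye's transpiled `dist` folder and that, as seen in the stream, each decorator factory call (`Query`, `Mutation`, `Authorized`) sits under a `push()` call under an array block, so the regexes on the call names are assumptions as well.

```scala
// Added example, not code from the video: the final joern query reconstructed from the
// transcript, as typed into the joern shell. Assumptions: the CPG was built from the
// transpiled output, e.g. importCode(inputPath = "<path-to-redeye>/dist", projectName = "redeye-js"),
// and TypeScript decorators were compiled to __decorate([Authorized(), Query(...)], ...),
// so in the graph each decorator call sits under a push() call under an array block.

// name(), code() and cpg.file.name() take regular expressions; file paths are relative
// to the import root, which is why the exact-path lookup in the stream came back empty.
cpg.file.name(".*resolver.*").name.l

// Use def, not val: a traversal is consumed when it is evaluated, so a val would come back
// empty the second time it is used, while a def rebuilds it from cpg on every use.
// Anchor the regex: a bare name("query") also matched calls like createQueryBuilder.
def graphqlFields = cpg.call.name("(?i)^(query|mutation)$")

// From one decorator call to its sibling decorators, two levels up and two levels down:
// call -> push() (astParent) -> array block (astParent) -> push() calls (astChildren)
//      -> their arguments (astChildren) -> keep only call nodes (isCall).
// Sanity check: Authorized should appear in this list of decorator names.
graphqlFields.astParent.astParent.astChildren.astChildren.isCall.name.dedup.l

// where keeps a node when the inner traversal is non-empty; whereNot is the inverse.
// Result: Query/Mutation decorator calls with no Authorized decorator beside them.
def unprotected =
  graphqlFields.whereNot(
    _.astParent.astParent.astChildren.astChildren.isCall.name("(?i)^authorized$")
  )

// The resolver files to review by hand (is the field meant to be public, or was the
// check forgotten?), and the exact decorator calls to paste into the notes document.
unprotected.file.name.dedup.l
unprotected.code.l
```

If the CPG was built from the TypeScript sources instead, the decorators do not show up as call nodes (the stream found only `identifier` nodes for them), so the traversal above only works on the transpiled JavaScript.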

Original Description

My Shop (advertisement): https://shop.liveoverflow.com/
We explore joern for the first time to write a query that can help us find a GraphQL authorization issue.
Using CodeQL to find the same issue: https://www.youtube.com/watch?v=VrF1RwnJzBk&list=PLGPckJAmiZCR3BIPhpmOL3l0wC6hBCk6W&index=1
Watch the Series: https://www.youtube.com/playlist?list=PLGPckJAmiZCR3BIPhpmOL3l0wC6hBCk6W
joern: https://joern.io/
RedEye Repository: https://github.com/cisagov/RedEye
→ Twitch Subscription: https://www.twitch.tv/products/liveoverflow
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
Chapters:
00:00 - Intro
00:31 - Recap: Research with CodeQL
01:51 - Setting Up joern
07:00 - First Tests with joern
15:31 - Realizing We Can Use Regex
20:06 - TypeScript vs. Transpiled JavaScript
21:25 - decorators in Transpiled JavaScript
35:23 - Building the Query
37:24 - Outro
=[ 📄 Info. ]=
Main Channel: https://youtube.com/@LiveOverflow
Twitch: https://twitch.tv/LiveOverflow
=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Website: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/
=[ 📄 P.S. ]=
#liveoverflow


This video teaches how to use Joern to analyze code and identify GraphQL authorization issues. It covers the use of Joern's query language, code property graph analysis, and regular expressions to find unauthorized calls and decorators. The video is suitable for beginners and provides a practical introduction to code analysis and security research.

Key Takeaways
  1. Install Joern using pre-built binaries
  2. Configure Joern's JVM options
  3. Import code into Joern for analysis
  4. Use Joern's query language to find GraphQL authorization issues
  5. Analyze the abstract syntax tree (AST) to check for authorized decorators
  6. Identify the parent and children of a node in the AST
  7. Use regular expressions to find files with specific patterns
  8. Implement filter and where steps in Joern
💡 Joern's query language and code property graph analysis can be used to efficiently identify GraphQL authorization issues in a codebase.

Chapters (9)

0:00 Intro
0:31 Recap: Research with CodeQL
1:51 Setting Up joern
7:00 First Tests with joern
15:31 Realizing We Can Use Regex
20:06 TypeScript vs. Transpiled JavaScript
21:25 decorators in Transpiled JavaScript
35:23 Building the Query
37:24 Outro