Welcome on board 👋

API Security Academy provides hands-on, interactive lessons covering common GraphQL security vulnerabilities and the practices that prevent them. Everything runs directly in your browser, with nothing to install.

Each lesson is built around a WebContainer containing a live GraphQL application, so you'll not only understand why a vulnerability is risky, but also how to exploit it and, most importantly, how to fix it.

Feel free to jump in and start your first lesson. Happy learning! 🔒

Lessons

Prevent Mutation Brute-Force Attacks
Category: Access Control | Difficulty: Easy | OWASP: API2:2023
Understand how to mitigate brute-force attacks targeting GraphQL authentication mutations for enhanced security.
by Escape

Implement Object-Level Authorization
Category: Access Control | Difficulty: Easy | OWASP: API1:2023
Master the essentials of object-level authorization for secure data access and improved application security.
by Escape

Disable Debug Mode for Production
Category: Information Disclosure | Difficulty: Easy | OWASP: API7:2023
Explore the importance of turning off debug mode in a production environment to safeguard against unwanted information disclosure.
by Escape

Combat SQL Injections
Category: Injection | Difficulty: Easy | OWASP: API8:2019
Delve into the mechanisms of SQL injections, how to exploit them, and the strategies for preventing this enduring vulnerability.
by Escape

Limit Query Complexity
Category: Complexity | Difficulty: Easy | OWASP: API4:2023
Discover techniques to restrict expensive queries using GraphQL Armor, enhancing performance and security.
by Escape

Implement Field-Level Authorization
Category: Access Control | Difficulty: Medium | OWASP: API4:2023
Master the essentials of setting up field-level authorization in GraphQL resolvers for fine-grained access control.
by Escape

Configure HTTP Headers for User Protection
Category: HTTP | Difficulty: Medium | OWASP: API7:2023
Understand the role of the Access-Control-Allow-Origin header in safeguarding users from cross-site request forgery (CSRF) attacks.
by Escape

Validate JSON Inputs
Category: Injection | Difficulty: Medium | OWASP: API8:2019
Explore techniques for validating JSON input objects to mitigate the risk of injection vulnerabilities.
by Escape

Implement Resolver-Level Authorization
Category: Access Control | Difficulty: Hard | OWASP: API5:2023
Master techniques for setting up authorization specifically tailored for GraphQL mutations, enhancing both data integrity and security.
by Escape

Mitigate Server Side Request Forgery
Category: Injection | Difficulty: Easy | OWASP: API6:2023
Grasp the fundamentals of Server Side Request Forgery (SSRF) and the measures to effectively prevent this vulnerability.
Status: Coming soon

Implement Rate-Limiting for Bot Deterrence
Category: DoS | Difficulty: Medium | OWASP: API8:2023
Uncover the importance of rate-limiting as a mechanism to deter automated threats and bots from abusing your API.
Status: Coming soon

Abort Expensive Queries for Database Protection
Category: DoS | Difficulty: Hard | OWASP: API4:2023
Discover how to identify and terminate resource-intensive queries, thereby safeguarding your database from undue stress.
Status: Coming soon

Configure a Secure API Gateway
Category: Access Control | Difficulty: Hard | OWASP: API9:2023
Understand the importance of a well-configured gateway to prevent unauthorized access to your underlying API.
Status: Coming soon

Limit Query Batching to Safeguard Resources
Category: Complexity | Difficulty: Hard | OWASP: API4:2023
Explore strategies to cap query batching, thereby minimizing the risk of resource depletion and enhancing API stability.
Status: Coming soon

Implement List Pagination
Category: Complexity | Difficulty: Hard | OWASP: API4:2023
Discover how implementing pagination for list results can lead to optimized database performance and resource usage.
Status: Coming soon

Secure Third-Party API Interactions
Category: Injection | Difficulty: Hard | OWASP: API10:2023
Learn to safeguard against injection risks when interacting with APIs that return user-provided data.
Status: Coming soon