Burp, Bots, and Broken APIs: AI powered GraphQL Exploitation

AI & Data Innovation

Talk

Session Code

Sess-139

Day 3

9:15 - 9:45 EST


About the Session

AI-Powered GraphQL Exploitation with Burp

GraphQL has rapidly become the API layer of choice for modern web applications — and with it, a whole new attack surface has emerged. But testing GraphQL endpoints remains frustratingly manual, repetitive, and schema-dependent. This talk introduces GraphQL Security Tester, a Burp Suite extension that brings intelligent automation to GraphQL pentesting by combining introspection techniques with GPT-powered exploit generation.

In this session, we'll walk through the architecture, capabilities, and real-world use cases of the tool:

- Automated schema extraction via introspection or manual input
- AI-generated malicious queries and mutations targeting:
  - SQL injection
  - Authorization and privilege escalation
  - Input validation bypasses
  - Deep recursion for DoS
  - Sensitive data exposure
- Live demo: From schema to shell — generating, executing, and analyzing GraphQL attacks in Burp
- Design decisions: How we scoped GPT prompts to stay focused, safe, and syntactically accurate
- Lessons learned: Challenges in using LLMs for security payload generation and where automation still needs a human in the loop

The talk is designed for red teamers, API testers, bug bounty hunters, and anyone tired of hand-crafting GraphQL payloads. Attendees will walk away with a powerful new extension in their Burp arsenal, a deeper understanding of GraphQL security gaps, and inspiration to combine AI with offensive tooling in meaningful ways.

Bonus: All code will be open-sourced and shared during the session.
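The abstract lists schema extraction via introspection, deep-recursion DoS and sensitive data exposure as the areas the extension covers. As an added illustration of what a schema tells you about those two risks (this is example code written for this page, not the GraphQL Security Tester extension or any of its output), the script below takes the JSON a server returns for the standard `__schema` introspection query and reports (a) object-type cycles, which let a client nest a query arbitrarily deep unless the server enforces a depth limit, and (b) fields whose names suggest sensitive data. The introspection document and the list of sensitive name hints are constructed for the example.

```python
"""Audit a GraphQL introspection result for schema-level risk.

Example code added for this page (not the talk's tool). Input is the value
of data.__schema from a standard introspection query, embedded below as a
constructed sample rather than fetched from a live endpoint.
"""
from typing import Dict, List

# Constructed sample in the shape a GraphQL server returns for __schema.
SAMPLE_INTROSPECTION = {
    "__schema": {
        "queryType": {"name": "Query"},
        "types": [
            {"name": "Query", "kind": "OBJECT", "fields": [
                {"name": "user", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
                {"name": "health", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            ]},
            {"name": "User", "kind": "OBJECT", "fields": [
                {"name": "id", "type": {"kind": "NON_NULL", "name": None,
                                        "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
                {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                {"name": "passwordHash", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                {"name": "posts", "type": {"kind": "LIST", "name": None,
                                           "ofType": {"kind": "OBJECT", "name": "Post", "ofType": None}}},
            ]},
            {"name": "Post", "kind": "OBJECT", "fields": [
                {"name": "title", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
                {"name": "author", "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            ]},
            {"name": "String", "kind": "SCALAR", "fields": None},
            {"name": "ID", "kind": "SCALAR", "fields": None},
        ],
    }
}

# Constructed list of substrings that usually mark fields worth an access review.
SENSITIVE_HINTS = ("password", "secret", "token", "ssn", "apikey", "api_key")


def named_type(type_ref: dict) -> str:
    """Unwrap NON_NULL / LIST wrappers down to the underlying named type."""
    while type_ref.get("name") is None and type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref.get("name") or ""


def build_graph(introspection: dict) -> Dict[str, Dict[str, str]]:
    """Map each user-defined OBJECT type to {field_name: target OBJECT type}."""
    types = {t["name"]: t for t in introspection["__schema"]["types"]}
    graph: Dict[str, Dict[str, str]] = {}
    for name, t in types.items():
        if t["kind"] != "OBJECT" or name.startswith("__"):
            continue  # skip scalars, enums and the built-in introspection types
        edges: Dict[str, str] = {}
        for f in t.get("fields") or []:
            target = named_type(f["type"])
            if types.get(target, {}).get("kind") == "OBJECT":
                edges[f["name"]] = target
        graph[name] = edges
    return graph


def find_cycles(graph: Dict[str, Dict[str, str]]) -> List[List[str]]:
    """Depth-first search for cycles between object types.

    Every cycle is a path a query can follow indefinitely (user -> posts ->
    author -> posts ...), so each one is a reason to enforce a query depth
    or cost limit server-side. Cycles are deduplicated by their node set.
    """
    cycles: List[List[str]] = []
    seen = set()

    def walk(node: str, path: List[str]) -> None:
        for target in graph.get(node, {}).values():
            if target in path:
                cycle = path[path.index(target):] + [target]
                key = frozenset(cycle)
                if key not in seen:
                    seen.add(key)
                    cycles.append(cycle)
            else:
                walk(target, path + [target])

    for start in graph:
        walk(start, [start])
    return cycles


def sensitive_fields(introspection: dict) -> List[str]:
    """Return 'Type.field' names whose field name matches a sensitive hint."""
    hits: List[str] = []
    for t in introspection["__schema"]["types"]:
        for f in t.get("fields") or []:
            if any(h in f["name"].lower() for h in SENSITIVE_HINTS):
                hits.append(f"{t['name']}.{f['name']}")
    return hits


def audit(introspection: dict) -> dict:
    """Combine both checks into one report for the schema owner."""
    graph = build_graph(introspection)
    return {"cycles": find_cycles(graph), "sensitive": sensitive_fields(introspection)}


if __name__ == "__main__":
    report = audit(SAMPLE_INTROSPECTION)
    for cycle in report["cycles"]:
        print("recursive type path (enforce a depth limit):", " -> ".join(cycle))
    for field in report["sensitive"]:
        print("sensitive-looking field (review resolver authorization):", field)
```

On the constructed schema the audit reports one cycle, `User -> Post -> User`, and one sensitive-looking field, `User.passwordHash`. On a real schema the same two lists are the starting point for two defensive decisions: whether the server enforces a maximum query depth or cost, and whether every resolver behind a flagged field checks authorization rather than relying on the field simply not being documented.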


Speakers