IDOR Vulnerability In GraphQL Api On Website

Image Source: https://threatpost.com/how-to-bug-bounties/165657/
  1. There is a lack of authentication error in Graphql Api while retrieving the file and then sending it to the destination email.
    Why this happened?
    Because in “operation”:”sendEmail” Graphql API only check “[Path]Id” and uncheck “[Path]Hash” .

--

--

--

Pemburu Bug & Pengujian Penetrasi

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

CORONA CRYPTO AIRDROP

Build and deploy a simple Apollo GraphQL federated schema using AWS EKS (Kubernetes)-Pt.2

Data Privacy and Governance in IoT and Smart Homes

6 easy steps to register for a Digix account

“How to Choose Your VPN?” (From our Forums.)

Which Is More Effective Against Phishing Attacks — Area 1 or a SEG?

Realism Endures: Why States Seek Digital Arms and Will Continue to Do So

Fake FBI emails warning of sophisticated attack part of “ongoing situation, “ agency says

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aidil Arief

Aidil Arief

Pemburu Bug & Pengujian Penetrasi

More from Medium

How to Exploit Public Firebase Realtime Database using REST API

Exploiting S3 bucket with path folder to Access PII info of A BANK

Tackling CVE-2021–41277 Using a Vulnerability Database

File Upload to RCE