Graphql Exploitation – Part 3- Injection attacks and XSS attacks

In this blog, we will cover another type of attack on GraphQL, “Injection attacks”, which is also a prominent category in the OWASP Top 10. We will also cover the possibility of cross-site scripting (XSS) attacks in GraphQL.

Database Injection in Graphql

We know that the GraphQL architecture needs a data source, and most of the time that data source is a database management system. When a query is received at the backend, the GraphQL resolver parses it and distinguishes the requested operations. If the operation is to fetch data, the resolver queries the database and returns the required data accordingly.

Source: https://www.agiliq.com/assets/images/graphql/graphql-architecture.png

When data from the GraphQL client is trusted without any input sanitization at the server’s end, there is a possibility of SQL/NoSQL injection. Yes, it is very similar to SQLi and NoSQLi in a REST API, and all the categories of database injection are possible (blind, union-based, etc.).

Let’s understand this with an example of a vulnerable GraphQL application where an SQLite database is used as the data source.

The query operation “dog” takes the parameters “namePrefix” and “limit” and shows dog names containing the “namePrefix” value. The “namePrefix” value is passed directly into the database query, which leads to SQL injection. As the video shows, we are performing boolean-based SQL injection and the injection point is clearly visible, so we will not go further into explaining this simple SQLi exploitation. The purpose of this demo was to show the possibility of SQLi in GraphQL.

A sample of the vulnerable code of this demo application is shown below. The code is located here.

Now we have understood that GraphQL can have vulnerable operations which cause injection attacks on any type of database if the resolvers are not implemented securely.
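To make the resolver-side issue concrete, here is an added example (not the blog’s demo code) of the “dog” operation written two ways: once with the arguments pasted into the SQL text, as the demo app does, and once with a fixed statement and bound parameters. The `db` object is a constructed stand-in for an SQLite driver with a better-sqlite3-style `prepare(sql).all(...params)` interface; it records the statement and parameters instead of executing them, so the difference in what reaches the database is visible offline.

```javascript
// Constructed stand-in for an SQLite driver: records each statement instead of running it.
function makeRecordingDb() {
  const log = [];
  return {
    log,
    prepare(sql) {
      return { all: (...params) => { log.push({ sql, params }); return []; } };
    },
  };
}

// Vulnerable resolver: namePrefix and limit become part of the SQL text,
// so a quote in namePrefix changes the meaning of the WHERE clause.
function dogResolverVulnerable(db, { namePrefix, limit }) {
  const sql = `SELECT name FROM dogs WHERE name LIKE '%${namePrefix}%' LIMIT ${limit}`;
  return db.prepare(sql).all();
}

// Hardened resolver: the SQL text never changes; user data travels only as
// bound parameters, and limit is validated as a bounded integer.
function dogResolverSafe(db, { namePrefix, limit }) {
  if (typeof namePrefix !== 'string' || namePrefix.length > 64) {
    throw new Error('namePrefix must be a string of at most 64 characters');
  }
  if (!Number.isInteger(limit) || limit < 1 || limit > 100) {
    throw new Error('limit must be an integer between 1 and 100');
  }
  // Escape LIKE wildcards so a prefix of "%" or "_" cannot widen the match.
  const pattern = '%' + namePrefix.replace(/[\\%_]/g, (c) => '\\' + c) + '%';
  const sql = "SELECT name FROM dogs WHERE name LIKE ? ESCAPE '\\' LIMIT ?";
  return db.prepare(sql).all(pattern, limit);
}

// Constructed boolean-based payload of the kind shown in the demo.
const PAYLOAD = "' OR 1=1 --";

// Run both resolvers with the same input and return what each sent to the database.
function compare() {
  const vuln = makeRecordingDb();
  dogResolverVulnerable(vuln, { namePrefix: PAYLOAD, limit: 5 });
  const safe = makeRecordingDb();
  dogResolverSafe(safe, { namePrefix: PAYLOAD, limit: 5 });
  return { vulnerable: vuln.log[0], safe: safe.log[0] };
}
```

With the vulnerable resolver the recorded statement reads `... WHERE name LIKE '%' OR 1=1 --%' LIMIT 5`, i.e. the condition is now always true; with the hardened one the statement text is unchanged and the whole payload sits in the first bound parameter, where SQLite treats it as a plain string. The same shape applies to any driver: the fix is that user data never participates in building the statement text.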

Other Injection Attacks

Like database injection attacks, other types of injection attacks (command injection, LDAP injection, etc.) could be possible depending upon the backend functionality of the application. We will not discuss those attacks here, but remember to exploit them with the same payloads you use for REST API requests.

Cross-Site Scripting (XSS) attacks

GraphQL can also be vulnerable to XSS if the output of the response is reflected on a web page. Both reflected and stored XSS are possible depending upon the vulnerable operation used (query / mutation).

Let us understand this with a demo; again we are using the same vulnerable GraphQL application, which you can find here.

As is evident from the demo, if the error is reflected into the frontend HTML together with the unsanitized user input, then XSS can happen.

Now let’s try this scenario on a frontend which sends the same request to fetch the details of a vet. Below is the HTML code which will help us demonstrate XSS.

<html>
    <body>
        <center>
        <form class="form" id="myform">
            <input type="text" value="Input the Vet ID" name="vetid" onfocus='this.value=""'>
            <button type="submit">Submit</button>
        </form>
        <p></p>
        </center>
        <script>
            var form = document.getElementById("myform");
            form.addEventListener("submit", (e) => {
                e.preventDefault();
                var id = document.getElementsByTagName("input")[0].value;
                // The vet ID is interpolated straight into the query text: this is the injection point.
                fetch('http://127.0.0.1:8080/graphql', {
                    method: 'POST',
                    headers: {
                        'Content-Type': 'application/json',
                        'Accept': 'application/json',
                    },
                    body: JSON.stringify({query: `query{\n  myInfo(veterinaryId:${id}, accessToken:"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJwb2MiLCJzdWIiOiJEb21uaXF1ZSIsImlzcyI6IkF1dGhTeXN0ZW0iLCJleHAiOjE2MjQ1Nzk0NTd9.x7BGuCQQ-aEw6g8SrhztmxEXoy6Cfs4tn0yGzNHUVBE"){\n    name\n    id\n    popularity\n  }\n}`})
                }).then(r => r.json())
                  // Whatever comes back (data or error message) is written into the page as HTML.
                  .then(data => document.getElementsByTagName("p")[0].innerHTML = JSON.stringify(data));
            });
        </script>
    </body>
</html>

According to the above code, whatever data we receive in the response will be reflected on the front end.

If the request doesn’t work, try replacing the “accessToken” with a new one obtained via the auth() query.

Let’s do it then!!!

The payload which we used is

"<img src=x onerror=document.location='http://payatu.com'><!--"

which will redirect the user to payatu.com, and this confirms that XSS is possible in this type of scenario.

Mitigations

When we talk about mitigations for injection and XSS attacks in the case of GraphQL, there is no change from the usual advice:

  1. Use parameterized queries in the backend application to handle user-supplied data.
  2. Apply input validation to data received via Query/Mutation/Subscription before using it.
  3. Ensure that the client rendering the data from the GraphQL response applies escaping/sanitization to the data before rendering it.
  4. Implement a proper Content Security Policy for web pages.
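The following is an added example (not the blog’s code) showing how the demo page’s client would look with points 2 and 3 applied: the vet ID is validated and sent as a GraphQL variable instead of being pasted into the query text, and the response is rendered with `textContent` so that anything echoed back by the server is shown as text rather than parsed as markup. The field and argument names and the accessToken come from the blog’s HTML; the `Int!` type of `veterinaryId` is an assumption about the demo app’s schema, and the reflected error object is constructed for the test.

```javascript
// The query text is a constant; user data enters only through $variables.
// Assumption: veterinaryId is an Int in the demo app's schema.
const MYINFO_QUERY = `query MyInfo($veterinaryId: Int!, $accessToken: String!) {
  myInfo(veterinaryId: $veterinaryId, accessToken: $accessToken) {
    name
    id
    popularity
  }
}`;

// Build the POST body with GraphQL variables; the raw form value is validated
// as a whole number first, so it can never change the structure of the query.
function buildMyInfoRequest(rawId, accessToken) {
  if (typeof rawId !== 'string' || !/^\d{1,9}$/.test(rawId.trim())) {
    throw new Error('Vet ID must be a whole number');
  }
  return {
    query: MYINFO_QUERY,
    variables: { veterinaryId: Number(rawId.trim()), accessToken },
  };
}

// HTML escaping for the cases where a string really has to be embedded in markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the response as text, never as HTML: textContent does not parse tags.
// `el` is any element-like object with a textContent property (the real <p> in the browser).
function renderResponse(el, data) {
  el.textContent = JSON.stringify(data);
  return el.textContent;
}

// Constructed example of a server error that echoes the submitted value back.
const REFLECTED_ERROR = {
  errors: [{ message: 'Unexpected value: <img src=x onerror=alert(1)>' }],
};

// In the browser the submit handler becomes:
//   fetch('http://127.0.0.1:8080/graphql', {
//     method: 'POST',
//     headers: { 'Content-Type': 'application/json', 'Accept': 'application/json' },
//     body: JSON.stringify(buildMyInfoRequest(input.value, token)),
//   }).then(r => r.json()).then(d => renderResponse(document.querySelector('p'), d));
```

Two things are worth noting about the design. Using variables means a value such as the blog’s payload is rejected at validation, and even a server-side error that echoes it back lands in `textContent`, where an `<img>` string is just characters. For point 4, serving the page with a header such as `Content-Security-Policy: default-src 'self'` blocks inline event handlers like `onerror` even if a rendering bug slips through, so the three controls layer rather than replace each other.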

About Payatu

Payatu is a Research Focused, CERT-In impaneled Cybersecurity Consulting company specializing in security assessments of IoT product ecosystem, Web application & Network with a proven track record of securing applications and infrastructure for customers across 20+ countries.
