Improper access control
API Platform version from 2.2.0 to 2.3.5 contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource being able to delete any resource. This attack appears to be exploitable via the user must be authorized. This vulnerability...
CVE-2019-1000011
CVE-2019-1000011 affects API Platform core (PHP) 2.2.0–2.3.5, due to an Incorrect Access Control flaw in GraphQL delete mutations. The vulnerability allows a user who is authorized to delete a resource to delete any resource. The issue’s impact and existence are documented in multiple sources (in...
Improper Access Control
API Platform contains an Incorrect Access Control vulnerability in GraphQL delete mutations that can result in a user authorized to delete a resource being able to delete any resource. This attack appears to be exploitable via the user must be authorized...
HackerOne: Confidential data of users and limited metadata of programs and reports accessible via GraphQL
Summary: The GraphQL endpoint doesn't have access controls implemented properly. Description: Any attacker can get personally identifiable information of users of Hackerone such as email address, backup hash codes, facebookuserid, accountrecoveryphonenumberverifiedat, totpenabled, etc. These are...
Shopify: Bypass GraphQL rate limit by abusing negative cost queries
Hi security team, While looking into the graphql app I noticed an interesting implementation where each app has a bucket of query cost they are allowed to use in a given time with a certain refresh rate associated with it. The details can be found at...
CVE-2019-1000011: Access control bypass in GraphQL mutations
Q A Bug fix? yes New feature? no BC breaks? no Deprecations? no Tests pass? yes Fixed tickets 2364 License MIT Doc PR This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances see 2364...
CVE-2019-1000011: Access control bypass in GraphQL mutations
| Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | 2364 | License | MIT | Doc PR | This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances s...
HackerOne: Response program can display "eligible for bounty" in scope area in program policy
Hello Hackerone Team and @jobert First of all, Happy new year to everyone. Summary Response program can also display "eligible for bounty" assets on program policy. It's basically causing from backend in terms of GRAPHQL mutation query for eligible in bounty:true which stays forever on response...
Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure
A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not...
HackerOne: Response program can create bounty table
Summary: Follow h1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, create bounty table only available for bounty program. Description: Step1: Create request to graphql entrypoint Step2: Change team id in parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...
SS-2018-007: CSRF vulnerability in graphql
More info at https://www.silverstripe.org/download/security-releases/ss-2018-007/...
HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details
It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...
HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter
The embeddedsubmissionformuuid parameter in the /graphql endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior: Locally: curl -X POST http://localhost:8080/graphql?embeddedsubmissionformuuid=1%27%3BSELECT%201%3BSELECT%20pgsleep\30%3B--%27...
Shopify: H1514 Get access to non public information by pivoting with graphql queries
Hi security team, Summary: It is possible to pivot with queries to get access to information you shouldn't have access to according to docs located at https://help.shopify.com/en/api/graphql-admin-api/reference/queryroot Description: I will try to write up all the ones I can find related to...
API Gateway -- Secure API Traffic with OAuth 2.0 and Cache GraphQL Responses
APIs are the connective tissue between software and modern digital experiences, and they must be exposed to consumers in a way that prevents misuse. This means your APIs must have appropriate governance authorization, authentication, quota management policies to prevent consumers from abusing API...
Shopify: H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption
Hi security team, Summary: With great pleasure we would like to report that we have discovered a GraphQL endpoint that discloses internal beer consumption at your offices. Description: This endpoint is leaking internal app details about how much beer you have left on any given day. Steps To...
HackerOne: Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session
Hi Team, Summary: I have found an Insufficient Session Expiration on implementation of the new Revoke user session feature of HackerOne here: https://hackerone.com/settings/sessions Description: The new REVOKE session feature will destroy the session of the selected device, that means any request...
Shopify: Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance.
Hi, I am reporting this because it looks like an authorization bug in GraphQL. A staff member having no explicit permissions on a Shopify Store may be able to retrieve the Current balances in all currencies for the account for Shopify Payments. Steps 1. STAFF account is created and assigned NO...
Shopify: Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation
Summary GraphQL LiveView operation doesn't properly check for permissions before returning data. This allows "No Access" users to access some store settings and data by providing complete Shop schema fields in the request string. Steps to reproduce 1. Log into an attacker account of a test store...