$1000 Bug using simple Graphql Introspection query
Welcome to my blog! In this post, I will be discussing my experience in security testing an application's implementation of multi-factor authentication (MFA). As part of my testing process, I attempted to bypass the password prompt that protects the recovery codes. In the following article, I will share the details of my testing process and the results of my efforts to bypass that check. If you are interested in learning about MFA security and potential vulnerabilities, I encourage you to keep reading.
Testing Methodology - Captcha Bypass : https://securitycipher.com/docs/captcha-bypass/
Testing Methodology — Graphql : https://securitycipher.com/docs/graphql-inprogress/
What is GraphQL
GraphQL is a query language for your API that allows clients to request exactly the data they need, and nothing more. It was developed by Facebook and has become increasingly popular in recent years as an alternative to REST APIs. One of the main benefits of GraphQL is its flexibility, as it allows clients to request multiple resources in a single request and receive a response that matches the exact shape of their request. This means that clients don’t have to worry about over- or under-fetching data, as they can specify exactly what they need. Additionally, GraphQL has a strong and active community of developers who are constantly working to improve the language and its tooling. With its many benefits and a vibrant community of supporters, it’s no wonder that GraphQL has become such a popular choice for APIs.
GraphQL Introspection query
GraphQL introspection is a feature that enables users to discover the capabilities of a GraphQL API by querying the API itself. This includes information about the types, fields, queries and mutations that the API supports. By using an introspection query, developers (and testers) can learn the structure and capabilities of a GraphQL API without having to refer to external documentation. This can be especially useful when working with large, complex APIs that have many different types and fields, and it is exactly why introspection should be treated as an attack-surface map: every operation it lists must enforce its own authorization on the server, regardless of what the UI exposes.
How to perform introspection in GraphQL
This is the full request to perform your GraphQL introspection on your target (if enabled):
Send a POST request with the below body.
{"query": "query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
The server should respond with the full schema (query, mutation, objects, fields…). Even though the schema is returned as JSON, it quickly becomes unreadable. First, save the JSON response to a file. In my opinion, once you have the schema, the best way to work with it is to import it into a tool like “GraphQL Voyager”.
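Added example (not from the original post): a small Python script that turns a saved introspection response into a readable list of root Query and Mutation operations in SDL notation and flags names that usually deserve an authorization review, such as anything mentioning recovery codes. The embedded introspection JSON, its type names and field names are constructed for the example and are not the real application's schema.

```python
import json
import re

# Constructed sample of an introspection response, trimmed to the parts the
# script reads (a real response is far larger). Names are made up.
SAMPLE_INTROSPECTION = json.dumps({
    "data": {"__schema": {
        "queryType": {"name": "Query"},
        "mutationType": {"name": "Mutation"},
        "types": [
            {"kind": "OBJECT", "name": "Query", "fields": [
                {"name": "mfaRecoveryCodes", "args": [],
                 "type": {"kind": "LIST", "name": None,
                          "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}},
            ]},
            {"kind": "OBJECT", "name": "Mutation", "fields": [
                {"name": "updateEmail",
                 "args": [{"name": "email", "type": {"kind": "NON_NULL", "name": None,
                           "ofType": {"kind": "SCALAR", "name": "String", "ofType": None}}}],
                 "type": {"kind": "OBJECT", "name": "User", "ofType": None}},
            ]},
        ]}}})
# Field-name patterns that usually warrant checking the resolver's authorization
SENSITIVE = re.compile(r"recovery|backup|secret|token|password|apikey|mfa|2fa", re.I)

def type_name(t):
    """Render a TypeRef (kind/name/ofType chain) in GraphQL SDL notation."""
    if t["kind"] == "NON_NULL":
        return type_name(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_name(t["ofType"]) + "]"
    return t["name"]

def root_operations(introspection_json):
    """Return [(root, field, signature, sensitive)] for the Query and Mutation roots."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    roots = {schema[k]["name"]: k.replace("Type", "") for k in ("queryType", "mutationType") if schema.get(k)}
    types = {t["name"]: t for t in schema["types"]}
    out = []
    for name, root in roots.items():
        for f in types[name].get("fields") or []:
            args = ", ".join(f"{a['name']}: {type_name(a['type'])}" for a in f.get("args", []))
            sig = f"{f['name']}({args}): {type_name(f['type'])}"
            out.append((root, f["name"], sig, bool(SENSITIVE.search(f["name"]))))
    return out

if __name__ == "__main__":
    for root, _, sig, flagged in root_operations(SAMPLE_INTROSPECTION):
        print(f"{'!!' if flagged else '  '} {root}.{sig}")
```

To use it on a real target, replace SAMPLE_INTROSPECTION with the contents of the file you saved from the introspection request.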
Tools I have used
Burpsuite Pro
Burp Suite Extension: InQL Scanner
How I got this vulnerability
I spent a significant amount of time crawling the application but was unable to find any vulnerabilities.
As a next step, I decided to test the application’s implementation of multi-factor authentication (MFA) by enabling it. Upon enabling MFA, I noticed that the application displayed a recovery code that I could use to log in in the event that I was unable to provide the required MFA input.
I was curious, so I attempted to access the recovery codes again. I clicked on the recovery codes option and a pop-up appeared, prompting me to enter a password. This made me wonder if it was possible to access the recovery codes without providing the password.

Now I opened the InQL Scanner Burp Suite extension and attempted to run an introspection query.
I just entered the application's GraphQL endpoint and clicked on load.
In the response, I was able to get all the queries related to the application.

While reviewing the queries, I came across one that was related to recovery codes and decided to test it. I copied the query and pasted it into Repeater. To my surprise, the response contained the recovery codes without the password being required. In other words, the password check existed only in the front-end pop-up; the GraphQL resolver behind it handed out the recovery codes to any authenticated session.
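Added example (not the application's code): the root cause above is a resolver that checks only for a logged-in session while the password prompt lives in the UI. The snippet shows that vulnerable shape next to a hardened version that requires a recent password re-verification (step-up) recorded in the session before returning recovery codes. The user record, password, recovery codes and the 300-second re-auth window are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed in-memory user record; a real service reads this from its user
# store. Password hashing uses PBKDF2 from the standard library.
def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

SALT = os.urandom(16)
USER = {"id": 42, "pw_hash": hash_password("correct horse", SALT), "salt": SALT,
        "recovery_codes": ["ab12-cd34", "ef56-gh78"]}   # constructed sample codes

REAUTH_WINDOW = 300  # seconds a password re-verification stays valid (assumed)

# Before: the resolver only checks that a session exists. The password prompt
# lived in the UI, so a direct GraphQL query skipped it (the bug in this post).
def resolve_recovery_codes_before(ctx):
    if ctx.get("user") is None:
        raise PermissionError("unauthenticated")
    return ctx["user"]["recovery_codes"]

# After: password verification is a server-side step that stamps the session.
def verify_password(ctx, password, now=None):
    user = ctx["user"]
    ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    if ok:
        ctx["reauth_at"] = now if now is not None else time.time()
    return ok

# The sensitive resolver itself demands a fresh step-up, so bypassing the UI
# pop-up no longer helps.
def resolve_recovery_codes_after(ctx, now=None):
    if ctx.get("user") is None:
        raise PermissionError("unauthenticated")
    now = now if now is not None else time.time()
    if now - ctx.get("reauth_at", 0) > REAUTH_WINDOW:
        raise PermissionError("password re-verification required")
    return ctx["user"]["recovery_codes"]
```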

At long last, the program acknowledged the bug, and I received a bounty along with a bonus for my discovery.

Follow me on:
Twitter: https://twitter.com/piyush-kumawat
Linkedin: https://linkedin.com/piyush-kumawat
Website: https://securitycipher.com