ENGLISH, FCSC, CTF, WRITEUP, WEB, SECURITY, GRAPHQL, INTROSPECTION

FCSC 2020 Write-Up - Rainbow v1 - GraphQL Introspection Exploit

May 17, 2020 Zarial

Challenge Overview

Rainbow v1 presented a dynamic search interface for finding chefs. Upon inspection, the site uses a JavaScript frontend that formats search queries and sends them to index.php?search=.

Initial Reconnaissance

Discovering GraphQL

The first step was analyzing the search parameter. I noticed it was Base64-encoded, which immediately suggested something interesting was being hidden. After decoding, i discovered an unusual JSON-like structure:

{ 
  allCooks (filter: { firstname: {like: "%%"}}) { 
    nodes { 
      firstname, 
      lastname, 
      speciality, 
      price 
    }
  }
}

This wasn’t standard JSON or SQL, it was GraphQL. Having not worked extensively with GraphQL at the time, i started researching common vulnerabilities and exploitation techniques for GraphQL APIs.

Understanding the Vulnerability

The critical issue here is that the application allows users to construct and execute arbitrary GraphQL queries. There’s no query validation or restriction on what fields can be accessed. This is a common misconfiguration in GraphQL implementations.

Exploitation

GraphQL Introspection

GraphQL has a powerful feature called introspection that allows clients to query the schema itself. This is incredibly useful for development and documentation, but when left enabled in production, it becomes a security liability.

I used the following introspection query to dump the entire schema:

{
  __schema {
    types {
      name,
      fields {
        name
      }
    }
  }
}

What this does:

__schema: The root introspection query
types: Lists all types defined in the schema
fields: Shows all fields available on each type

This revealed the complete database structure, including a particularly interesting field: allFlags.

Extracting the Flag

With the schema exposed, i crafted a new query to retrieve all flags:

{ 
  allFlags (filter: { flag: {like: "%%"}}) { 
    nodes { 
      flag
    }
  }
}

The wildcard filter %% ensures all records are returned. Executing this query immediately revealed the flag.

Conclusion

This challenge wasn’t particularly complex, the vulnerability was pretty straightforward. The application allowed users to format and execute arbitrary GraphQL queries, which is a fundamental security flaw. Combine that with introspection enabled in production, and you’ve essentially given attackers a complete map of your database schema.

References