Injection :: Log Injection // Log Spoofing


Problem Statement

GraphQL actions such as mutation and query have the ability to take an operation name as part of the query. Here is an example query that uses MyName as an operation name:

query MyName {
    getMyName
    {
      first
      last
    }
  } 

The application is keeping track of all queries and mutations users are executing on this system in order to display them in the audit log.

However, the application is not doing a fair job at verifying the operation name.

Resources
Exploitation Solution