Authorization Bypass :: GraphQL Query Deny List Bypass
Problem Statement
Creating an allow-list or deny-list for GraphQL is a common technique to prevent malicious queries from
being resolved by the GraphQL server.
By defining an allow-list, the application server has a set of "known good" queries it will allow, and
rejects anything else.
By defining a deny-list, the application server has a set of "known bad" queries it will reject, and allows
anything else.
In general, the allow-list approach is easier to maintain and less error-prone, since only queries that are
known and trusted are permitted. That does not mean it cannot have flaws of its own.
The application has a deny-list mechanism implemented that attempts to reject health-check queries that use
the systemHealth query.
The problem with this mechanism is that it does not take into account that queries can carry operation names.
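The following Python example is added here and is not the application's own code: the naive check is a constructed stand-in for a deny list that inspects the shape of the raw query text, the hardened check strips string literals and comments and then looks at every name in the document so an operation name cannot move the field out of view, and the sample documents are constructed for illustration.

```python
import re

# Field the application's deny list is meant to reject (from the page).
DENIED_FIELDS = {"systemHealth"}

def naive_denylist_blocks(query: str) -> bool:
    """Constructed stand-in for a shape-based deny list (not the app's code).

    It only looks at the first field of a selection set that immediately
    follows an optional bare 'query' keyword, so a document that carries an
    operation name never reaches the check.
    """
    body = query.strip()
    if body.startswith("query"):
        body = body[len("query"):].lstrip()
    first_field = re.match(r"\{\s*([A-Za-z_][A-Za-z0-9_]*)", body)
    return bool(first_field and first_field.group(1) in DENIED_FIELDS)

# Lexical pieces of a GraphQL document we need to tell apart.
_BLOCK_STRING = re.compile(r'"""[\s\S]*?"""')
_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r"#[^\n]*")
_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

def referenced_names(query: str) -> set[str]:
    """Every Name token in the document, with string literals and comments
    removed first so that text inside them is not mistaken for a field."""
    stripped = _BLOCK_STRING.sub('""', query)
    stripped = _STRING.sub('""', stripped)
    stripped = _COMMENT.sub("", stripped)
    return set(_NAME.findall(stripped))

def hardened_denylist_blocks(query: str) -> bool:
    """Deny if a denied name appears anywhere in the document.

    Deliberately fail-closed: operation names, aliases, fragments and
    variables are all covered. A production check would parse the document
    into an AST and inspect field names only; this token-level version
    needs no GraphQL library.
    """
    return bool(referenced_names(query) & DENIED_FIELDS)

# Constructed sample documents (not taken from the application).
SAMPLES = {
    "anonymous": "{ systemHealth }",
    "named_operation": "query Health { systemHealth }",
    "only_in_string": '{ search(term: "systemHealth") { id } }',
    "only_in_comment": "query Health {\n  # systemHealth is checked elsewhere\n  status\n}",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(f"{label:16} naive={naive_denylist_blocks(doc)!s:5} "
              f"hardened={hardened_denylist_blocks(doc)}")
```

Running it shows the naive check rejecting only the anonymous document while the hardened check rejects both forms and still lets the two documents that merely mention the word in a string or comment through.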