Authorization Bypass :: GraphQL Query Deny List Bypass


Problem Statement

Creating an allow-list or a deny-list for GraphQL queries is a common technique for preventing malicious queries from being resolved by the server.

In general, the allow-list approach is easier to maintain and less error-prone, since only the queries we explicitly trust are permitted and everything else is rejected by default. That does not mean it cannot have flaws too.

The application has a deny-list mechanism that attempts to reject health-check requests, i.e. any query that uses the systemHealth query.

The problem with this mechanism is that it does not take into account that queries can carry an operation name (query someName { ... }). A check that only recognises the anonymous forms { systemHealth } and query { systemHealth } no longer sees the field once the operation is named, so the query is resolved anyway.
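The following is an added example, not the application's own filter: a naive deny-list check of the kind described above (it looks for the first field right after the opening brace and has no notion of an operation name), placed beside a check that tokenizes the whole document and inspects every selected field. DENY_LIST, the sample queries and the regexes are constructed for this illustration. The aliased query goes slightly beyond the text; it shows that the same "first identifier" assumption also fails when the field is renamed with an alias.

```python
import re

# Constructed deny list for this exercise: queries selecting systemHealth must be refused.
DENY_LIST = {"systemHealth"}

# Naive check modelling the flaw in the text: it assumes the document is either
# "{ field ... }" or "query { field ... }" and reads the identifier after the brace.
_NAIVE_FIRST_FIELD = re.compile(r"^\s*(?:query\s*)?\{\s*([A-Za-z_][A-Za-z0-9_]*)")


def naive_is_denied(query: str) -> bool:
    """Deny only when the first selected field of an anonymous operation is listed."""
    m = _NAIVE_FIRST_FIELD.match(query)
    first_field = m.group(1) if m else None
    return first_field in DENY_LIST


# Minimal GraphQL lexer (assumption: enough of the grammar for field extraction).
# Block strings and plain strings are consumed whole so their contents never look like names.
_TOKEN = re.compile(
    r"""
    (?P<comment>\#[^\n\r]*) |
    (?P<string>\"\"\"(?:\\\"\"\"|(?!\"\"\")[\s\S])*\"\"\"|"(?:\\.|[^"\\])*") |
    (?P<spread>\.\.\.) |
    (?P<name>[A-Za-z_][A-Za-z0-9_]*) |
    (?P<number>-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?) |
    (?P<punct>[{}()\[\]:=@$!|&]) |
    (?P<ws>[\s,]+)
    """,
    re.VERBOSE,
)


def field_names(query: str) -> list:
    """Return every field name selected anywhere in the document, in source order."""
    tokens = []
    pos = 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}: {query[pos]!r}")
        pos = m.end()
        if m.lastgroup in ("ws", "comment", "string", "number"):
            continue
        tokens.append((m.lastgroup, m.group()))

    fields = []
    brace_depth = 0  # >0 means we are inside a selection set
    paren_depth = 0  # >0 means we are inside an argument list (names there are arguments)
    for i, (kind, text) in enumerate(tokens):
        if kind == "punct":
            if text == "{":
                brace_depth += 1
            elif text == "}":
                brace_depth -= 1
            elif text == "(":
                paren_depth += 1
            elif text == ")":
                paren_depth -= 1
            continue
        if kind != "name" or brace_depth == 0 or paren_depth > 0:
            continue
        prev = tokens[i - 1] if i else None
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        # Skip variables ($x), directives (@x), fragment spreads (...x) and type conditions (on X).
        if prev and (prev[1] in ("$", "@", "...") or prev == ("name", "on")):
            continue
        # Skip aliases ("alias: field"): the real field name is the token after the colon.
        if nxt == ("punct", ":"):
            continue
        fields.append(text)
    return fields


def robust_is_denied(query: str) -> bool:
    """Deny when any selected field, at any depth or under any alias, is listed."""
    return any(name in DENY_LIST for name in field_names(query))


# Constructed sample queries.
PLAIN = "{ systemHealth }"
NAMED = "query health { systemHealth }"          # the operation-name bypass from the text
ALIASED = "{ h: systemHealth }"                  # alias variant of the same assumption
BENIGN = 'query getPastes { pastes(title: "systemHealth") { id title } }'

if __name__ == "__main__":
    for q in (PLAIN, NAMED, ALIASED, BENIGN):
        print(f"{q!r}: naive={naive_is_denied(q)} robust={robust_is_denied(q)}")
```

The hand-rolled lexer is only there to keep the example self-contained; in a real server the check should run on the same AST the engine executes (for graphql-core, parse the document and walk it with a Visitor that inspects every Field node), so that the filter and the executor can never disagree about what a query selects. Even then, a deny list of field names stays a reactive control; an allow-list of known queries removes the guessing game entirely.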

Resources
Exploitation Solution