The application implements a very basic mutation to create a new post on the blog. The mutation used is the following
If we look at the code we have a class CreatePost that will implement our logic to create a post.
The method mutate will just get the new Post object and insert an instance in the database.
Exploit
There are many ways we could exploit this, one would be to delete any post we want. If there is a createPost class there might be another class called deletePost, let's try:
Bingo! Post with id:4 was deleted. If we go back and refresh the application:
You could, of course, achieve the same goal with burp. What else can you exploit using this vulnerability?
$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:java-graphql-mutation
mutation {
createPost(title: "This is a new title", body: "This is a new post", author_id: 2) {
id
title
body
}
}
public Post createPost(String title, String body, int user_id) throws org.hibernate.exception.GenericJDBCException{
Post post = new Post();
post.setTitle(title);
post.setBody(body);
post.setUser(new User(user_id));
postRepository.save(post);
return post;
}
