Hasura GraphQL Engine Server-Side-Request-Forgery Scanner
Detects 'Server-Side Request Forgery (SSRF)' vulnerability in Hasura GraphQL Engine.
Short Info
Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 1 minute
Time Interval: 2 weeks 12 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
The Hasura GraphQL Engine is a versatile platform widely utilized by developers to construct scalable APIs rapidly. It plays a crucial role in modern application development, allowing users to access data in real-time over a well-defined schema. This system is often deployed in conjunction with cloud-based services to power dynamic applications, integrating seamlessly within existing tech stacks. Many organizations implement Hasura GraphQL in their backend systems to enhance data retrieval efficiency and enforce data consistency across different services. The engine’s ability to translate GraphQL queries into SQL helps streamline complex data operations. Its ease of use and robust functionality make it a popular choice for enterprises seeking to modernize their API strategy.
A Server-Side Request Forgery (SSRF) vulnerability lets an attacker make a vulnerable server send requests to unintended locations. This can lead to unauthorized disclosure of information or interaction with internal systems. In web applications, an attacker exploits SSRF by manipulating the server into fetching data from arbitrary sources. The vulnerability is particularly concerning because the request originates from the server itself, so it may bypass firewalls and network isolation mechanisms. Exploitation can leak sensitive information or expose internal services to further attacks. The increasing complexity of networked services amplifies the risk associated with SSRF vulnerabilities.
The vulnerability is present in the endpoint that handles `/v1/query` requests in the Hasura GraphQL Engine. Parameters such as `url` within the request body can be manipulated so that the server initiates requests to an attacker-controlled server. By exploiting this endpoint, an adversary can craft malicious payloads that target the internal network infrastructure. The absence of strict validation or filtering of such input parameters is the critical flaw that makes the SSRF attack effective. Because the server itself processes these requests, it can be coerced into sending requests or accessing resources it should not normally be able to reach. This is a standard flaw in how the application handles external URLs.
If exploited, an SSRF vulnerability could have severe consequences for organizations relying on Hasura GraphQL Engine. Attackers might gain the ability to read internal system resources or access internal services that are not exposed to the public. Potential effects include unauthorized access to databases or file systems, retrieval of metadata from cloud services, or even privilege escalation attacks. SSRF's potential to pivot attacks from external networks to internal services underlines the necessity of addressing this issue promptly. Neglecting such security flaws could compromise entire network segments, resulting in significant data breaches or service disruptions.
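The missing validation described above for `url` values in `/v1/query` request bodies can be approximated in front of the engine or during log review. The following is an added example, not Hasura's code or the scanner's logic; the allowlisted host, the sample bodies and the function names are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Assumption: hosts this deployment legitimately lets the engine call out to.
ALLOWED_HOSTS = {"api.partner.example"}

def find_urls(node, path=""):
    """Yield (json_path, value) for every string stored under a key named 'url'."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key == "url" and isinstance(value, str):
                yield here, value
            else:
                yield from find_urls(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_urls(item, f"{path}[{i}]")

def classify(url):
    """Return None if the destination is acceptable, else a short reason."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return "scheme not http(s)"
    if not host:
        return "no host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: no DNS lookup is done, only allowlisted names pass.
        return None if host in ALLOWED_HOSTS else "host not on allowlist"
    # Loopback, private, link-local (cloud metadata) and similar ranges.
    return "IP literal, not on allowlist" if ip.is_global else "internal address"

def screen_body(raw):
    """Screen one /v1/query request body; return [(path, url, reason), ...]."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        return [("", "", "unparseable body")]
    return [(p, u, r) for p, u in find_urls(body) if (r := classify(u))]
```

Because hostnames are matched against an allowlist rather than resolved, a name that points at an internal address is rejected unless it was explicitly permitted.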