added header
This commit is contained in:
parent
3cd54f0796
commit
199c17377e
@ -325,7 +325,7 @@ Mutation could even lead to account take over trying to modify other account dat
"query":"mutation updateProfile($username: String!,...){updateProfile(username: $username,...){...}}"
}
```

### Bypass authorization in GraphQL

[Chaining queries](https://s1n1st3r.gitbook.io/theb10g/graphql-query-authentication-bypass-vuln) together can bypass a weak authentication system.

In the below example you can see that the operation is "forgotPassword" and that it should only execute the forgotPassword query associated with it. This can be bypassed by adding a query to the end, in this case we add "register" and a user variable for the system to register as a new user.

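Review bot: the heading in this hunk, `### Bypass authorization in GraphQL`, names the technique an authorization bypass, while the sentence directly under it ("can bypass a weak authentication system") and the linked write-up (`graphql-query-authentication-bypass-vuln`) describe an authentication bypass; pick one term and use it in both the heading and the sentence so the section is findable and accurate. The paragraph also says "In the below example you can see that the operation is "forgotPassword"", but that request is not part of this hunk, so confirm the example block still immediately follows the new heading rather than the closing fence of the `updateProfile` mutation above it. Minor: in the hunk context line, "account take over" should read "account takeover".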