
Private data

Description

Data that the configuration file declares private (field names together with the scalar values they must never expose) is returned to a user who, according to those same rules, must not be able to access it.

Remediation

The best way to ensure that private data can only be accessed by authorized users is to implement a proper access control system. To do so, access control must be applied to every object type, every field and every link (relation) in the GraphQL schema: a check on the top-level query alone is not enough, because the same data can usually be reached again through another type that links to it.

Apollo

See Apollo's Access Control documentation. For large-scale applications, a dedicated package such as GraphQL Shield makes the access control rules quicker and easier to manage.
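The following is an added example, not code from Escape, Apollo or GraphQL Shield. It shows the remediation above in working form: every resolver of a small User schema is wrapped so that a rule for Type.field runs before the resolver, and any field without a rule is denied by default, so a field added to the schema later cannot silently become public. The resolver map has the shape Apollo Server accepts; the execute() helper, the USERS data and the rule names are constructed for this example and stand in for a real GraphQL executor.

```javascript
'use strict';

// Constructed sample data for the example: two users with private fields.
const USERS = {
  '1': { id: '1', name: 'Alice', email: 'alice@example.com', ssn: '123-45-6789' },
  '2': { id: '2', name: 'Bob',   email: 'bob@example.com',   ssn: '987-65-4321' },
};

// One rule per Type.field. Anything not listed here is denied (default deny).
// ctx.user is the authenticated caller (null when anonymous); parent is the
// object the field is read from, so owner checks compare ids.
const RULES = {
  'Query.user': (ctx) => ctx.user != null,                    // must be logged in
  'User.id':    () => true,                                    // public
  'User.name':  () => true,                                    // public
  'User.email': (ctx, parent) =>
    ctx.user != null && (ctx.user.id === parent.id || ctx.user.role === 'admin'),
  'User.ssn':   (ctx, parent) => ctx.user != null && ctx.user.id === parent.id, // owner only
};

// Raw resolvers with no security logic at all (the "before" state).
const rawResolvers = {
  Query: { user: (_parent, args) => USERS[args.id] || null },
  User: {
    id:    (u) => u.id,
    name:  (u) => u.name,
    email: (u) => u.email,
    ssn:   (u) => u.ssn,
  },
};

// Wrap every resolver of every type so its rule runs first. A missing rule
// is treated exactly like a failing rule.
function protect(resolvers, rules) {
  const out = {};
  for (const [typeName, fields] of Object.entries(resolvers)) {
    out[typeName] = {};
    for (const [fieldName, resolve] of Object.entries(fields)) {
      const rule = rules[`${typeName}.${fieldName}`];
      out[typeName][fieldName] = (parent, args, ctx, info) => {
        if (!rule || !rule(ctx, parent, args)) {
          throw new Error(`Forbidden: ${typeName}.${fieldName}`);
        }
        return resolve(parent, args, ctx, info);
      };
    }
  }
  return out;
}

// Minimal stand-in executor: runs Query.user(id) and then the requested
// User fields, nulling a field and recording an error when its resolver
// throws, which is how a GraphQL response reports a per-field failure.
function execute(resolvers, ctx, userId, fields) {
  const data = { user: null };
  const errors = [];
  let user;
  try {
    user = resolvers.Query.user(null, { id: userId }, ctx, {});
  } catch (e) {
    errors.push(e.message);
    return { data, errors };
  }
  if (user === null) return { data, errors };
  data.user = {};
  for (const f of fields) {
    try {
      data.user[f] = resolvers.User[f](user, {}, ctx, {});
    } catch (e) {
      data.user[f] = null;
      errors.push(e.message);
    }
  }
  return { data, errors };
}

const secured = protect(rawResolvers, RULES);

// Unprotected resolvers leak Alice's SSN to an anonymous caller.
console.log(execute(rawResolvers, { user: null }, '1', ['ssn']));
// Protected: the anonymous caller is refused at Query.user.
console.log(execute(secured, { user: null }, '1', ['name', 'ssn']));
// Protected: Bob reading Alice's record gets name only; email and ssn are nulled.
console.log(execute(secured, { user: { id: '2', role: 'user' } }, '1', ['name', 'email', 'ssn']));
```

The point to notice is the link check: protecting Query.user alone would still expose ssn to Bob, because he is allowed to reach the User object; the rule on User.ssn is what closes the leak, and it has to exist on every path (every link) that reaches a User.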

AWS AppSync

AppSync provides several methods for protecting critical information: it supports several authorization modes (API key, IAM, Amazon Cognito user pools, OpenID Connect and Lambda authorizers), and the schema directives for those modes let you restrict individual types and fields rather than the whole API. See the AppSync authorization documentation.

Hasura

Configuration

CheckId: access_control/private_data

Parameters

user : A list of fieldName:[scalarValues] entries, each naming a field and the scalar values that the scanned user must never be able to retrieve through it. Set .* as fieldName to flag the value wherever it appears, under any field name.

{'__user': [{'**value**': ['**value**']}]}
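The following is an added example of the rule semantics described above, not Escape's scanner code. It applies rules of the form fieldName:[scalarValues] to a GraphQL response that is assumed to have been fetched with the credentials of the user the rules are written for, and returns every leaf whose field name matches a rule and whose value is one of the forbidden scalars. The field name is treated as a regular expression anchored to the whole key, which is how .* comes to mean "under any field name". The response, the rules and the function name findPrivateData are constructed for this example.

```javascript
'use strict';

// Walk a GraphQL response and return every scalar leaf that a rule forbids.
// rules: { fieldNameRegex: [forbidden scalar values] }
function findPrivateData(response, rules) {
  const compiled = Object.entries(rules).map(([field, values]) => ({
    field,
    re: new RegExp(`^(?:${field})$`),          // anchored: ".*" matches every key
    values: new Set(values.map(String)),        // compare as strings, exact match only
  }));
  const hits = [];

  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node !== null && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        walk(value, path ? `${path}.${key}` : key);
      }
    } else {
      // Scalar leaf: the field it was returned under is the last path
      // segment with any array indices stripped ("users[0].ssn" -> "ssn").
      const key = path.replace(/(\[\d+\])+$/, '').split('.').pop();
      for (const r of compiled) {
        if (r.re.test(key) && r.values.has(String(node))) {
          hits.push({ path, field: key, value: node, rule: r.field });
        }
      }
    }
  };

  walk(response && response.data ? response.data : {}, '');
  return hits;
}

// Constructed response, as an unauthenticated scan might receive it.
const RESPONSE = {
  data: {
    users: [
      { id: '1', name: 'Alice', email: 'alice@example.com', ssn: '123-45-6789' },
      { id: '2', name: 'Bob',   email: 'bob@example.com',   ssn: null },
    ],
    audit: { note: 'contact alice@example.com', token: 'sk_live_abc' },
  },
};

// Constructed rules for this user: Alice's SSN and email are private under
// those field names; the token must never appear anywhere.
const RULES = {
  'ssn':   ['123-45-6789'],
  'email': ['alice@example.com'],
  '.*':    ['sk_live_abc'],
};

// Three hits: users[0].ssn, users[0].email and audit.token. The audit.note
// string only contains the email, so exact matching does not flag it.
console.log(findPrivateData(RESPONSE, RULES));
```

Matching is exact and per value, so a forbidden value embedded in a longer string (the audit.note above) is not reported; if you also want substring matches, that is a deliberately different and noisier rule, not a variation of this one.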

Examples

Ignoring this check

{
  "checks": {
    "access_control/private_data": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: HIGH
  • OWASP: A03:2023
  • PCI DSS: 6.5.8
  • CWE
    • 200
    • 201
    • 284
    • 668
    • 1198
    • 1212
    • 1220
  • WASC: 22

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References

https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html