Private data
Description
According to the rules provided in the configuration file, private data
can be accessed by unauthorized users.
Remediation
The best way to ensure that private data can only be accessed by authorized users is to implement a proper access control system. To do so, access control must be applied to every object and every link in the GraphQL schema.
GraphQL Specific
Apollo
See Apollo's Access Control documentation. For large scale applications, you'll want to use a specific package like GraphQL Shield for quick and easy Access Control management.
Hasura
See Hasura's detailed documentation for Authorization Management.
AWS AppSync
AppSync provides several methods for protecting critical information.
- To learn more on implementing fine-grained access control, head over to https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html#fine-grained-access-control.
Configuration
Identifier:
access_control/private_data
Parameters
__user : A list of fieldName:[scalarValues] that the user should never be able to access. Set .* as fieldName to forbid the value in every field.
rules : (For REST) The list of private fields rules to check during a scan.
Examples
REST: Ensure user some-user cannot retrieve an admin user from the list of users at GET /users
{
  "auth": {
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": { # User to check
      ... REDACTED AUTH ...
    }
    ... Other users ...
  }
  ... Other configuration settings ...
  "checks": {
    ... Other checks ...
    "AccessControl_PrivateData": {
      "parameters": {
        "rules": [
          {
            "user": "some-user",
            "routes": [
              {
                "method": "GET",
                "path": "/users",
                "pattern": ".*admin: true.*"
              }
            ]
          }
        ]
      }
    }
    ... Other checks ...
  }
  ... Other configuration settings ...
}
REST: Ensure user some-user cannot access the field email with value @mycompany.com or the field role.group with value admin on route GET /users
{
  "auth": {
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": { # User to check
      ... REDACTED AUTH ...
    }
    ... Other users ...
  }
  ... Other configuration settings ...
  "checks": {
    ... Other checks ...
    "AccessControl_PrivateData": {
      "parameters": {
        "rules": [
          {
            "user": "some-user",
            "routes": [
              {
                "method": "GET",
                "path": "/users",
                "fields": ["email"],
                "pattern": "@mycompany.com"
              },
              {
                "method": "GET",
                "path": "/users",
                "fields": ["role.group"],
                "pattern": "admin"
              }
            ]
          }
        ]
      }
    }
    ... Other checks ...
  }
  ... Other configuration settings ...
}
REST: Ensure user some-user cannot access any field matching admin-* on route GET /admin
{
  "auth": {
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": { # User to check
      ... REDACTED AUTH ...
    }
    ... Other users ...
  }
  ... Other configuration settings ...
  "checks": {
    ... Other checks ...
    "AccessControl_PrivateData": {
      "parameters": {
        "rules": [
          {
            "user": "some-user",
            "routes": [
              {
                "method": "GET",
                "path": "/admin",
                "fields": ["admin-*"],
                "pattern": ".*"
              }
            ]
          }
        ]
      }
    }
    ... Other checks ...
  }
  ... Other configuration settings ...
}
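To make the rule semantics from the Parameters section and the three examples above concrete, here is an added Python evaluator (not Escape's own scanner code) that applies one route rule to a captured response body: a rule with "fields" is checked per scalar value, a rule without "fields" is matched as a regex against the raw body, ".*" as a field name selects every field, and a glob such as admin-* matches field names. The sample body, the dropping of array indices when building dotted paths, and the suffix-style matching of "role.group" are assumptions of this example.

```python
"""Evaluate a private-data route rule against a captured HTTP response body."""
import fnmatch
import json
import re
from typing import Any, Iterator

# Constructed sample: what GET /users might return to "some-user".
SAMPLE_BODY = json.dumps({
    "users": [
        {"id": 1, "email": "alice@example.org", "role": {"group": "viewer"}},
        {"id": 2, "email": "root@mycompany.com", "role": {"group": "admin"}, "admin": True},
    ]
})

def flatten(value: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, scalar) for every leaf of a JSON document.
    Array indices are dropped (assumption) so "role.group" matches in every list element."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for item in value:
            yield from flatten(item, prefix)
    else:
        yield prefix, value

def field_matches(spec: str, path: str) -> bool:
    """".*" selects every field; otherwise the spec is a glob (e.g. "admin-*")
    matched against the whole dotted path or against any path suffix."""
    if spec == ".*":
        return True
    return fnmatch.fnmatchcase(path, spec) or fnmatch.fnmatchcase(path, "*." + spec)

def find_private_data(body_text: str, route: dict) -> list[tuple[str, str]]:
    """Return (path, value) pairs exposed in body_text that violate one route rule."""
    regex = re.compile(route["pattern"])
    if "fields" not in route:  # first example on the page: regex over the raw body
        match = regex.search(body_text)
        return [("<body>", match.group(0))] if match else []
    findings = []
    for path, scalar in flatten(json.loads(body_text)):
        if any(field_matches(f, path) for f in route["fields"]) and regex.search(str(scalar)):
            findings.append((path, str(scalar)))
    return findings

if __name__ == "__main__":
    rule = {"method": "GET", "path": "/users", "fields": ["email"], "pattern": "@mycompany.com"}
    for path, value in find_private_data(SAMPLE_BODY, rule):
        print(f"private data exposed to some-user at {path}: {value}")
```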
Ignore this check
{
  "checks": {
    "access_control/private_data": {
      "skip": true
    }
  }
}
Score
- Escape Severity: HIGH
- OWASP: API3:2023
- PCI DSS: 6.5.8
- CWE
- 200
- 201
- 284
- 668
- 1198
- 1212
- 1220
- WASC: WASC-22
CVSS
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 5.1