Private data

Description

According to the rules provided in the configuration file, private data can be accessed by unauthorized users.

Remediation

The best way to ensure that private data can only be accessed by authorized users is to implement a proper access control system. To do so, access control must be applied to every object and every link in the GraphQL schema, not only to the root queries: a field that is reachable through a relation must be protected by the same rule as the field queried directly.

GraphQL Specific

Apollo

See Apollo's Access Control documentation. For large-scale applications, you'll want to use a dedicated package such as GraphQL Shield for quick and easy Access Control management.
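The remediation above asks for a rule on every object and every link, not just on the root query. The following added example (written for this page, not code from Apollo's documentation, GraphQL Shield or Escape) shows that pattern with resolvers in the Apollo / graphql-js signature `(parent, args, context, info)`. It runs without any GraphQL library: a tiny executor walks a selection set so the behaviour can be checked offline. The `USERS` store, the `viewer` property on the context and the role names are constructed assumptions.

```javascript
// Added example, not from Apollo, GraphQL Shield or Escape. Field-level access control
// applied to every resolver of a small User schema. Resolvers keep the Apollo / graphql-js
// signature (parent, args, context, info) but are invoked by a minimal executor below so
// that the example runs offline. All data and role names are constructed.

class ForbiddenError extends Error {}

// Constructed sample store.
const USERS = [
  { id: '1', name: 'alice', email: 'alice@mycompany.com', role: { group: 'admin' }, admin: true },
  { id: '2', name: 'bob',   email: 'bob@mycompany.com',   role: { group: 'staff' }, admin: false },
];

// Wrap a resolver with an authorization rule. `allowed` is one of:
//   'any'   any authenticated caller
//   'self'  the record's owner (or an admin)
//   'admin' members of the admin group only
// `context.viewer` is assumed to be set by the server from the request credentials.
function requireRole(allowed, resolver) {
  return (parent, args, context, info) => {
    const viewer = context.viewer;
    if (!viewer) throw new ForbiddenError(`unauthenticated access to ${info.fieldName}`);
    const isAdmin = viewer.role.group === 'admin';
    if (allowed === 'admin' && !isAdmin) {
      throw new ForbiddenError(`${viewer.name} may not read ${info.fieldName}`);
    }
    if (allowed === 'self' && !isAdmin && parent && parent.id !== viewer.id) {
      throw new ForbiddenError(`${viewer.name} may not read ${info.fieldName} of another user`);
    }
    return resolver(parent, args, context, info);
  };
}

// Every field and every link carries a rule: the `users` link filters admins out for
// non-admin callers, and the leaf fields are guarded independently of how they were reached.
const resolvers = {
  Query: {
    users: requireRole('any', (_p, _a, ctx) =>
      ctx.viewer.role.group === 'admin' ? USERS : USERS.filter((u) => !u.admin)),
    me: requireRole('any', (_p, _a, ctx) => ctx.viewer),
  },
  User: {
    id:    requireRole('any',   (u) => u.id),
    name:  requireRole('any',   (u) => u.name),
    email: requireRole('self',  (u) => u.email),
    role:  requireRole('admin', (u) => u.role),
  },
};

// Minimal executor: resolve the listed fields of one object, turning a ForbiddenError into
// a null value plus an error entry, as a GraphQL server would.
function resolveObject(typeName, parent, selection, context) {
  const out = {};
  for (const field of selection) {
    const info = { fieldName: field, parentType: typeName };
    try {
      out[field] = resolvers[typeName][field](parent, {}, context, info);
    } catch (e) {
      if (!(e instanceof ForbiddenError)) throw e;
      context.errors.push(e.message);
      out[field] = null;
    }
  }
  return out;
}

// Run a root field for a viewer and resolve `userSelection` on each returned User.
function runQuery(viewer, rootField, userSelection) {
  const context = { viewer, errors: [] };
  let root;
  try {
    root = resolvers.Query[rootField](null, {}, context, { fieldName: rootField, parentType: 'Query' });
  } catch (e) {
    if (!(e instanceof ForbiddenError)) throw e;
    context.errors.push(e.message);
    return { data: null, errors: context.errors };
  }
  const list = Array.isArray(root) ? root : [root];
  const data = list.map((u) => resolveObject('User', u, userSelection, context));
  return { data: Array.isArray(root) ? data : data[0], errors: context.errors };
}
```

Calling `runQuery(USERS[1], 'users', ['name', 'email', 'role'])` as the staff user returns only the non-admin record, with `email` visible (it is his own) and `role` nulled with one error; the admin sees both records with roles, and an unauthenticated call fails at the `users` link before any User field is resolved.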

Hasura
AWS AppSync

AppSync provides several methods for protecting critical information.

Configuration

Identifier: access_control/private_data

Parameters

__user : A list of fieldName:[scalarValues] the user should never be able to access. Set .* as fieldName to forbid the value wherever it appears in a response.

rules : (For REST) The list of private-field rules to check during a scan.

Examples

REST: Ensure user some-user cannot retrieve an admin user from the list of users at GET /users

{
  "auth": {
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": {                         # User to check
      ... REDACTED AUTH ...
    },
    ... Other users ...
  },
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "AccessControl_PrivateData": {
      "parameters": {
        "rules": [
          {
            "user": "some-user",
            "routes": [
              {
                "method": "GET",
                "path": "/users",
                "pattern": ".*admin: true.*"
              }
            ]
          }
        ]
      }
    },

    ... Other checks ...
  },

  ... Other configuration settings ...
}

REST: Ensure user some-user cannot access the field email with a value matching @mycompany.com, nor the field role.group with the value admin, on route GET /users

{
  "auth": {
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": {                         # User to check
      ... REDACTED AUTH ...
    },
    ... Other users ...
  },
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "AccessControl_PrivateData": {
      "parameters": {
        "rules": [
          {
            "user": "some-user",
            "routes": [
              {
                "method": "GET",
                "path": "/users",
                "fields": ["email"],
                "pattern": "@mycompany.com"
              },
              {
                "method": "GET",
                "path": "/users",
                "fields": ["role.group"],
                "pattern": "admin"
              }
            ]
          }
        ]
      }
    },

    ... Other checks ...
  },

  ... Other configuration settings ...
}

REST: Ensure user some-user cannot access any field matching admin-* on route GET /admin

{
  "auth": {
    ... REDACTED AUTH ...
  },
  "users": {
    ... Other users ...
    "some-user": {                         # User to check
      ... REDACTED AUTH ...
    },
    ... Other users ...
  },
  ... Other configuration settings ...

  "checks": {

    ... Other checks ...

    "AccessControl_PrivateData": {
      "parameters": {
        "rules": [
          {
            "user": "some-user",
            "routes": [
              {
                "method": "GET",
                "path": "/admin",
                "fields": ["admin-*"],
                "pattern": ".*"
              }
            ]
          }
        ]
      }
    },

    ... Other checks ...
  },

  ... Other configuration settings ...
}

Ignore this check

{
  "checks": {
    "access_control/private_data": {
      "skip": true
    }
  }
}

Score

  • Escape Severity: HIGH
  • OWASP: API3:2023
  • PCI DSS: 6.5.8
  • CWE: 200, 201, 284, 668, 1198, 1212, 1220
  • WASC: WASC-22

CVSS

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 5.1

References