GraphQL monitoring to critical vulnerability
Monitoring GraphQL endpoint changes through Orion helped us identify a critical on a real environment within few hours.
Monitoring GraphQL endpoint changes through Orion helped us identify a critical on a real environment within few hours.
As security professionals, we understand that applications are constantly changing. New features and updates are a regular occurrence, particularly in larger enterprises. At Ophion, we currently monitor 50+ companies' assets and systems, enabling us to identify changes as they happen. While initially done to stress-test our product, this has resulted in some fun change detection and vulnerabilities. We're often aware of new updates and features before the security team and even before the organization itself. We saw a great example of that last week.
After reviewing all the findings by Orion, we noticed that a new GraphQL query was available for one of the monitored organization's products. This was interesting because the product itself was old. It was released before 2018, and the GraphQL endpoint had not received any new changes. When testing the query, it turns out it was unauthenticated and would take a user ID and return some sensitive PII of all users. This included things as sensitive as driver's license number, car make and model, phone number, address, and insurance details for the user.
This was fun because all it took was seeing the finding in Orion, testing it, and having a critical vulnerability to report in less than 20 minutes.