mayakoneval
commented
1 year ago Hello, thanks so much for surfacing this. I am in the process of investigating and hopefully disabling the ability to set the endpoint via query parameter. I will update when a change has been made.
Issue Description
apollo-server supports displaying remote Connection definitions through the ?endpoint parameter. This enables robust demonstration capabilities on sites like https://studio.apollographql.com/ .
However, this functionality may pose a risk for users who host their own apollo-server instances. In particular, including remote GraphQL definitions opens a vector for phishing attacks by abusing the trusted names/domains of self-hosted instances.
An example scenario abusing this functionality could take the following form:
https://example.com/api/graphql hosts a version of apollo-server with ?endpoint = query parameter enabled. Users will trust the domain https://example.com and the contents of the GraphQL definition. A malicious actor may craft a similar GraphQL definition and service that responds to the defined APIs at https://evil.com. Users mistakenly click a phishing URL like https://example.com/api-docs?endpoint =https://evil.com/fakeapi.yaml and enters sensitive data.
We do want to stress that this attack vector is limited to scenarios that actively trick users into divulging sensitive information. The ease of this is highly contextual and, therefore, the threat model may be different for individual users and organizations. It is not possible to perform non-interactive attacks (e.g., cross-site scripting or code injection) through this mechanism.
Link to Reproduction
N/A
Reproduction Steps
No response