The value of the GET parameter query is returned unescaped in the main block of inline JavaScript. Without Content Security Policy (CSP), one is able to break out of the config variable and execute arbitrary JavaScript.
It appears that graphiql_workspace.html.eex renders the page with the query_string variable. This template is loaded by Absinthe.Plug.GraphiQL which attempts to escape the query parameter. It is trivial to bypass this escaping with a backslash.
Steps to Reproduce
- Browse
/api/v2_alpha/graphiql?query=xxx\%27});confirm(document.domain);%20var%20x=new%20graphiqlWorkspace.AppConfig(%22x%22,{//.
- Observe the JavaScript alert dialog with the value of
document.domain.
Credits
40826d uncovered this vulnerability and wrote the initial draft of this bug report
The value of the GET parameter query is returned unescaped in the main block of inline JavaScript. Without Content Security Policy (CSP), one is able to break out of the config variable and execute arbitrary JavaScript.
It appears that
graphiql_workspace.html.eexrenders the page with thequery_stringvariable. This template is loaded byAbsinthe.Plug.GraphiQLwhich attempts to escape the query parameter. It is trivial to bypass this escaping with a backslash.Steps to Reproduce
/api/v2_alpha/graphiql?query=xxx\%27});confirm(document.domain);%20var%20x=new%20graphiqlWorkspace.AppConfig(%22x%22,{//.document.domain.Credits
40826d uncovered this vulnerability and wrote the initial draft of this bug report