FarSight

Category: Web

Difficulty: Easy - Medium

Author: todo#7331

Flavour

I've recently learned about graphql so I used it to build a site that lets you host markdown pages. We're still developing the application and have a few upcoming beta features!

The scope of this challenge is limited to the challenge domain only. There are autogenerated links and images to domains external to ductf. These links and images are only present to add flavour to the challenge and are NOT within scope. Do not exploit any sites outside of the ductf domain.

Description

This is largely a discovery-related challenge with an access control bypass to get the flag. Players are first expected to use graphql introspection to reveal some beta queries, fields and mutations. These beta features then have a vulnerability which allows players to bypass access controls (which are only set on the root queries and not on the nodes) in order to access all info.
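The discovery step above can be turned around into a defensive schema audit: given an introspection result, list every field flagged as beta and every edge (on any type, not just Query) that returns a sensitive object type, since each such edge is a path a node-level authorization check has to cover. The following is an added example, not code from the challenge repository. The introspection JSON is a constructed, trimmed sample that reuses the names the writeup mentions (importPage, ownerSite, Site config); the real FarSight schema is not reproduced, and placing ownerSite on Page is a modelling assumption.

```python
"""Audit a GraphQL introspection result for beta-flagged fields and for every
edge that returns a sensitive object type.

Added example, not part of the challenge repo. SAMPLE_INTROSPECTION is a
constructed, trimmed `__schema { types { name kind fields { name description
type } } }` response; the real FarSight schema is assumed, not reproduced.
"""
import json

SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {"types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "site", "description": "A site you own.",
         "type": {"kind": "NON_NULL", "name": None,
                  "ofType": {"kind": "OBJECT", "name": "Site", "ofType": None}}},
        {"name": "page", "description": None,
         "type": {"kind": "OBJECT", "name": "Page", "ofType": None}},
    ]},
    {"name": "Mutation", "kind": "OBJECT", "fields": [
        {"name": "createPage", "description": None,
         "type": {"kind": "OBJECT", "name": "Page", "ofType": None}},
        {"name": "importPage", "description": "Beta: import an existing page into your site.",
         "type": {"kind": "OBJECT", "name": "Page", "ofType": None}},
    ]},
    {"name": "Site", "kind": "OBJECT", "fields": [
        {"name": "config", "description": "Site configuration. Please do not store secrets here.",
         "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        {"name": "pages", "description": None,
         "type": {"kind": "LIST", "name": None,
                  "ofType": {"kind": "OBJECT", "name": "Page", "ofType": None}}},
    ]},
    {"name": "Page", "kind": "OBJECT", "fields": [
        {"name": "body", "description": "Markdown body.",
         "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        # Assumption: the beta edge hangs off Page in this model.
        {"name": "ownerSite", "description": "(beta) The site this page was published from.",
         "type": {"kind": "OBJECT", "name": "Site", "ofType": None}},
    ]},
    {"name": "String", "kind": "SCALAR", "fields": None},
]}}})


def _named_type(t):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while t and t.get("name") is None:
        t = t.get("ofType")
    return t["name"] if t else None


def _object_fields(introspection):
    """Yield (typeName, fieldDict) for every field of every OBJECT type."""
    types = json.loads(introspection)["data"]["__schema"]["types"]
    for typ in types:
        if typ.get("kind") != "OBJECT" or not typ.get("fields"):
            continue
        for f in typ["fields"]:
            yield typ["name"], f


def flagged_fields(introspection, marker="beta"):
    """Fields whose description carries the marker (case-insensitive)."""
    return sorted((t, f["name"]) for t, f in _object_fields(introspection)
                  if marker in (f.get("description") or "").lower())


def edges_into(introspection, target):
    """Every (parentType, field) that returns `target`. Each one is a path
    into the node that an authorization check must cover."""
    return sorted((t, f["name"]) for t, f in _object_fields(introspection)
                  if _named_type(f["type"]) == target)


def non_root_edges_into(introspection, target, roots=("Query", "Mutation", "Subscription")):
    """Edges into `target` that do not start at a root resolver, i.e. the ones a
    root-only check (as in this challenge) leaves uncovered."""
    return [(t, f) for t, f in edges_into(introspection, target) if t not in roots]


if __name__ == "__main__":
    print("beta-flagged:", flagged_fields(SAMPLE_INTROSPECTION))
    print("edges into Site:", edges_into(SAMPLE_INTROSPECTION, "Site"))
    print("non-root edges into Site:", non_root_edges_into(SAMPLE_INTROSPECTION, "Site"))
```

On the sample schema the last line reports Page.ownerSite as the only non-root edge into Site, which is exactly the edge the writeup exploits; the same walk over a real introspection dump gives a reviewer the list of places where per-node checks are needed. If introspection is disabled in production, the same functions run against the schema SDL's introspection output generated offline.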

Writeup

A solve script can be found in ./solve

  1. The player notices that graphql is being used.
  2. The player either manually sends an introspection query to the graphql endpoint, or uses a tool such as Insomnia to perform the discovery.
  3. The player notices the presence of the importPage mutation and the ownerSite field on Site, both of which are marked as beta.
  4. The player notices the "please do not store secrets" message in the description of site config.
  5. It is therefore reasonable that we should snoop on other players' site descriptions.
  6. The player discovers that they can import anyone's page into their site. They import the first few pages (I think just one is enough).
  7. The player then bypasses auth checks, which are only enforced on the root query resolver, by using the ownerSite field on an imported site to access a site they do not own.
  8. The player finds the flag in the config of the site belonging to admin.
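The root cause in steps 7 and 8 is that ownership is checked only in the root query resolver, so any other edge that reaches a Site node (here the beta ownerSite field on imported content) skips it. The following added example, which is not the challenge's own code, models that resolver tree in plain Python without a GraphQL library and shows the fix: move the ownership check onto the Site node's sensitive field so every path into it is covered. The data, user names, the placeholder flag value, and placing ownerSite on the imported page are assumptions of the model.

```python
"""Root-only versus node-level authorization in a GraphQL-style resolver tree.

Added example, not the challenge's own code. It models the FarSight bug in
plain Python with no GraphQL library: the root `site` query checks ownership,
but the beta `ownerSite` edge reaches a Site node without that check. The
fix moves the check onto the Site node's sensitive field so every path into
it is covered. Data, user names, the placeholder flag and the placement of
ownerSite on an imported page are assumptions for the model.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the viewer does not own the site being read."""


@dataclass
class Site:
    id: int
    owner: str
    config: str                 # the writeup's "please do not store secrets" field
    page_ids: list = field(default_factory=list)


@dataclass
class Page:
    id: int
    origin_site_id: int         # the site that originally published this page


# Constructed sample data; the flag value is a placeholder, not the real one.
SITES = {
    1: Site(1, "admin", "flag{PLACEHOLDER}", [1]),
    2: Site(2, "player", "theme=dark"),
}
PAGES = {1: Page(1, origin_site_id=1)}
_NEXT_PAGE_ID = [2]


def _authorize_site(viewer: str, site: Site) -> Site:
    """The single ownership check. The fix is to apply it at the node, not only at the root."""
    if site.owner != viewer:
        raise Forbidden(f"{viewer} does not own site {site.id}")
    return site


def query_site(viewer: str, site_id: int) -> Site:
    """Root query resolver: this is the only place the challenge enforces access control."""
    return _authorize_site(viewer, SITES[site_id])


def mutation_import_page(viewer: str, page_id: int) -> Page:
    """Beta mutation: copies a reference to any existing page into the viewer's site.
    It keeps the origin link and never asks whether the viewer may read the origin site."""
    src = PAGES[page_id]
    copy = Page(_NEXT_PAGE_ID[0], origin_site_id=src.origin_site_id)
    _NEXT_PAGE_ID[0] += 1
    PAGES[copy.id] = copy
    viewer_site = next(s for s in SITES.values() if s.owner == viewer)
    viewer_site.page_ids.append(copy.id)
    return copy


def resolve_owner_site(viewer: str, page: Page) -> Site:
    """Beta edge: returns the origin Site node. No check here, so the node must defend itself."""
    return SITES[page.origin_site_id]


def resolve_config_vulnerable(viewer: str, site: Site) -> str:
    """As shipped: trusts that the root resolver already authorized the parent node."""
    return site.config


def resolve_config_fixed(viewer: str, site: Site) -> str:
    """Fixed: the sensitive field authorizes its own parent, whatever path reached it."""
    return _authorize_site(viewer, site).config


def config_via_imported_page(viewer: str, config_resolver) -> str:
    """Regression check for the writeup's path: import page 1, follow ownerSite, read config."""
    imported = mutation_import_page(viewer, page_id=1)
    origin = resolve_owner_site(viewer, imported)
    return config_resolver(viewer, origin)


def is_forbidden(fn, *args) -> bool:
    """True when the call is rejected by the ownership check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", config_via_imported_page("player", resolve_config_vulnerable))
    print("fixed rejects:", is_forbidden(config_via_imported_page, "player", resolve_config_fixed))
```

The check lives in a single helper so that adding it to the node is a one-line change per sensitive field, and it is per node rather than per edge: guarding the ownerSite edge alone would close this path but leave the next beta edge into Site open. A regression test that asserts the imported-page path is rejected for a non-owner is the cheapest way to keep it closed as the schema grows.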

Guessing

Since this is a discovery challenge there are some bits that may be a bit "guessy".

  1. Players have to guess that auth is only enforced on the root resolver. I think this is fine, as it's something users should test anyway.
  2. Players have to guess to look at the first few pages (i.e. those with low ids). This may be a bit more problematic, but looking at the first few pages seems natural.

Running

docker-compose up --build

This challenge can be shared between teams.

  • Players should only have access to create pages, page refs and accounts.
  • Teams could possibly create pages with explicit content and then have other teams import those pages.
  • Teams could login as each other if they use weak passwords.