Top GraphQL reports from HackerOne:

  1. Confidential data of users and limited metadata of programs and reports accessible via GraphQL to HackerOne - 996 upvotes, $0
  2. Email address of any user can be queried on Report Invitation GraphQL type when username is known to HackerOne - 632 upvotes, $0
  3. Private list members disclosure via GraphQL to X (Formerly Twitter) - 327 upvotes, $0
  4. SSRF in graphQL query ( to EXNESS - 223 upvotes, $3000
  5. Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api to GitHub - 185 upvotes, $20000
  6. Disclosure of payment_transactions for programs via GraphQL query to HackerOne - 171 upvotes, $0
  7. GraphQL AdminGenerateSessionPayload is leaked to staff with no permission to Shopify - 168 upvotes, $0
  8. SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter to HackerOne - 150 upvotes, $0
  9. Team object in GraphQL disclosed private_comment to HackerOne - 141 upvotes, $2500
  10. Undocumented fileCopy GraphQL API to Shopify - 140 upvotes, $2000
  11. Unauthorized user can obtain report_sources attribute through Team GraphQL object to HackerOne - 137 upvotes, $2500
  12. Bug in GraphQL and API integration leads to limited user address disclosure to Starbucks - 136 upvotes, $0
  13. Private program disclosure via vpn_suspended GraphQL query to HackerOne - 131 upvotes, $2500
  14. IDOR on GraphQL queries BillingDocumentDownload and BillDetails to Shopify - 107 upvotes, $5000
  15. GraphQL field on Team node can be used to determine if External Program runs invite-only program to HackerOne - 99 upvotes, $0
  16. Team object in GraphQL disclosed total number of whitelisted hackers to HackerOne - 86 upvotes, $2500
  17. Private information exposed through GraphQL filters to HackerOne - 76 upvotes, $0
  18. Team object in GraphQL discloses team group names and permissions to HackerOne - 70 upvotes, $2500
  19. Cross-Tenant IDOR ( graphql AddRulesToPixelEvents query ) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 70 upvotes, $0
  20. Team object in GraphQL disclosed of private programs via the industry to HackerOne - 68 upvotes, $500
  21. Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering to HackerOne - 64 upvotes, $0
  22. Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance. to Shopify - 60 upvotes, $0
  23. GraphQL query "namespace" leaks data to GitLab - 58 upvotes, $0
  24. TeamProfile exposes partially sensitive information through GraphQL to HackerOne - 57 upvotes, $0
  25. Image queue default key of 'None' and GraphQL unhandled type exception to Reddit - 56 upvotes, $500
  26. H1514 [] GraphQL discloses internal beer consumption to Shopify - 54 upvotes, $802
  27. Access to internal info via Graphql on to A.S. Watson Group - 49 upvotes, $0
  28. Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details to HackerOne - 47 upvotes, $0
  29. Graphql introspection is enabled and leaks details about the schema to On - 47 upvotes, $0
  30. [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege to Shopify - 45 upvotes, $0
  31. Access to information about any video and its owner via GraphQL endpoint [] to - 42 upvotes, $2500
  32. Revoking user session in does not revoke the GraphQL query session to HackerOne - 42 upvotes, $500
  33. RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention to GitHub - 41 upvotes, $4000
  34. GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend to HackerOne - 41 upvotes, $0
  35. Inadequate redaction exposes sensitive information via the "ShareReportViaEmail" GraphQL endpoint to HackerOne - 40 upvotes, $0
  36. Team object in GraphQL that have a published external program may expose existence of a private program to HackerOne - 38 upvotes, $0
  37. A deactivated user can access data through GraphQL to GitLab - 37 upvotes, $1370
  38. [h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones to Shopify - 32 upvotes, $1900
  39. HackerOne Pentesters can access any structured scope object through GraphQL node interface to HackerOne - 29 upvotes, $0
  40. Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation to HackerOne - 28 upvotes, $0
  41. Private information exposed through GraphQL search endpoints aggregates to HackerOne - 28 upvotes, $0
  42. Able to leak private email of any user given his/her username via graphql to GitLab - 27 upvotes, $0
  43. User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program to HackerOne - 24 upvotes, $0
  44. Disabled account can still use GraphQL endpoint to HackerOne - 22 upvotes, $0
  45. Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all to Shopify - 22 upvotes, $0
  46. Bypass GraphQL rate limit by abusing negative cost queries to Shopify - 20 upvotes, $0
  47. STAFF member with NO Explicit permissions can view ActivityFeed via GraphQL to Shopify - 20 upvotes, $0
  48. GRAPHQL cross-tenant IDOR giving write access thought the operation UpdateAtlasApplicationPerson to Stripe - 20 upvotes, $0
  49. Introspection query leaks sensitive graphql system information. to HackerOne - 18 upvotes, $0
  50. Private System Note Disclosure using GraphQL to GitLab - 17 upvotes, $1000
  51. Graphql: Sorting the reports by jira_status field resulted to different value to HackerOne - 17 upvotes, $0
  52. Changes to data in a CVE request after draft via GraphQL query to HackerOne - 14 upvotes, $0
  53. Insufficient Type Check on GraphQL leading to Maintainer delete repository to GitLab - 13 upvotes, $4000
  54. ReDoS at graphQL endpoint (AND probably a kind of command injection) to CS Money - 13 upvotes, $250
  55. GraphQL introspection query works through unauthenticated WebSocket to Nuri - 12 upvotes, $0
  56. GraphQL Query leads to sensitive information disclosure to GitLab - 12 upvotes, $0
  57. H1514 Get access to non public information by pivoting with graphql queries to Shopify - 11 upvotes, $1500
  58. Deleting someone else's profile image with a GraphQL query in programming education service ( to LY Corporation - 11 upvotes, $0
  59. GraphQL sessions aren't immediately invalidated when user password is changed to HackerOne - 9 upvotes, $0
  60. [h1-2102] Stored XSS in product description via productUpdate GraphQL query leads to XSS at[ID] to Shopify - 6 upvotes, $1600
  61. [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key to New Relic - 5 upvotes, $750
  62. Restricted user can update Apdex target for applications by leveraging the GraphQL mutation to New Relic - 4 upvotes, $0
  63. Getting API access key Through Introspection query Graphql to New Relic - 4 upvotes, $0
  64. Cross-account reading of Insights dashboards through GraphQL to New Relic - 3 upvotes, $0
  65. Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation to Shopify - 2 upvotes, $0