Q: I’ve been using ZAP to scan a Lacinia API for vulnerabilities. One that turned up is which can be triggered by passing <script>alert(1);</script> in a query enum variable value.


This doesn’t reach my resolvers because it doesn’t match the schema, so the Lacinia parse rejects it but returns the value back to the client.


While it’s low risk for a GraphQL response, I’d prefer to suppress this reflection.


I can think of one way: an interceptor that detects/removes the <script> tag.


Has anyone else dealt with or fixed this in some idiomatic way?


Hmm, an interceptor doesn’t see the :extensions data in the response. Does anyone know how I can access/transform the :extensions / :errors data in a response?


Scratch that, an interceptor can see the :errors in the JSON response body. I’d prefer to do this transformation earlier, i.e. before it’s converted to JSON. Looking into that next.

Lennart Buit 10:03:26

Just out of interest, how would this attack work?


@UDF11HLKC I don’t know and, because I control the client, it’s very unlikely. That said: 1/ I don’t assume I know all the hacker tricks; 2/ this is for a security audit, so I want a clean scan to make that go smoothly.


I was able to inject an interceptor :after the json-body interceptor and redact these script tags, so that’s one down.