dolevf/Black-Hat-GraphQL

Recon: cURL and Altair discrepancy?

Closed this issue · 4 comments

Hello Graphers!

I'm performing recon on a public BBP target that uses GraphQL technology. I prefer not to disclose the company name publicly here on GitHub at this stage; perhaps in the future. So I will use a random example in its place instead. This public BBP target requires three headers to work with cURL.

# cURL random example

$ curl -X POST https://api.DOMAIN.com:666 \
-d '{"query":"{__typename}"}' \
-H "Origin: https://www.DOMAIN.com" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ey--SNIP--"

# Response
{"data":{"__typename":"Query"}}

Everything looks normal when compared to how the DVGA app responds to this cURL command (without headers). But when I try to perform the same GraphQL query in Altair with the same headers, I'm not authorized to run the query.

Is this normal behavior on hardened production servers?

I even tried inserting all the headers I could find in the Burp Proxy tool, but I still get the same 401 Unauthorized response.

# Altair

query {
  __typename
}

# Response: 401 Unauthorized
{
  "data": null,
  "errors": [
    {
      "code": "not_authorized",
      "message": "Authorization Required"
    }
  ]
}

dolevf commented

Random thought: have you tried changing the user agent in Altair to something generic as well?

@dolevf Good call; of the twenty-something headers, it was the only one I didn't include in cURL or Altair. I poked around with it but didn't see any major differences.

Looking at Altair's response headers, I suspect I have to do some CORS / Content-Length (CL) number manipulation in order for Altair to accept the request that worked in cURL.

# Burp cURL link: 2023 Sep 17

curl -i -s -k -X $'POST' \
--SNIP--
-H $'Content-Length: 397' \
--SNIP--
-H $'Sec-Fetch-Site: same-site' \
-H $'Sec-Fetch-Mode: cors' \
-H $'Sec-Fetch-Dest: empty' \
--SNIP--

I will have to discuss and experiment with this with my hacking colleague for a few weeks to see if we can make it work.

If all else fails, I'll just DM the BBP company's GraphQL URL to you to see if you can manage to make the recon query work in Altair.
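The situation described in the opening post (three headers work in cURL, the same query gets a 401 elsewhere) and in the follow-up (a Burp "copy as curl" export carrying a hard-coded Content-Length and Sec-Fetch-* headers) is usually untangled by two checks: make sure a hand-copied Content-Length actually equals the byte length of the body being sent (cURL and Altair compute it themselves, so a value copied from a Burp export only matches when the body is byte-for-byte the same), and then bisect the header set to find which headers the server really requires. The script below is an added example and is not code from this issue or from the Black-Hat-GraphQL repository. The target is replaced by `fake_api`, a constructed, hypothetical policy that accepts exactly the three headers named in the issue and rejects a Content-Length that disagrees with the body; the `BURP_HEADERS` set and the `DOMAIN.com` values are likewise constructed to mirror the thread, not captured from any real target.

```python
"""Constructed example: fix a copied Content-Length, then bisect a header set
down to the headers a GraphQL endpoint actually requires."""
import json
from typing import Callable, Dict, List, Tuple

Headers = Dict[str, str]

# Same minimal recon body as the issue's cURL command: {"query":"{__typename}"} (24 bytes)
QUERY_BODY = json.dumps({"query": "{__typename}"}, separators=(",", ":"))


def build_request(headers: Headers, body: str) -> Headers:
    """Return a copy of `headers` whose Content-Length is derived from the body actually sent.

    A Content-Length copied from a Burp export belongs to the body Burp saw, not to
    the (usually different) body being replayed; recompute it rather than trusting it.
    """
    out = {k: v for k, v in headers.items() if k.lower() != "content-length"}
    out["Content-Length"] = str(len(body.encode("utf-8")))
    return out


def find_minimal_headers(probe: Callable[[Headers], int], headers: Headers, ok: int = 200) -> Headers:
    """Greedy one-at-a-time reduction: drop each header and keep it only if dropping it
    changes the status away from `ok`. `probe` sends a request with the given headers
    and returns the HTTP status code. Assumes header requirements are independent."""
    if probe(headers) != ok:
        raise ValueError("baseline request is not accepted; nothing to reduce")
    kept = dict(headers)
    for name in list(headers):
        trial = {k: v for k, v in kept.items() if k != name}
        if probe(trial) == ok:
            kept = trial  # the server did not need this header
    return kept


# --- Hypothetical stand-in for the target; its policy is constructed for this example ---
REQUIRED_EXACT = {
    "Origin": "https://www.DOMAIN.com",
    "Content-Type": "application/json",
}


def fake_api(headers: Headers, body: str = QUERY_BODY) -> int:
    """Constructed policy: the three headers from the issue are required; a Content-Length
    that does not match the body is rejected (hypothetical 400), everything else is ignored."""
    h = {k.lower(): v for k, v in headers.items()}
    for name, value in REQUIRED_EXACT.items():
        if h.get(name.lower()) != value:
            return 401
    if not h.get("authorization", "").startswith("Bearer "):
        return 401
    cl = h.get("content-length")
    if cl is not None and cl != str(len(body.encode("utf-8"))):
        return 400
    return 200


# Constructed header set modelled on a Burp "copy as curl" export (values are placeholders)
BURP_HEADERS: Headers = {
    "Origin": "https://www.DOMAIN.com",
    "Content-Type": "application/json",
    "Authorization": "Bearer ey--SNIP--",
    "User-Agent": "Mozilla/5.0",
    "Accept": "*/*",
    "Sec-Fetch-Site": "same-site",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Content-Length": "397",  # copied verbatim; belongs to a different body
}


def diagnose(headers: Headers = BURP_HEADERS, body: str = QUERY_BODY) -> Tuple[int, int, List[str]]:
    """Replay as copied, replay with a recomputed Content-Length, then bisect.
    Returns (status as copied, status after fix, sorted names of required headers)."""
    as_copied = fake_api(headers, body)
    fixed = build_request(headers, body)
    minimal = find_minimal_headers(lambda h: fake_api(h, body), fixed)
    return as_copied, fake_api(fixed, body), sorted(minimal)


if __name__ == "__main__":
    print(diagnose())
```

Against a real endpoint, replace `fake_api` with a probe that performs the POST (for example with `urllib.request` and `urllib.error.HTTPError` to read the status) and returns the numeric status; everything else stays the same. The greedy pass costs one request per header, so it is cheap enough to run against a bug-bounty target, and the surviving set tells you directly which headers a GraphQL client such as Altair must send.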

dolevf commented

Sure.

dolevf commented

Feel free to reopen this when relevant