Clearance
CliniCore's patient timeline exposes a GraphQL variable that was meant for internal use only. One query tweak reveals notes that receptionist accounts should never see.
Room Description

https://dashboard.webverselabs-pro.com/challenges/clearance
Scenario
CliniCore shipped a GraphQL API to power their new timeline feature. A viewerRole variable was added during development to allow the admin panel to preview how different roles see patient data. It was never removed from the production schema. A receptionist account with routine access to the system is all you need.
Objective
CliniCore's patient timeline exposes a GraphQL variable that was meant for internal use only. One query tweak reveals notes that receptionist accounts should never see.
Initial Analysis
Alrighty, so we have something like a patient control portal. For now this is just a product page, but it does offer a link to the staff portal login.

Keep in mind from here that there is a specialist note that says "Doctor clearance required".

Scrolling down the homepage we also see that the roles receptionist, nurse and physician are mentioned.

We now know which values we may be able to use as variables when we query things in the staff portal.
Finding the bug
Let's go ahead and access the staff portal. First we need to create an account, which apparently defaults to the receptionist role.


We also see a request towards /graphql in our history.

From the call towards /api/me, we also see our profile details.

When we open a specific patient we make the following query:

{"query":"query GT($patientId: ID!, $viewerRole: String!) { patientTimeline(patientId: $patientId, viewerRole: $viewerRole) { patient { id name dob department } entries { id date type note restricted } }}","variables":{"patientId":"3","viewerRole":"receptionist"}}
Exploitation
Can we just change viewerRole to admin or something more to be able to access the restricted entry?
Well, admin doesn't work, but doctor sure does. Based on the landing page's mention that doctor clearance is required, we can infer that it might be a valid role.
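The root cause is a resolver that takes its authorization decision from a client-supplied argument. The following is an added example, not code from the challenge or from CliniCore: a minimal patientTimeline resolver in that vulnerable shape, beside a hardened version that derives the role from the authenticated session instead and records any mismatch for detection. The sample data, the "physician" clearance, the audit sink and the context shape are assumptions.

```javascript
// Added example (constructed data, not CliniCore's code): vulnerable vs hardened
// patientTimeline resolver in the usual (parent, args, context) GraphQL shape.
const PATIENTS = {
  '3': { id: '3', name: 'Sample Patient', dob: '1970-01-01', department: 'Cardiology' },
};
const ENTRIES = {
  '3': [
    { id: 'e1', date: '2024-01-05', type: 'visit', note: 'Routine check-in', restricted: false },
    { id: 'e2', date: '2024-01-06', type: 'specialist', note: 'Specialist note', restricted: true },
  ],
};
// Roles cleared to read restricted entries (assumption; the write-up only shows "doctor" working).
const CLEARED_ROLES = new Set(['doctor', 'physician']);
// Constructed audit sink: a session role that differs from the requested viewerRole
// is exactly the signal a detection rule for this bug should alert on.
const AUDIT_LOG = [];

function buildTimeline(patientId, effectiveRole) {
  const patient = PATIENTS[patientId];
  if (!patient) return null;
  const all = ENTRIES[patientId] || [];
  // Non-cleared roles never receive restricted entries at all (assumption: drop, not redact).
  const entries = CLEARED_ROLES.has(effectiveRole) ? all : all.filter((e) => !e.restricted);
  return { patient, entries };
}

// Vulnerable: the authorization decision is driven by args.viewerRole, which any
// authenticated client controls, so a receptionist can simply send "doctor".
function patientTimelineVulnerable(parent, args, context) {
  return buildTimeline(args.patientId, args.viewerRole);
}

// Hardened: the effective role is the one bound to the authenticated session in
// context (assumed shape: context.user = { id, role }); a leftover viewerRole
// argument is ignored for authorization and logged when it disagrees with the session.
function patientTimelineHardened(parent, args, context) {
  const user = context && context.user;
  if (!user || !user.role) throw new Error('unauthenticated');
  if (args.viewerRole !== undefined && args.viewerRole !== user.role) {
    AUDIT_LOG.push({
      userId: user.id, sessionRole: user.role,
      requestedRole: args.viewerRole, patientId: args.patientId,
    });
  }
  return buildTimeline(args.patientId, user.role);
}
```

Removing viewerRole from the production schema altogether is the cleaner fix; the audit hook covers the window until that deploys.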

Introspection is also enabled, which exposes a lot of detail about the GraphQL schema, but it isn't necessary to solve the challenge, since the possible role values can't be learned from it.
To get the introspection results though, we go to our request, right click, GraphQL -> Set Introspection Query:
