Accessing private GraphQL posts
APPRENTICE
Last updated
The blog page for this lab contains a hidden blog post that has a secret password. To solve the lab, find the hidden blog post and enter the password. In this task, I will be using Burp Suite and the InQL tool on the CLI.
First, open the lab and set up your proxy to intercept requests to the target.
Once the academy site is live, you can immediately view/intercept the first request. It will look something like this:
There are a few interesting things to point out: the first is the /graphql/v1 URL and the second is the id values in the response. If you view the entire response you can clearly see that "ID":3 is missing. This is a strong indication that the hidden blog post has id 3.
To attempt to access this post, grab the full URL https://<burp-id>.web-security-academy.net/graphql/v1 and paste it into the InQL Scanner.
The InQL Scanner should be downloaded from the Burp Suite BApp Store. You will also need to download Jython.
Once you have your /graphql/v1 URL, paste it into the InQL Scanner like so:
The extension will take a second or two to load the information, but once it has loaded correctly you will see something like this:
Here the parameter postPassword makes an appearance, which it had not done in the responses for the other post ids.
After intercepting any blog post request from the main blog page, you can clearly see where the id parameter and the requested fields can be edited.
Changing the id parameter to 3 and replacing any other query field with postPassword allows you to view and submit the flag for this challenge.
For this method you will need to install the InQL tool with pip install inql.
Once the tool is installed, you can run it with python3 from the InQL tool's directory against the target URL. Note that you should create an output directory with the -o flag.
Next, navigate to the created directory; within the 'query' directory you will find the results, including the hidden field, in the JSON formatted file.
Using this information, you can modify the request in the Firefox browser to retrieve the flag.
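Both methods above work because the server's getBlogPost resolver performs no authorization on the id or on the fields selected. As an added example that is not part of the lab or this writeup, here is a constructed resolver with that behaviour next to a hardened version; the post data, the AuthzError type and the viewer dict are assumptions, and the password value is a placeholder, not the lab's real one.

```python
"""Constructed example: a lab-style getBlogPost resolver that returns any
field for any id, beside a hardened version that checks the object
(private posts) and the selection set (sensitive fields) per viewer."""
from typing import Optional

# Constructed sample data. Post 3 stands in for the hidden post; the
# password is a made-up placeholder, not the lab's real value.
POSTS = {
    1: {"id": 1, "title": "Public post A", "isPrivate": False, "postPassword": None},
    2: {"id": 2, "title": "Public post B", "isPrivate": False, "postPassword": None},
    3: {"id": 3, "title": "Hidden post", "isPrivate": True, "postPassword": "PLACEHOLDER-SECRET"},
}
SENSITIVE_FIELDS = {"postPassword"}


class AuthzError(Exception):
    """Raised when a viewer selects a field they are not allowed to read."""


def resolve_vulnerable(post_id: int, fields: list) -> Optional[dict]:
    """Lab-style behaviour: any id, any field, no viewer check at all."""
    post = POSTS.get(post_id)
    if post is None:
        return None
    return {f: post.get(f) for f in fields}


def resolve_hardened(post_id: int, fields: list, viewer: dict) -> Optional[dict]:
    """Object-level authz first, then field-level authz on the selection set."""
    is_admin = bool(viewer.get("is_admin"))
    post = POSTS.get(post_id)
    # A missing post and a private post the viewer may not see look identical,
    # so the gap in the id sequence no longer confirms a hidden post exists.
    if post is None or (post["isPrivate"] and not is_admin):
        return None
    blocked = SENSITIVE_FIELDS & set(fields)
    if blocked and not is_admin:
        # Fail the whole query instead of silently nulling the field, so the
        # attempt shows up in application logs as an authorization failure.
        raise AuthzError(f"field(s) {sorted(blocked)} require admin")
    return {f: post.get(f) for f in fields}


if __name__ == "__main__":
    print(resolve_vulnerable(3, ["id", "postPassword"]))              # leaks the password
    print(resolve_hardened(3, ["id", "title"], {"is_admin": False}))  # None
    print(resolve_hardened(3, ["id", "postPassword"], {"is_admin": True}))
```

The hardened resolver answers id 3 the same way for an anonymous viewer as it does for an id that does not exist, which is what removes the enumeration signal the writeup relies on.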