# Accidental exposure of private GraphQL fields

### Task

The user management functions for this lab are powered by a [GraphQL](https://portswigger.net/web-security/graphql) endpoint. The lab contains an [access control](https://portswigger.net/web-security/access-control) vulnerability whereby you can induce the API to reveal user credential fields.

To solve the lab, sign in as the administrator and delete the username `carlos`.

#### Steps

First, with Burp Suite intercepting traffic, attempt to log in to an account in the lab.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FoYfpfajlSvw3lEUuNNoC%2Fimage.png?alt=media\&token=ee8153a8-314a-422b-a846-4d604e6ba1a6)

Next, the user should copy the lab URL and place it in the InQL Scanner. Within the InQL Scanner there will be a query named getUser.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FBEQQL8NCnlBnyBaJHZHb%2Fimage.png?alt=media\&token=10974903-4f1a-4c2d-bd33-f95b9528ad66)

The request used for the initial login should be sent to Repeater. Within the InQL tab, under 'Query', the user should replace the login mutation with the getUser query.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2F4aAMy49YIx8QZSf2jmjp%2Fimage.png?alt=media\&token=842ef950-e351-460e-b5f1-101d8b0622bc)

The user will need to switch to the 'Pretty' tab to change the ID and remove the operation name 'login'.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FgLSdumsZW3AwFwWtSaG8%2Fimage.png?alt=media\&token=89248b85-4dd7-432a-8636-04d1fe7e4a86)

It is important to note that the administrator's ID is usually 1 throughout the BSA labs, so the ID in the query needs to be changed to 1. The login operation name also needs to be removed from the JSON body, starting from the preceding comma, i.e. `, "operationName": "login"`.

Once complete, the user can log in with the administrator credentials revealed in the response and delete the account carlos.

![](https://850580359-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSqAgfe92W3tM8LBhIHHu%2Fuploads%2FQLY6F9d9GYyKPQdBEWy7%2Fimage.png?alt=media\&token=7509df97-9ce6-49d4-a3fe-e1dc1c6451fc)
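The lab's root cause is a resolver that exposes every column of the user record, credential fields included, to any caller who can name them in a selection set. The following is an added example (not the lab's, PortSwigger's, or InQL's code) that models that bug pattern beside a field-level-authorization fix. The user store, the `ADMIN_ID` constant, the field policy sets, and the `password` field name are assumptions made here; the page only says that `getUser` reveals "user credential fields" and that the administrator's ID is 1. The request parser handles the single-level `getUser` shape seen in Repeater, with the `id` given inline or via `variables`.

```python
import json
import re

# Constructed sample user store (assumption: not the lab's real data).
# The credential column holds placeholder strings, not real hashes.
ADMIN_ID = 1
USERS = {
    1: {"id": 1, "username": "administrator", "email": "admin@example.invalid", "password": "PLACEHOLDER-HASH-1"},
    2: {"id": 2, "username": "wiener", "email": "wiener@example.invalid", "password": "PLACEHOLDER-HASH-2"},
}

# Per-field exposure policy for the hardened resolver (assumption: names chosen here).
PUBLIC_FIELDS = {"id", "username"}
OWNER_OR_ADMIN_FIELDS = {"email"}
# Anything else on the record ("password") is never resolvable through the API.

INNER_SELECTION_RE = re.compile(r"\{([^{}]*)\}")
GETUSER_ARG_RE = re.compile(r"getUser\s*\(\s*id\s*:\s*(\$?\w+)\s*\)")


def parse_getuser_request(body):
    """Parse a JSON GraphQL request body of the shape Burp Repeater shows
    ({"query": ..., "variables": ..., "operationName": ...}) and return
    (target_user_id, selected_field_names) for a single-level getUser query."""
    req = json.loads(body)
    query = req["query"]
    variables = req.get("variables") or {}
    m = GETUSER_ARG_RE.search(query)
    if m is None:
        raise ValueError("not a getUser query")
    raw = m.group(1)
    target_id = int(variables[raw[1:]]) if raw.startswith("$") else int(raw)
    # The innermost brace pair is the selection set on the User object.
    inner = INNER_SELECTION_RE.findall(query)
    fields = inner[-1].split() if inner else []
    return target_id, fields


def resolve_user_vulnerable(requester_id, target_id, fields):
    """Bug pattern behind the lab: every column on the user record is a
    resolvable field, and the resolver never checks who is asking."""
    user = USERS.get(target_id)
    if user is None:
        return {"data": None, "errors": ["user not found"]}
    return {"data": {f: user[f] for f in fields if f in user}, "errors": []}


def resolve_user_hardened(requester_id, target_id, fields):
    """Field-level authorization: public fields for everyone, owner-or-admin
    fields gated on identity, and credential fields not exposed at all."""
    user = USERS.get(target_id)
    if user is None:
        return {"data": None, "errors": ["user not found"]}
    is_self = requester_id == target_id
    is_admin = requester_id == ADMIN_ID
    data, errors = {}, []
    for f in fields:
        if f in PUBLIC_FIELDS:
            data[f] = user[f]
        elif f in OWNER_OR_ADMIN_FIELDS and (is_self or is_admin):
            data[f] = user[f]
        elif f in user:
            # Deny without echoing the value; same message whether the field
            # is gated or never exposed, so the error itself leaks nothing.
            errors.append("field '%s' is not accessible to this caller" % f)
        else:
            errors.append("unknown field '%s'" % f)
    return {"data": data, "errors": errors}


def handle(body, requester_id, resolver):
    """Glue: parse the request body and dispatch to the chosen resolver."""
    target_id, fields = parse_getuser_request(body)
    return resolver(requester_id, target_id, fields)


# Constructed request, shaped like the one built in Repeater: operationName
# removed and the id pointed at the administrator.
SAMPLE_BODY = json.dumps({
    "query": "query { getUser(id: 1) { id username password } }",
    "variables": {},
})

if __name__ == "__main__":
    # A low-privilege caller (id 2) asking about user 1.
    print(handle(SAMPLE_BODY, 2, resolve_user_vulnerable))
    print(handle(SAMPLE_BODY, 2, resolve_user_hardened))
```

Running the block shows the vulnerable resolver returning the administrator's credential field to caller 2, while the hardened resolver returns only `id` and `username` and records one access error. The allow-list design matters: a deny-list of "sensitive" names has to be kept in sync with every new column, whereas an allow-list of exposed fields fails closed when the record gains a column the schema author forgot about.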
