🚩
Anthony Morell's Gitbook
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
  • 🖥️CTF Writeups
  • 🟦TryHackMe
    • THM Overview
      • Reverse Engineering
      • Game Server
      • Obscure Web Vulns
      • UltraTech
      • Linux Privilege Escalation
      • The Marketplace
      • RootMe
      • Agent Sudo
      • Startup
      • Lian_Yu
      • Advent of Cyber 2022
        • [Day 1] Frameworks
        • [Day 2] Log Analysis
        • [Day 3] OSINT
        • [Day 4] Scanning
        • [Day 5] Brute-Forcing
        • [Day 6] Email Analysis
        • [Day 7] CyberChef
        • [Day 8] Smart Contracts
        • [Day 9] Pivoting
        • [Day 10] Hack a game
        • [Day 11] Memory Forensics
        • [Day 12] Malware Analysis
        • [Day 13] Packet Analysis
        • [Day 14] Web Applications
        • [Day 15] Secure Coding
        • [Day 16] Secure Coding
        • [Day 17] Secure Coding
        • [Day 18] Sigma
        • [Day 19] Hardware Hacking
        • [Day 20] Firmware
        • [Day 21] MQTT
        • [Day 22] Attack Surface Reduction
        • [Day 23] Defence in Depth
        • [Day 24] The End
  • 🟫PentesterLab
    • PL Overview
      • Recon Badge
        • Badge Solutions
  • 🟩Hack The Box
    • HTB Overview
      • HTB Post
  • 🟧BurpSuite Academy
    • BSA Overview
      • GraphQL API vulnerabilities
        • Accessing private GraphQL posts
        • Accidental exposure of private GraphQL fields
        • Finding a hidden GraphQL endpoint
  • 🏁Competitions
    • Competition Overview
      • GM Bug Bounty Competition
Powered by GitBook
On this page
  1. BurpSuite Academy
  2. BSA Overview
  3. GraphQL API vulnerabilities

Accidental exposure of private GraphQL fields

PRACTITIONER

PreviousAccessing private GraphQL postsNextFinding a hidden GraphQL endpoint

Last updated 1 year ago

Task

The user management functions for this lab are powered by a GraphQL endpoint. The lab contains an access control vulnerability whereby you can induce the API to reveal user credential fields.

To solve the lab, sign in as the administrator and delete the username carlos.

Steps

First, with Burpsuite intercepting traffic, attempt to log into an account in the lab.

Next, the user should copy the URL and place it in the InQL Scanner. Within the InQL Scanner there will be a query named getUser.

This request that is used to log in initially should be sent to the repeater and within the InQL tab underneath 'Query, the user should replace the mutation information with the getUser query.

The user will need to change to the 'Pretty' tab to change the ID and remove the operation name 'login'

It is important to note that the administrator is usually 1 throughout BSA, so changing this value here is needed. Also removing the login operator from the ',' is needed as well. i.e. , "operationName": "login"

Once complete, the user can log on with the credentials and delete the account carlos.

🟧