-
In Burp's browser, access the lab and select My account.
-
Attempt to log in to the site.
-
In Burp, go to Proxy > HTTP history and notice that the login attempt is sent as a GraphQL mutation containing a username and password.
-
Right-click the login request and select Send to Repeater.
-
Use InQL to scan the GraphQL endpoint. Notice the following:
- There is a
getUserquery that returns a user's username and password. - This query fetches the relevant user information via a direct reference to an
idnumber.
- There is a
-
Copy the contents of the
getUserquery. -
Go to the Repeater tab and select the InQL subtab.
-
Paste the contents of the
getUserquery into theQuerybox, replacing the original GraphQL login mutation. -
Select the Pretty tab and remove the
operationNameproperty. -
Click Send. Notice that the default
1334user ID causes the API to return an error. -
Test alternative user IDs until the API returns the administrator's credentials. In this case, the administrator's ID is
1. -
Log in to the site as the administrator, go to the Admin panel, and delete
carlosto solve the lab.
Lab: Accidental exposure of private GraphQL fields
The user management functions for this lab are powered by a GraphQL endpoint. The lab contains an access control vulnerability whereby you can induce the API to reveal user credential fields.
To solve the lab, sign in as the administrator and delete the username carlos.
We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater, and enables you to scan the API schema.
For more information on using InQL, see Working with GraphQL in Burp Suite.
Register for free to track your learning progress
-
Practise exploiting vulnerabilities on realistic targets.
-
Record your progression from Apprentice to Expert.
-
See where you rank in our Hall of Fame.
Already got an account? Login here
