In Burp's browser, access the lab and select My account.
Attempt to log in to the site.
In Burp, go to Proxy > HTTP history and notice that the login attempt is sent as a GraphQL mutation containing a username and password.
Right-click the login request and select Send to Repeater.
Use InQL to scan the GraphQL endpoint. Notice the following:
- There is a getUser query that returns a user's username and password.
- This query fetches the relevant user information via a direct reference to an
- There is a
Copy the contents of the
Go to the Repeater tab and select the InQL subtab.
Paste the contents of the getUser query into the Query box, replacing the original GraphQL login mutation.
Select the Pretty tab and remove the
Click Send. Notice that the default 1334 user ID causes the API to return an error.
Test alternative user IDs until the API returns the administrator's credentials. In this case, the administrator's ID is
Log in to the site as the administrator, go to the Admin panel, and delete carlos to solve the lab.
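The root cause behind the steps above, as an added example that is not part of the lab, Burp or InQL: a Python model of a getUser resolver in its vulnerable form (any id resolves, no authorization, password returned) beside a hardened form (caller must own the record or be an admin, and the credential field is never exposed). The user table, IDs and credential values are constructed for this example; no GraphQL library is used, the functions stand in for server-side resolvers.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    username: str
    password_hash: str  # constructed sample value, not a real hash
    is_admin: bool = False


# Constructed user table; IDs and values are sample data for this example only.
USERS = {
    1: User(1, "administrator", "hash-of-admin-secret", is_admin=True),
    2: User(2, "carlos", "hash-of-carlos-secret"),
}


class GraphQLError(Exception):
    """Stands in for the error object a GraphQL server returns for a failed query."""


def get_user_vulnerable(user_id: int) -> dict:
    """Vulnerable resolver: resolves any id with no authorization check and
    exposes the password field, so an attacker can walk ids to find the admin."""
    user = USERS.get(user_id)
    if user is None:
        raise GraphQLError(f"no user with id {user_id}")  # confirms which ids exist
    return {"id": user.id, "username": user.username, "password": user.password_hash}


def get_user_hardened(user_id: int, requester_id: Optional[int]) -> dict:
    """Hardened resolver: the caller must be authenticated and must own the
    requested record (or be an admin), and no credential field is ever returned."""
    if requester_id is None:
        raise GraphQLError("authentication required")
    requester = USERS.get(requester_id)
    if requester is None:
        raise GraphQLError("authentication required")
    if requester.id != user_id and not requester.is_admin:
        # Same error whether or not the id exists, so the response does not
        # leak which ids are valid.
        raise GraphQLError("not found")
    user = USERS.get(user_id)
    if user is None:
        raise GraphQLError("not found")
    return {"id": user.id, "username": user.username}
```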
Lab: Accidental exposure of private GraphQL fields
To solve the lab, sign in as the administrator and delete the username
We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater, and enables you to scan the API schema.
For more information on using InQL, see Working with GraphQL in Burp Suite.