Lab: Accessing private GraphQL posts

APPRENTICE

The blog page for this lab contains a hidden blog post that has a secret password. To solve the lab, find the hidden blog post and enter the password.

Learn more about Working with GraphQL in Burp Suite.

Solution

Identify the vulnerability

  1. In Burp's browser, access the blog page.

  2. In Burp, go to Proxy > HTTP history and notice the following:

    • Blog posts are retrieved using a GraphQL query.
    • In the response to the GraphQL query, each blog post has its own sequential id.
    • Blog post id 3 is missing from the list. A gap in an otherwise sequential range of ids indicates that a post exists but is not returned by the listing query, that is, a hidden blog post.

  3. Find the POST /graphql/v1 request. Right-click it and select Send to Repeater.

  4. In Repeater, right-click anywhere in the Request panel of the message editor and select GraphQL > Set introspection query to insert an introspection query into the request body.

  5. Send the request. In the response, locate the BlogPost type and notice that it has a postPassword field that the blog page's own query never requests. Because introspection is enabled, the schema reveals the field even though no client uses it.

Exploit the vulnerability to find the password

  1. In the HTTP history, find the POST /graphql/v1 request. Right-click it and select Send to Repeater.

  2. In Repeater, click the GraphQL tab. In the Variables panel, change the id variable to 3 (the id of the hidden blog post).

  3. In the Query panel, add the postPassword field to the query.

  4. Send the request.

  5. Copy the contents of the response's postPassword field and paste them into the Submit solution dialog to solve the lab. You may need to refresh the page.