In Burp's browser, access the blog page.
In Burp, go to Proxy > HTTP history and notice the following:
- Blog posts are retrieved using a GraphQL query.
- In the response to the GraphQL query, each blog post has its own sequential id.
- Blog post id 3 is missing from the list. This indicates that there is a hidden blog post.
Use InQL to scan the GraphQL endpoint. Notice that the BlogPost type has a
In Burp's browser, select a blog post. Notice that this causes the site to make a GraphQL query that fetches the relevant post data via a direct reference to the post's ID.
In the HTTP history, find the relevant GraphQL query. Right-click it and select Send to Repeater.
In Repeater, modify the id variable to 3 (that is, the id of the hidden blog post). Add the postPassword field to the query.
Send the request.
Copy the contents of the response's postPassword field and paste them into the Submit solution dialog to solve the lab.
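The access-control gap behind these steps, seen from the server side, as an added example that is not the lab's own code: the list resolver filters hidden posts while the by-ID resolver and the postPassword field do not, shown next to a hardened version. The resolver names getAllBlogPosts and getBlogPost, the isHidden flag, the viewer.isAdmin check and the sample data are assumptions; only BlogPost, id and postPassword come from the page.

```javascript
// Constructed sample data: post 3 is the hidden one, as in the lab.
const posts = [
  { id: 1, title: "First post", isHidden: false, postPassword: null },
  { id: 2, title: "Second post", isHidden: false, postPassword: null },
  { id: 3, title: "Private draft", isHidden: true, postPassword: "example-secret" },
  { id: 4, title: "Fourth post", isHidden: false, postPassword: null },
];

// Vulnerable pattern: only the list resolver applies the visibility rule.
// The by-ID resolver returns any post, with every field, to any caller.
const vulnerable = {
  getAllBlogPosts: () => posts.filter((p) => !p.isHidden),
  getBlogPost: ({ id }) => posts.find((p) => p.id === id) ?? null,
};

// Hardened pattern: one visibility check shared by every path to a BlogPost.
function canView(post, viewer) {
  return !post.isHidden || Boolean(viewer && viewer.isAdmin);
}

// Field-level authorization: postPassword is only populated for admins,
// and the internal isHidden flag never leaves the server.
function toBlogPost(post, viewer) {
  const { postPassword, isHidden, ...publicFields } = post;
  const mayReadSecret = Boolean(viewer && viewer.isAdmin);
  return { ...publicFields, postPassword: mayReadSecret ? postPassword : null };
}

const hardened = {
  getAllBlogPosts: (_args, viewer) =>
    posts.filter((p) => canView(p, viewer)).map((p) => toBlogPost(p, viewer)),
  getBlogPost: ({ id }, viewer) => {
    const post = posts.find((p) => p.id === id);
    // Same null for "hidden" and "does not exist", so ids cannot be probed.
    return post && canView(post, viewer) ? toBlogPost(post, viewer) : null;
  },
};

// Anonymous caller (viewer = null) requesting the hidden post by id.
console.log("vulnerable:", vulnerable.getBlogPost({ id: 3 }));
console.log("hardened:  ", hardened.getBlogPost({ id: 3 }, null));
```

Hiding a record from a listing is not access control; the check has to sit on the object and on the sensitive field, whichever query reaches them.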
Lab: Accessing private GraphQL posts
The blog page for this lab contains a hidden blog post that has a secret password. To solve the lab, find the hidden blog post and enter the password.
We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater, and enables you to scan the API schema.
For more information on using InQL, see Working with GraphQL in Burp Suite.