Accidental Exposure of private GraphQL fields
Hello guys, in this writeup I am going to walk through the PortSwigger Web Security Academy lab "Accidentally Exposing private GraphQL fields".
First, let's read the description of the lab:
“The user management functions for this lab are powered by a GraphQL endpoint. The lab contains an access control vulnerability whereby you can induce the API to reveal user credential fields.
To solve the lab, sign in as the administrator and delete the username carlos.”
They also recommend using the InQL extension for Burp Suite to solve this lab.
So, let's start the lab: start the Burp Proxy and capture the requests.
From the captured traffic we learn that the endpoint is /graphql/v1. Copy and paste the GraphQL endpoint into the InQL scanner in Burp Suite.
Using the InQL scanner, we find that the schema contains three queries, one of which retrieves user details.
Now we can send this query to the endpoint to retrieve user information, but a user id is required to fetch the details.
It is not obvious, but from the lab solution we know that the admin user id is 1.
Now send any request to the /graphql/v1 endpoint to Burp Repeater and switch to its InQL tab.
Here, replace the existing query with the one copied from the InQL scanner and change the id parameter to 1. Make sure you remove the operationName from the request body (in the Pretty tab), then send the request.
The response contains the administrator's password, so we can log in to the administrator account.
Now delete the user carlos from the Admin Panel you just gained access to.
Thank you for reading this writeup; I hope it was helpful. For any queries or suggestions, please feel free to leave a comment.