Writeup: Accessing Private GraphQL posts

CyberKnight
3 min read · Jul 16, 2023


Hello guys, Cyber Knight here. In this post I am going to guide you through the PortSwigger Web Security Academy’s “Accessing private GraphQL posts” lab.

First, let us look at the description of the lab:

“The blog page for this lab contains a hidden blog post that has a secret password. To solve the lab, find the hidden blog post and enter the password.

We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater, and enables you to scan the API schema.”

So, we start the lab and fire up our Burp Suite.

Blog Home Page

When we intercept the requests in Burp Suite, the first thing we find is that it is powered by a GraphQL service and its endpoint is at “your-lab.web-security-academy.com/graphql/v1”.

So, from the GraphQL server’s response shown in the above image, we can see that it returned the summaries of all the blog posts on that web page, but the post with id 3 is missing.

Now, let us open a blog post and check the requests it makes to the GraphQL server.

As we can see, the request’s query lists the fields of the post to be retrieved. So, the post missing from the summaries page was the one with id 3. Let’s send this request to Repeater, change the id to 3, and observe the response.

The response only includes the basic details of the post, but to complete this lab, we need the secret password which isn’t included here.

For your information, the advantage of GraphQL over other APIs like REST is that we can retrieve only the required, selected fields from the database, unlike a REST API, which returns the entire object that is present.

So, we need to know which fields the blogPost type contains. For that, we need the InQL extension for Burp Suite.

So, after installing InQL, move on to the InQL Scanner tab and paste the GraphQL endpoint of your lab. After it loads, we can view the complete schema of the GraphQL API. From the results returned by the InQL scanner, we can observe that the getBlogPost query also contains another field called postPassword.

Now, all we have to do is include the postPassword field along with the others in the getBlogPost request and retrieve the secret password.
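What InQL does under the hood is send an introspection query and walk the returned schema, which is the same check a defender can run against their own API to find fields that are reachable but should never be exposed to a client. The script below is an added example, not code from the lab or from InQL: it parses a constructed, cut-down introspection response (the `getBlogPost` and `postPassword` names follow the writeup; `Query`, `getAllBlogPosts`, `Author` and the remaining field names are assumptions), unwraps `NON_NULL`/`LIST` type wrappers, follows object types recursively without looping on cycles, and flags field names that look like secrets.

```python
"""Audit a GraphQL introspection result for sensitive fields reachable from Query.

Added example, not part of the PortSwigger lab or the InQL extension. The
schema below is a constructed introspection response in the shape a server
returns for a __schema query; only getBlogPost and postPassword come from the
writeup, the other names are assumptions.
"""
import json
import re
from collections import deque

# Constructed sample: what the /graphql endpoint would return for an
# introspection query. Type references nest through "ofType" for wrappers.
INTROSPECTION_JSON = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "getBlogPost",
             "type": {"kind": "OBJECT", "name": "BlogPost", "ofType": None}},
            # [BlogPost!]! -> NON_NULL(LIST(NON_NULL(BlogPost)))  (assumed name)
            {"name": "getAllBlogPosts",
             "type": {"kind": "NON_NULL", "name": None, "ofType":
                      {"kind": "LIST", "name": None, "ofType":
                       {"kind": "NON_NULL", "name": None, "ofType":
                        {"kind": "OBJECT", "name": "BlogPost", "ofType": None}}}}},
        ]},
        {"kind": "OBJECT", "name": "BlogPost", "fields": [
            {"name": "id", "type": {"kind": "NON_NULL", "name": None, "ofType":
                                    {"kind": "SCALAR", "name": "Int", "ofType": None}}},
            {"name": "title", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "postPassword", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "author", "type": {"kind": "OBJECT", "name": "Author", "ofType": None}},
        ]},
        # Author -> posts -> BlogPost creates a cycle the walker must not loop on.
        {"kind": "OBJECT", "name": "Author", "fields": [
            {"name": "name", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "posts", "type": {"kind": "LIST", "name": None, "ofType":
                                       {"kind": "OBJECT", "name": "BlogPost", "ofType": None}}},
        ]},
        {"kind": "SCALAR", "name": "Int", "fields": None},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ]}}})

SCHEMA = json.loads(INTROSPECTION_JSON)

# Field names worth a second look during a schema review.
SENSITIVE = re.compile(r"password|secret|token|apikey|ssn", re.IGNORECASE)


def unwrap_named_type(type_ref):
    """Strip NON_NULL and LIST wrappers and return the underlying type name."""
    while type_ref.get("name") is None and type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref["name"]


def reachable_fields(introspection):
    """Map 'Type.field' -> return type name for every field reachable from Query.

    Object types are visited breadth-first; a seen-set stops the walk from
    cycling on self-referential schemas such as Author.posts -> BlogPost.
    """
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    queue, seen, found = deque([schema["queryType"]["name"]]), set(), {}
    while queue:
        type_name = queue.popleft()
        if type_name in seen:
            continue
        seen.add(type_name)
        for field in types[type_name].get("fields") or []:
            target = unwrap_named_type(field["type"])
            found[f"{type_name}.{field['name']}"] = target
            if types.get(target, {}).get("kind") == "OBJECT":
                queue.append(target)
    return found


def sensitive_fields(introspection):
    """Return the reachable fields whose names match the SENSITIVE pattern."""
    return sorted(path for path in reachable_fields(introspection)
                  if SENSITIVE.search(path.split(".", 1)[1]))


if __name__ == "__main__":
    for path, return_type in sorted(reachable_fields(SCHEMA).items()):
        print(f"{path}: {return_type}")
    print("review these:", sensitive_fields(SCHEMA))
```

Run against the real endpoint this would take the introspection response captured in Burp instead of the constructed sample; the fix on the server side is to remove or authorise such fields rather than to hide the post from the summary list, and disabling introspection in production only reduces discoverability, not the exposure itself.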

Now, paste the retrieved password in the Submit solution section and lab solved!!



Written by CyberKnight

A cyber security enthusiast and researcher, bug bounty hunter. CS Undergrad with good skills at problem solving along with great interest in Cyber Security
