Lab: Accessing private GraphQL posts

The blog page for this lab contains a hidden blog post that has a secret password. To solve the lab, find the hidden blog post and enter the password.

Learn more about Working with GraphQL in Burp Suite.

Steps

Open Burp Suite and Visit the Web Application
Click on any blog and send the request to Repeater
Again in the same blog right click -> Extensions -> InQL -> Generate queries with InQL scanner
In the InQL tab expand the queries section and click the getBlogPost.graphql
You should see a postPassword field
In the Repeater tab change the id variable to 3 in the Variables window and add a new field called postPassword in the Query window.
Send the request to get the secret password.

PreviousDiscovering Schema Information NextLab: Accidental exposure of private GraphQL fields

Last updated 6 months ago