Lab: Accidental exposure of private GraphQL fields

The user management functions for this lab are powered by a GraphQL endpoint. The lab contains an access control vulnerability whereby you can induce the API to reveal user credential fields.

To solve the lab, sign in as the administrator and delete the username carlos.

Steps

  • Open Burp Suite and visit the target website

  • Click on My account and log in using a random username and password

  • Send the GraphQL request to Extensions -> InQL -> Generate Queries with InQL Scanner

  • Expand the Queries section; there is an entry for getUser.graphql

  • Copy the query

  getUser(id: Int!) {
      id
      password
      username
  }
  • Send the getBlogSummaries request to Repeater and add the query below inside the getBlogSummaries query

  getUser(id: 1) {
      id
      password
      username
  }
  • Send the request; the administrator's password appears in the response

  • Log in with the administrator credentials and delete the user carlos
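The root cause in this lab is a resolver that returns every field the schema exposes, including password, with no per-field authorization. As an added example (not code from the lab or from PortSwigger), here is a minimal Python stand-in for the getUser resolver in its vulnerable and hardened forms, with no GraphQL library; the user table, the placeholder password hashes and the Viewer context are constructed assumptions:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; the password values are placeholders, not real hashes.
USERS = {
    1: {"id": 1, "username": "administrator", "password": "<hash-placeholder>",
        "email": "admin@example.org"},
    2: {"id": 2, "username": "wiener", "password": "<hash-placeholder>",
        "email": "wiener@example.org"},
}

# Hardened schema: password is simply not a field of User, so introspection
# (and tools such as InQL that build queries from it) never see it.
# "public" fields are readable by anyone; "owner" fields only by the account
# owner or an admin.
EXPOSED_FIELDS = {"id": "public", "username": "public", "email": "owner"}


@dataclass
class Viewer:
    user_id: Optional[int]        # None means unauthenticated
    is_admin: bool = False


def get_user_vulnerable(viewer, user_id, fields):
    """The lab's behaviour: any requested column is resolved for any viewer."""
    row = USERS.get(user_id)
    if row is None:
        return {"data": None, "errors": ["user not found"]}
    return {"data": {f: row[f] for f in fields if f in row}, "errors": []}


def get_user_hardened(viewer, user_id, fields):
    """Resolve only schema-exposed fields the viewer is authorized to read;
    unknown or forbidden fields become GraphQL-style errors, not data."""
    row = USERS.get(user_id)
    if row is None:
        return {"data": None, "errors": ["user not found"]}
    data, errors = {}, []
    for f in fields:
        level = EXPOSED_FIELDS.get(f)
        if level is None:
            errors.append(f"Cannot query field '{f}' on type User")
        elif level == "owner" and not (viewer.is_admin or viewer.user_id == user_id):
            errors.append(f"Not authorized to read '{f}'")
        else:
            data[f] = row[f]
    return {"data": data, "errors": errors}
```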
