Lab: Accidental exposure of private GraphQL fields

PRACTITIONER

The user management functions for this lab are powered by a GraphQL endpoint. The lab contains an access control vulnerability whereby you can induce the API to reveal user credential fields.

To solve the lab, sign in as the administrator and delete the username carlos.

Learn more about Working with GraphQL in Burp Suite.

Solution

Identify the vulnerability

  1. In Burp's browser, access the lab and select My account.

  2. Attempt to log in to the site.

  3. In Burp, go to Proxy > HTTP history and notice that the login attempt is sent as a GraphQL mutation containing a username and password.

  4. Right-click the login request and select Send to Repeater.

  5. In Repeater, right-click anywhere within the Request panel of the message editor and select GraphQL > Set introspection query to insert an introspection query into the request body.

  6. Send the request.

  7. Right-click the message and select GraphQL > Save GraphQL queries to site map.

  8. Go to Target > Site map and review the GraphQL queries. Notice the following:

    • There is a getUser query that returns a user's username and password.
    • This query fetches the relevant user information via a direct reference to an id number.

Modify the query to retrieve the administrator credentials

  1. Right-click the getUser query and select Send to Repeater.

  2. In Repeater, click Send. Notice that the default id value of 0 doesn't return a user.

  3. Select the GraphQL tab and test alternative values for the id variable until the API returns the administrator's credentials. In this case, the administrator's ID is 1.

  4. Log in to the site as the administrator, go to the Admin panel, and delete carlos to solve the lab.
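A defender-side check for the finding above, added here as an example that is not part of the lab, of Burp, or of the PortSwigger solution: it walks a saved introspection response (a constructed, abridged `__schema` result whose type and field names mirror the lab's getUser query) and reports which root queries return a type carrying credential-like fields, so an exposed password field would be flagged in a schema review before it reaches production.

```python
import re

# Constructed, abridged introspection result in the shape a real __schema
# query returns; type and field names mirror the lab's getUser query.
INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "query"},
    "types": [
        {"kind": "OBJECT", "name": "query", "fields": [
            {"name": "getUser",
             "type": {"kind": "NON_NULL", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "type": {"kind": "SCALAR", "name": "Int", "ofType": None}},
            {"name": "username", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
            {"name": "password", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        ]},
    ]}}}

# Field names that should never be selectable through a public query.
SENSITIVE = re.compile(r"pass(word|wd)|secret|token|api_?key|hash", re.I)


def unwrap(type_ref):
    """Strip NON_NULL and LIST wrappers to reach the named type."""
    while type_ref is not None and type_ref.get("name") is None:
        type_ref = type_ref.get("ofType")
    return None if type_ref is None else type_ref["name"]


def find_sensitive_fields(introspection):
    """Map each object type to its credential-like field names."""
    found = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars, enums and the built-in __Type family
        hits = [f["name"] for f in t["fields"] or [] if SENSITIVE.search(f["name"])]
        if hits:
            found[t["name"]] = hits
    return found


def exposing_queries(introspection):
    """Map each root query field to the sensitive fields its return type carries."""
    schema = introspection["data"]["__schema"]
    sensitive = find_sensitive_fields(introspection)
    root = next(t for t in schema["types"] if t["name"] == schema["queryType"]["name"])
    return {f["name"]: (unwrap(f["type"]), sensitive[unwrap(f["type"])])
            for f in root["fields"] if unwrap(f["type"]) in sensitive}
```

Run against a real introspection response saved from Burp, `exposing_queries` lists every root query whose return type carries a credential-like field; the fix is to remove such fields from the public schema or gate them with field-level authorization, not to rely on clients never selecting them.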

Community solutions

Popo Hack