
Accessing private GraphQL posts

Updated: May 22, 2024


Security stock image.
Image from https://nordvpn.com/blog/graphql-security-tips/

In this blog:

➡️ Find my blog on exposing private GraphQL endpoints here.

➡️ Find my blog on exposing private GraphQL fields here.

➡️ Find my blog on GraphQL vulnerabilities here.

Opening Burp and finding a GraphQL endpoint


The blog page for this lab contains a hidden blog post that has a secret password.

To solve the lab, find the hidden blog post and enter the password.


Open up Burp Suite:

Burpsuite image.
Starting up Burpsuite.

Turn Intercept on and open the browser.

Go to the blog site shown in the lab.

Burpsuite image.
Intercept has been turned on.

If we open the Target tab, we see that the website is backed by a GraphQL service whose endpoint is at /graphql/v1.

Burpsuite image.
Finding the endpoint and showing all blogs.

We see that the getAllBlogPosts query returns the blog posts with IDs 1 to 5, with the exception of the post with ID 3.


Now, if we open an individual post (the one I visited was the post with ID 5), we can see that a GraphQL query was sent to retrieve the fields of that post.

Burpsuite image.
Checking post ID:5

Setting Introspection queries


Let’s send this request to Repeater, change the ID to 3 and see what changes.

Burpsuite image.
Send the request to Repeater.

Right-click anywhere in the request pane and go to GraphQL ➡️ Set introspection query.


This will let us insert an introspection query into the request.


An introspection query asks the schema to describe itself: the types, their fields and the relationships between them. This tells us what the objects in the backend look like, including fields that the normal queries never return, and that is how we find sensitive information.

Burpsuite image.
Set introspection query.

Burp automatically sends the introspection probe query shown below.

{
    "query": "{__schema{queryType{name}}}"
}

Burpsuite image.
Inside Repeater with introspection enabled.

Click send.

Burpsuite image.
Viewing the GraphQL schema.

Notice how the BlogPost type has a postPassword field in it.

Burpsuite image.
Finding the 'postPassword' field.
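As an added example (not code from the original post or from the lab), here is a small Python audit of the two things this section relies on: whether the introspection probe {__schema{queryType{name}}} gets an answer at all, and which fields in the returned schema look like they should never be readable by an API client. The responses below are constructed stand-ins, trimmed to the parts of the schema that matter here, and the list of sensitive name patterns is an assumption.

```python
import json
import re

# Constructed sample responses standing in for replies from /graphql/v1.
# Reply to Burp's probe {__schema{queryType{name}}} when introspection is on:
PROBE_OK = '{"data":{"__schema":{"queryType":{"name":"Query"}}}}'
# Typical reply when the server has introspection disabled:
PROBE_BLOCKED = '{"errors":[{"message":"GraphQL introspection is not allowed"}]}'

# Trimmed, constructed stand-in for a full introspection result.
SAMPLE_SCHEMA = json.dumps({"data": {"__schema": {"types": [
    {"name": "BlogPost", "fields": [
        {"name": "id"}, {"name": "title"}, {"name": "postPassword"}]},
    {"name": "Query", "fields": [
        {"name": "getAllBlogPosts"}, {"name": "getBlogPost"}]},
    {"name": "__Schema", "fields": [{"name": "types"}]},
]}}})

# Assumed patterns for field names that should not be client-readable.
SENSITIVE = re.compile(r"password|secret|token|api_?key|private", re.IGNORECASE)


def introspection_enabled(probe_response: str) -> bool:
    """True if the probe reply carries __schema.queryType.name, meaning the
    server answers introspection queries at all."""
    body = json.loads(probe_response)
    try:
        return bool(body["data"]["__schema"]["queryType"]["name"])
    except (KeyError, TypeError):
        return False


def find_sensitive_fields(schema_response: str) -> list[str]:
    """Walk every type in the introspection result and return 'Type.field'
    for fields whose names suggest data that should never be exposed.
    Built-in types (names starting with __) are skipped."""
    types = json.loads(schema_response)["data"]["__schema"]["types"]
    hits = []
    for t in types:
        if t["name"].startswith("__"):
            continue
        for field in t.get("fields") or []:
            if SENSITIVE.search(field["name"]):
                hits.append(f"{t['name']}.{field['name']}")
    return hits


if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(PROBE_OK))
    print("sensitive fields:", find_sensitive_fields(SAMPLE_SCHEMA))
```

Disabling introspection only hides the schema from this probe; the field itself stays resolvable, so the real fix is to remove postPassword from the API or enforce authorization in its resolver.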

Send to Repeater and find hidden post


Now we can exploit the vulnerability to find the password to the hidden blog post.


Go to HTTP history and send the POST /graphql/v1 request to Repeater.

Burpsuite image.
Send request to Repeater to change ID.

Go to the Repeater > GraphQL tab. In the Variables pane, change the ID to 3, the ID of the hidden blog post.

In the Query pane, add postPassword to the requested fields and click Send.

Burpsuite image.
Changing the post ID to 3 and adding the 'postPassword' field.

Scroll down to find the password.

Burpsuite image.
Finding the password.

Lab complete! Thanks for reading my blog.

