portswigger-all-labs

Complete PortSwigger Web Security Academy Lab Writeups

Detailed, categorized solutions for every lab, from APPRENTICE to EXPERT, covering all 30 vulnerability types.


Labs Covered

This write-up focuses on the following APPRENTICE-level lab from the PortSwigger Web Security Academy related to GraphQL API Vulnerabilities:

Accessing private GraphQL posts
This lab demonstrates how insufficient access controls on GraphQL queries allow unauthorized users to retrieve private data.


LAB 1 - Accessing private GraphQL posts

Lab Description

image

Solution

"We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater, and enables you to scan the API schema." (I installed it in Burp Suite Community on Linux because this extension requires the latest version, and our Burp Professional has an old version.)

image

If we look at the summary tab of the /graphql/v1 request, which appears first when we start the lab, we can see that id:3 is missing from the listed posts.

image

If you have no summary tab, open each blog post and note which id is missing: the unlisted id belongs to the private post, and you can then request its attributes through the GraphQL API.

image

Now we send the request for id:2 to Repeater and notice that the GraphQL response returns exactly the fields we ask for in the query; in our case we requested image, title, author, date and paragraph. Next we request the same thing for the private blog post: all the remaining post ids (1, 2, 4, 5) are shown, but 3 is not, so it is probably private, and we now request id 3 to get its content.

image

Now we change the id to 3, which gives us the content of post 3, as shown in the image below.

image

For your information, the advantage of GraphQL over other APIs such as REST is that we can retrieve only the required, selected fields, unlike a REST API, which returns the entire object. So we need to know which fields the blogPost type contains. For that we use the InQL extension for Burp Suite. After installing InQL, go to the InQL Scanner tab and paste the GraphQL endpoint for your lab. Once it has loaded, we can view the complete schema of the GraphQL API. From the results returned by the InQL scanner, we can observe that the getBlogPost query also exposes another field called postPassword.

image

Now we can see that InQL has given us all the queries of our endpoint, including the fields that are hidden from the blog.

image

Now we set id:3 and add the postPassword field to the query, and the response returns the postPassword. Copy it and paste it into the lab's submit form, and the lab is solved.

image

Submit it and the lab is solved.

image
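The root cause of this lab is that the getBlogPost resolver trusts the client's selection set: any caller can fetch any post by id, and the schema exposes a server-side secret (postPassword) as a queryable field. The following is an added example, not the lab's or PortSwigger's code, with constructed sample data and a hypothetical Forbidden error; it shows a minimal unauthenticated resolver beside a hardened one that enforces object-level and field-level authorization (the cleanest fix is to remove postPassword from the schema entirely).

```python
# Added example (not the lab's code): a getBlogPost-style resolver with no
# access control, next to a hardened version that checks both the object
# (is this post private?) and each selected field (is it server-only?).
from typing import Dict, List, Optional

# Constructed sample data; post 3 is the unlisted (private) one, as in the lab.
POSTS = {
    1: {"id": 1, "title": "Public post", "author": "carlos",
        "isPrivate": False, "postPassword": None},
    3: {"id": 3, "title": "Private post", "author": "administrator",
        "isPrivate": True, "postPassword": "CONSTRUCTED-SECRET"},
}

# Fields that must never be returned to any client, whoever asks.
SERVER_ONLY_FIELDS = {"postPassword"}


class Forbidden(Exception):
    """Hypothetical error raised when a selection set requests a server-only field."""


def get_blog_post_vulnerable(post_id: int, fields: List[str]) -> Optional[Dict]:
    """Vulnerable resolver: the client's selection set alone decides what is returned."""
    post = POSTS.get(post_id)
    if post is None:
        return None
    return {f: post.get(f) for f in fields}


def get_blog_post_hardened(post_id: int, fields: List[str],
                           viewer: Optional[str]) -> Optional[Dict]:
    """Hardened resolver: object-level check on private posts, field-level deny list."""
    post = POSTS.get(post_id)
    if post is None:
        return None
    # Object-level authorization: a private post is visible only to its author.
    # Returning None (same as "not found") avoids confirming that id 3 exists.
    if post["isPrivate"] and viewer != post["author"]:
        return None
    # Field-level authorization: refuse the whole query if it selects a
    # server-only field, so schema exposure of postPassword cannot be abused.
    denied = SERVER_ONLY_FIELDS & set(fields)
    if denied:
        raise Forbidden(f"field(s) not permitted: {sorted(denied)}")
    return {f: post.get(f) for f in fields}
```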