19.1 Lab: Accessing private GraphQL posts
The blog page for this lab contains a hidden blog post that has a secret password. Find the hidden blog post and enter the password We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater and enables you to scan the API schema | Karthikeyan Nagaraj
Description
The blog page for this lab contains a hidden blog post that has a secret password. To solve the lab, find the hidden blog post and enter the password.
We recommend that you install the InQL extension before attempting this lab. InQL makes it easier to modify GraphQL queries in Repeater, and enables you to scan the API schema.
For more information on using InQL, see Working with GraphQL in Burp Suite.
Solution
- Capture the request of a Blog post
- Notice that the http history under the proxy tab contains a graphql request which has a Query with parameters
- Send the request to Repeater
- Now change the
id
value to3
and also addpostPassword
parameter in to the query wherever you want - Send the request
- Copy the contents of the responses
postPassword
field and paste them into the Submit solution dialog to solve the lab.
If you would like to support me so that I can create more free content — https://www.buymeacoffee.com/cyberw1ng
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng
Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials