👩🎓👨🎓 Learn about GraphQL API vulnerabilities! The user management functions for this lab are powered by a GraphQL endpoint. The lab contains an access control vulnerability whereby we can induce the API to reveal user credential fields. To solve the lab, we must sign in as the administrator and delete the user carlos.
If you're struggling with the concepts covered in this lab, please review https://portswigger.net/web-security/... 🧠
🔗 @PortSwiggerTV challenge: https://portswigger.net/web-security/...
🧑💻 Sign up and start hacking right now - https://go.intigriti.com/register
👾 Join our Discord - https://go.intigriti.com/discord
🎙️ This show is hosted by _cryptocat (@_CryptoCat) & intigriti
👕 Do you want some Intigriti Swag? Check out https://swag.intigriti.com
Overview:
0:00 Intro
0:24 Lab: Accidental exposure of private GraphQL fields
0:44 Explore site functionality
1:07 Identify GraphQL API endpoints
2:01 Set introspection query
2:26 Visualise schema
3:30 Saving introspection results to Burp site map
3:57 Exploit the vulnerability
4:40 Conclusion