InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…

Follow publication

How to Exploit a Hidden GraphQL Endpoint by Changing POST to GET Request — GraphQL API Labs

[Write-up] Finding a Hidden GraphQL Endpoint.

Introduction

GraphQL has become an essential technology for modern web applications, allowing developers to query APIs with flexibility. However, misconfigurations and security oversights can lead to critical vulnerabilities. In this lab titled “Finding a Hidden GraphQL Endpoint”, we will explore how to discover an undisclosed GraphQL endpoint that is not easily accessible by browsing the site.

Finding a Hidden GraphQL Endpoint - Bashoverflow - Medium
Finding a Hidden GraphQL Endpoint

Disclaimer:
The techniques described in this document are intended solely for ethical use within the controlled environment of PortSwigger Labs for educational and training purposes. Unauthorized use of these methods outside approved environments is strictly prohibited, as it is illegal, unethical, and may lead to severe consequences.

It is crucial to act responsibly, comply with all applicable laws, and adhere to established ethical guidelines. Any activity that exploits security vulnerabilities or compromises the safety, privacy, or integrity of others is strictly forbidden.

Summary of the Vulnerability

In this lab, the user management functionalities rely on a hidden GraphQL endpoint. Unlike traditional web pages that can be easily accessed through navigation, this endpoint remains concealed. Additionally, the GraphQL API has certain protections in place to prevent introspection, making it more challenging to enumerate available queries and mutations.

To complete the lab, security testers must locate the hidden GraphQL endpoint and issue a mutation request to delete the carlos user. This demonstrates how adversaries might exploit such misconfigurations in real-world applications.

For reference, see Working with GraphQL in Burp Suite.

Steps to Reproduce & Proof of Concept (POC)

1. Open the GraphQL Lab

2. Since we don’t have clear information about the GraphQL endpoint location, we can attempt brute-force discovery using common GraphQL paths:

/graphql  
/api
/api/graphql
/graphql/api
/graphql/graphql
/graphql/v1
Image 1 - Lab: Finding a Hidden GraphQL Endpoint

3. In this lab, we find that the GraphQL endpoint is located at:

/api
Image 2 - Lab: Finding a Hidden GraphQL Endpoint

4. Right-click on the request and send it to Repeater for further testing

Image 3 - Lab: Finding a Hidden GraphQL Endpoint

5. Modify the request method from GET to POST and send it

Image 4 - Lab: Finding a Hidden GraphQL Endpoint

6. The server responds with 405 Method Not Allowed, even after setting Content-Type: application/json. This suggests that the API does not support POST requests

7. Send the following GET request to check if introspection is enabled:

GET /api?query=query%7B__schema%0A%7BqueryType%7Bname%7D%7D%7D
Image 5 - Lab: Finding a Hidden GraphQL Endpoint

8. The server responds with 200 OK, indicating that the request was successful and introspection probing is possible

9. Right-click the request and select GraphQLSet Introspection Query

10. Click Send to execute the query

Image 6 - Lab: Finding a Hidden GraphQL Endpoint
Image 7 - Lab: Finding a Hidden GraphQL Endpoint

11. The response indicates that introspection is restricted

12. However, as explained in the PortSwigger article on bypassing introspection defenses, certain characters like commas, spaces, or new lines can be used to bypass this restriction.

Image 8 - Lab: Finding a Hidden GraphQL Endpoint

13. Go back to Repeater and modify the request by adding a new line after __schema and Send the request again

Image 9 - Lab: Finding a Hidden GraphQL Endpoint

14. Once introspection is bypassed, right-click and select Save GraphQL queries to Site Map for easier navigation

Image 10 - Lab: Finding a Hidden GraphQL Endpoint

15. Navigate to the TargetSite Map tab in Burp Suite

16. Locate the request query=query%28....., right-click, and send it to Repeater

Image 11 - Lab: Finding a Hidden GraphQL Endpoint

17. We can now query user information by modifying the request to include an id variable

Try different id values (0–3) to retrieve user details

Image 12 - Lab: Finding a Hidden GraphQL Endpoint

18. Go back to the Site Map and locate the request query=mutation%28..... then Right-click and send it to Repeater.

Image 13 - Lab: Finding a Hidden GraphQL Endpoint

19. From the previous queries, we identified that carlos has id=3

20. Modify the mutation request to:

{
"input": {
"id": 3
}
}
Image 14 - Lab: Finding a Hidden GraphQL Endpoint

21. Go back to the browser and refresh the lab. If successful, the lab is marked as completed

Image 15 - Lab: Finding a Hidden GraphQL Endpoint

Impact

  • Potential data leaks if introspection is enabled or misconfigured
  • The ability to modify or delete user accounts without proper authentication or authorization

Mitigation

  • Ensure that GraphQL queries and mutations are restricted based on user roles and permissions
  • Monitor API requests and apply rate limiting to detect and prevent brute-force discovery attempts
  • Introspection should be disabled or limited to prevent attackers from easily mapping the API structure

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by Bash Overflow

Cybersecurity Enthusiast | Sharing insights through some writeups | Passionate about advancing knowledge in the field of cybersecurity

No responses yet