webProeasy

Lab 198 — PayrollSync — Broken Auth via GraphQL Introspection

hackadvisor

Task: HR/payroll platform with a GraphQL API; employee credentials are given. Solution: Used GraphQL introspection to discover the adminUsers query, exploited a missing authorization check to obtain an admin API key, then accessed the system config containing the flag.

$ ls tags/ techniques/
authorization_bypass  graphql_schema_enumeration  api_key_theft  introspection_attack
