Lab 304 — TeamVault — Broken Access Control in GraphQL Mutation

hackadvisor

Task: TeamVault workspace management platform with GraphQL API where temporary members are restricted from admin resources. Solution: GraphQL introspection reveals updateMemberAccess mutation lacking authorization checks, allowing any authenticated user to set their own isPermanent to true and access the Secrets Vault containing the flag.

graphql idor express privilege_escalation broken_access_control introspection bola mutation

graphql_introspectionbola_exploitationgraphql_mutation_bacidor_privilege_escalationtemporary_to_permanent_escalation

$ ls tags/ techniques/

graphql idor express privilege_escalation broken_access_control introspection bola mutation

graphql_introspectionbola_exploitationgraphql_mutation_bacidor_privilege_escalationtemporary_to_permanent_escalation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 294 — TeamForge — GraphQL Self-Escalation via UpdateMembership— hackadvisor
[web][Pro]Lab 121 — OrgPilot — GraphQL Broken Access Control— hackadvisor
[web][Pro]Lab 198 — PayrollSync — Broken Auth via GraphQL Introspection— hackadvisor
[web][Pro]SyncGraph— hackadvisor
[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor