SyncGraph

hackadvisor

Task: GraphQL API management platform with broken authentication — API key leaked in client-side JS, introspection enabled, and createUser mutation allows mass assignment of admin role. Solution: Extract API key from /js/playground.js, enumerate schema via introspection, create admin user via mass assignment on createUser mutation, query adminSettings for the flag.

jwt graphql express privilege_escalation broken_access_control introspection mass_assignment api_key_leak

graphql_introspectionauthorization_bypassuser_enumerationapi_key_extraction_from_client_jsmass_assignment_role_escalation

$ ls tags/ techniques/

jwt graphql express privilege_escalation broken_access_control introspection mass_assignment api_key_leak

graphql_introspectionauthorization_bypassuser_enumerationapi_key_extraction_from_client_jsmass_assignment_role_escalation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 198 — PayrollSync — Broken Auth via GraphQL Introspection— hackadvisor
[web][Pro]Lab 290 — PayLedger — GraphQL Broken Access Control— hackadvisor
[web][Pro]Lab 303 — DevGateway — Broken Access Control in Admin API— hackadvisor
[web][Pro]Lab 304 — TeamVault — Broken Access Control in GraphQL Mutation— hackadvisor
[web][Pro]Lab 294 — TeamForge — GraphQL Self-Escalation via UpdateMembership— hackadvisor