Introduction

Hello World! I’m Eshan Singh, aka R0X4R. I’m that hacker teenager that your friends told you about. I hack web servers to make systems more secure. I’m here to share my recent findings on GraphQL introspection.

What is GraphQL

Most of us know that Facebook developed its own query language for working with its data. According to GraphQL.org, GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.

About this vulnerability

Before discovering this bug, I spent at least 5–6 hours learning the fundamentals of GraphQL and read the other relevant bug reports, especially Nahamsec’s GraphQL CTF challenge.

After that, I saw a new program on Bugcrowd and joined it. They gave me a domain (let’s call it example.com, because the vulnerability hasn’t been fixed yet). I created an account on that domain, fired up Burp Suite and added example.com to the spider; after 10–20 seconds I saw example.com/graphql, which told me that example.com uses GraphQL for its API.
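The two sections above describe what GraphQL is and how a /graphql endpoint turned up during spidering. As an added example (not code from the original post, and not tied to any real target), the Python below shows the difference between an ordinary client query and the standard introspection query, checks whether a response proves introspection is enabled, summarises which types and fields such a response reveals, and flags introspection requests in access-log lines. All responses and log lines are constructed samples; the field names in them (`passwordHash`, `updateProfile`, and so on) are invented for illustration.

```python
"""
Added example (not from the original post): assess a GraphQL endpoint's
introspection exposure from the defender's side, and flag introspection
queries in access logs. Everything here runs offline on constructed data.
"""
import json
import re

# The standard introspection query: asks the server to describe its own schema.
# A production API that answers this to anonymous clients exposes every type,
# field and argument name, which is the disclosure the post is about.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      name
      kind
      fields { name args { name type { name kind } } type { name kind } }
    }
  }
}
"""

# An ordinary client query, for contrast: it names exactly the fields it wants.
PROFILE_QUERY = "query { me { id name email } }"

# Constructed sample response, shaped like what a GraphQL server returns for
# INTROSPECTION_QUERY when introspection is enabled. Not a real server's output.
SAMPLE_INTROSPECTION_RESPONSE = json.dumps({
    "data": {
        "__schema": {
            "queryType": {"name": "Query"},
            "mutationType": {"name": "Mutation"},
            "types": [
                {"name": "Query", "kind": "OBJECT",
                 "fields": [{"name": "me", "args": [], "type": {"name": "User", "kind": "OBJECT"}},
                            {"name": "allUsers", "args": [], "type": {"name": None, "kind": "LIST"}}]},
                {"name": "Mutation", "kind": "OBJECT",
                 "fields": [{"name": "updateProfile",
                             "args": [{"name": "name", "type": {"name": "String", "kind": "SCALAR"}}],
                             "type": {"name": "User", "kind": "OBJECT"}}]},
                {"name": "User", "kind": "OBJECT",
                 "fields": [{"name": "id", "args": [], "type": {"name": "ID", "kind": "SCALAR"}},
                            {"name": "email", "args": [], "type": {"name": "String", "kind": "SCALAR"}},
                            {"name": "passwordHash", "args": [], "type": {"name": "String", "kind": "SCALAR"}}]},
                {"name": "String", "kind": "SCALAR", "fields": None},
                {"name": "__Schema", "kind": "OBJECT", "fields": []},
            ],
        }
    }
})

# Constructed response from a server that refuses introspection: no "data",
# only an error entry. The wording is illustrative, not copied from a product.
SAMPLE_DISABLED_RESPONSE = json.dumps({
    "errors": [{"message": "Introspection is disabled, but the query contained __schema or __type."}]
})


def introspection_enabled(response_body: str) -> bool:
    """True if the response carries a __schema document, i.e. the server answered."""
    try:
        doc = json.loads(response_body)
    except ValueError:
        return False
    data = doc.get("data") or {}
    return isinstance(data.get("__schema"), dict)


def exposed_operations(response_body: str) -> dict:
    """Summarise what an introspection response reveals: each user-defined type
    mapped to its field names. Built-in __ types and scalars are skipped."""
    summary = {}
    if not introspection_enabled(response_body):
        return summary
    schema = json.loads(response_body)["data"]["__schema"]
    for t in schema.get("types", []):
        name = t.get("name") or ""
        if name.startswith("__") or t.get("kind") == "SCALAR":
            continue
        summary[name] = [f["name"] for f in (t.get("fields") or [])]
    return summary


# Detection over access-log lines: request text mentioning __schema or __type is
# an introspection attempt. The \b keeps the legitimate __typename field from
# matching. Log lines are constructed; body="..." is an assumed log format.
INTROSPECTION_RE = re.compile(r"__(schema|type)\b")

SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /graphql HTTP/1.1" 200 812 body="{\\"query\\":\\"query { me { id name __typename } }\\"}"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /graphql HTTP/1.1" 200 55210 body="{\\"query\\":\\"query IntrospectionQuery { __schema { types { name } } }\\"}"',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /graphql?query=%7B__type(name:%22User%22)%7Bfields%7Bname%7D%7D%7D HTTP/1.1" 200 901',
]


def flag_introspection_requests(lines):
    """Return the log lines whose request text contains an introspection field."""
    return [line for line in lines if INTROSPECTION_RE.search(line)]


if __name__ == "__main__":
    print("introspection enabled:", introspection_enabled(SAMPLE_INTROSPECTION_RESPONSE))
    for type_name, fields in exposed_operations(SAMPLE_INTROSPECTION_RESPONSE).items():
        print(f"  {type_name}: {', '.join(fields)}")
    for line in flag_introspection_requests(SAMPLE_LOG_LINES):
        print("introspection request:", line[:60], "...")
```

On your own endpoint, `introspection_enabled` applied to the reply for `INTROSPECTION_QUERY` is the pass/fail check; `exposed_operations` shows what an anonymous client would learn (here, that a `User` type carries a `passwordHash` field and that `allUsers` exists), which is the material to review when deciding whether to disable introspection in production or restrict it to authenticated developer tooling. The large response size on the flagged log line is itself a useful secondary signal.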

Tools that I used in this

  • Burp Suite
  • Burp Suite extensions — JSON Beautifier and GraphQL Raider
  • A web browser [Firefox] :P

How I got the vulnerability

First I logged out and logged in again on example.com, then went to the ‘Update Profile’ section, changed my name from Eshan Singh to Singh Eshan and clicked save. I intercepted that request and sent it to Repeater, and then I saw something interesting, i.e.


GraphQL introspection leads to sensitive data disclosure.