Web - Passman

Hack the Box Cyber Apocalypse CTF 2023, Passman Web Challenge Writeup

So if you have read my blogs or been following me for a little while, you know I love GraphQL security. This challenge had just that. A little easier than I had hoped for, but it was cool to see, so I wrote it up.

To start off, after spinning up the image, I went and messed around on the site while intercepting traffic through Burp Suite. After a little while I stopped and looked through the traffic and was pleasantly surprised to see a /graphql endpoint!

I immediately knew what to do. I fired up GraphiQL, a great tool for looking at GraphQL endpoints, and pointed it towards the endpoint with my authentication token.

Immediately I saw it had introspection enabled, which allows us to look around the schema. Most of the mutations and queries were normal, but the update-password one looked like it could have an IDOR vulnerability, since the user ID was provided as an argument. I went and tested it, and it worked! I had updated the admin account's password!
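To make the bug concrete, here is an added example of what that resolver looks like in the vulnerable shape and in a fixed shape. This is my own illustration, not the challenge's source; the resolver signature follows graphql-js (`parent, args, context`), and the user records, field names and `context.audit` log are assumptions.

```javascript
// Added example, not the challenge's source. Resolvers use the
// (parent, args, context) signature graphql-js passes, but no GraphQL
// library is needed to run them. The user records are constructed data.
const users = new Map();

function resetUsers() {
  users.clear();
  users.set(1, { id: 1, username: 'admin', password: 'admin-initial' });
  users.set(2, { id: 2, username: 'lowpriv', password: 'lowpriv-initial' });
}
resetUsers();

// Vulnerable shape: the caller is authenticated, but the caller-supplied
// `id` argument decides which row is modified. Any logged-in user can
// change any other user's password (IDOR).
function updatePasswordVulnerable(_parent, args, context) {
  if (!context.user) throw new Error('unauthenticated');
  const target = users.get(args.id);
  if (!target) throw new Error('no such user');
  target.password = args.password;
  return { id: target.id, username: target.username };
}

// Hardened shape: identity comes from the server-side session, never from
// the mutation arguments. An `id` that does not match the session is
// rejected and recorded in context.audit for detection. (Introspection is
// not the bug itself, but disabling it in production makes such mutations
// harder to discover.)
function updatePasswordSafe(_parent, args, context) {
  if (!context.user) throw new Error('unauthenticated');
  if (args.id !== undefined && args.id !== context.user.id) {
    context.audit.push(
      `user ${context.user.id} attempted password update for user ${args.id}`);
    throw new Error('forbidden');
  }
  const target = users.get(context.user.id);
  if (!target) throw new Error('no such user');
  target.password = args.password;
  return { id: target.id, username: target.username };
}

// Helper so tests can inspect the store.
function getPassword(id) { return users.get(id).password; }
```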

After this I logged in and the flag was waiting there for me.

PWNED!!!
