GRAPHQL EXPLOITATION

Developer Platform

DevHub exposes a GraphQL API at /graphql. Introspection is enabled. The API lacks authorization checks. Find the flag hidden in the admin's data.

Attack Vectors

  • Introspection: Query __schema to discover all types, queries, and fields
  • IDOR: Access any user/repo/secret by ID without authorization
  • Batch/Alias: Use GraphQL aliases to query multiple resources in one request
  • GraphiQL: Interactive IDE available at /graphql
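As an added defensive counterpart to the vectors listed above (example code written for this page, not part of the challenge or of DevHub), the following Python script triages a request log for the same three signals: introspection queries, alias batching, and one user touching many distinct object ids. The log entries are constructed samples in an assumed `{"user", "query"}` shape; a real gateway log would need its own field mapping.

```python
import re
from collections import defaultdict

# Constructed sample of POST /graphql bodies as an API gateway might log them
# (illustrative values only, not taken from DevHub).
SAMPLE_LOG = [
    {"user": "alice", "query": "{ me { id name repos { name } } }"},
    {"user": "bob",   "query": "{ __schema { types { name fields { name } } } }"},
    {"user": "bob",   "query": "{ u1: user(id: 1) { secrets { value } } "
                               "u2: user(id: 2) { secrets { value } } "
                               "u3: user(id: 3) { secrets { value } } }"},
    {"user": "bob",   "query": "{ user(id: 42) { name secrets { value } } }"},
]

# __schema / __type selections are the introspection entry points
INTROSPECTION_RE = re.compile(r"\b__(schema|type)\b")
# alias form "name: field(" counts aliased field selections that take arguments
ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*\s*\(")
# id arguments, quoted or bare, used for per-user enumeration counting
ID_ARG_RE = re.compile(r"\bid\s*:\s*\"?(\w+)\"?")


def analyze_request(query, alias_threshold=3):
    """Findings for a single query string: introspection and alias batching."""
    findings = []
    if INTROSPECTION_RE.search(query):
        findings.append("introspection")
    alias_count = len(ALIAS_RE.findall(query))
    if alias_count >= alias_threshold:
        findings.append(f"alias_batch:{alias_count}")
    return findings


def analyze_log(entries, alias_threshold=3, id_threshold=3):
    """Per-user findings over a request log; flags users that reach many distinct ids."""
    report = defaultdict(list)
    ids_seen = defaultdict(set)
    for entry in entries:
        report[entry["user"]].extend(analyze_request(entry["query"], alias_threshold))
        ids_seen[entry["user"]].update(ID_ARG_RE.findall(entry["query"]))
    for user, ids in ids_seen.items():
        if len(ids) >= id_threshold:
            report[user].append(f"id_enumeration:{len(ids)}")
    return dict(report)


if __name__ == "__main__":
    for user, findings in analyze_log(SAMPLE_LOG).items():
        print(user, findings or "clean")
```

The regexes are a triage heuristic and will misjudge queries that hide these tokens in string literals or comments; for production detection, walk the parsed query AST instead, and pair the alert with the actual fixes the page implies (disable introspection outside development, enforce object-level authorization in every resolver, cap aliases per request).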
