Hacking GraphQL : Hacker101 CTF BugDB v1

Hacker 101 CTF for Beginner Level GraphQL Hacking



What is GraphQL?

Table of Contents


GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data. GraphQL provides a complete and understandable description of the data in your API, gives clients the power to ask for exactly what they need and nothing more, makes it easier to evolve APIs over time, and enables powerful developer tools.

GraphQL is now very popular and is used by many companies.From a Bug Hunter’s and Web Application testing point of view this is a new skill and a attack vector which should to be added to the arsenal.

In this article we will try to learn GraphQL hacking by doing a CTF and it is assumed that you have limited knowledge of the weaknesses which a default GraphQL implementation contains.

Setup and Tools

There are few resources available out on the web to learn hacking GraphQL and one such resource is the HackerOne’s CTF. Register and login and look for “BugDB v1” under “Web, GraphQL” skill.


Start the “BugDB v1” and navigate to the challenge and you will be presented with an interface like:


This is called GraphiQL — is an interactive in-browser GraphQL IDE (Interactive Development Environment) and if exposed (usually in default implementations and the dev/staging environment ) is usually at /graphiql endpoint. That’s good now what?

Introspection and Schema




Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900,AZ204,AZ500