API Security challenge Help!

Hello, I’m stuck with this:

Validation via Postman

Time for work in our faithful API browser. Import the GraphQL Schema from /home/cybrary/PasteBook/pastebook.collection into Postman.

Conduct the OS injection attack via the import paste function to output the content of the flag located at /opt/dvga/flag.txt.

Hint: the original Attack payload used the Linux cat command to display the content of the /etc/passwd file. This time, you want to display the content of the /opt/dvga/flag.txt file.

You should have received a flag in the response. Throw that in the Tasks pane.

Now, one last ask, and it’ll require some discernment on your end. We’ll use GraphQL Voyager to visualize the GraphQL schema and search for some circular references we may be able to exploit for Denial-of-Service (DoS).

In Firefox, open GraphQL Voyager using the provided bookmark. Click CHANGE SCHEMA on the left, then copy the contents of the schema at Home > Cybrary > Pastebook > schema.graphql into the SDL tab.

You’ll see a bunch of Objects that contain various fields. Look for any Objects that reference each other (arrows in both directions). You should find one pair that has fields that reference each other. This creates a circular reference that may be exploitable for DoS by creating a large nested query.

Tip: You can hover over the arrows to clarify which fields are being referenced in each direction.

Found the relevant fields? Great. Plug those in the Tasks pane to finish the challenge.

The guided exercise doesn’t mention how to do it... or maybe I didn’t understand it! How can I solve it? HELP
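For context on the OS injection part of the challenge (the import paste function), here is an added example of what the bug looks like from the developer's side and how it is fixed. This is constructed code, not the DVGA/Pastebook source; the function names, the `curl` fetch and the URL rules are assumptions for illustration.

```python
"""Constructed example: handling a user-supplied URL in an 'import paste'
feature safely, instead of interpolating it into a shell command line.
Hypothetical names; this is not the DVGA/Pastebook code."""
import shlex
import subprocess
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
SHELL_METACHARS = ";|&$`\n\r<>()'\""


def build_shell_command_unsafe(url: str) -> str:
    # Vulnerable pattern: the raw value is pasted into a string that a shell
    # will parse, so any shell metacharacters in `url` become part of the
    # command. Returned as a string (never executed here) so it can be inspected.
    return f"curl -s {url}"


def build_shell_command_quoted(url: str) -> str:
    # If a shell is genuinely unavoidable, shlex.quote() turns the whole value
    # into one literal word; metacharacters lose their meaning.
    return f"curl -s {shlex.quote(url)}"


def validate_import_url(url: str) -> str:
    # Input-validation layer: only absolute http(s) URLs with a host, and no
    # shell metacharacters, get anywhere near a subprocess.
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError("import URL must be an absolute http(s) URL")
    if any(ch in url for ch in SHELL_METACHARS):
        raise ValueError("import URL contains disallowed characters")
    return url


def build_argv_safe(url: str) -> list[str]:
    # Preferred fix: an argument vector handed to the process directly
    # (shell=False). The URL is a single argv element and is never parsed by a
    # shell, and '--' stops it from being read as a curl option.
    return ["curl", "-s", "--", validate_import_url(url)]


def import_paste(url: str, timeout: float = 5.0) -> bytes:
    # Runs the hardened argv. Shown for completeness; the checks below only
    # inspect the command construction and do not perform network access.
    result = subprocess.run(
        build_argv_safe(url), shell=False, capture_output=True,
        timeout=timeout, check=True,
    )
    return result.stdout
```

The detection angle follows from the same idea: a paste-import parameter that contains `;`, `|`, `$(` or backticks is never a legitimate URL, so the validation failures above are exactly the events worth logging and alerting on.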
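For the GraphQL Voyager part (the pair of Objects whose fields reference each other), here is an added example that does the same search programmatically over an SDL document and shows the standard mitigation, a query depth limit. The SDL below is constructed for the example (type names `Article`/`Writer` are made up), not the Pastebook `schema.graphql`, and the regex parser only handles plain `type` definitions.

```python
"""Constructed example (not the DVGA/Pastebook schema): find object types in a
GraphQL SDL document that reference each other, and check query nesting depth."""
import re
from collections import defaultdict

# Constructed sample schema with one mutual reference: Article.author -> Writer
# and Writer.articles -> Article.
SAMPLE_SDL = """
type Query {
  articles: [Article!]!
  writer(id: ID!): Writer
}

type Article {
  id: ID!
  title: String!
  author: Writer!
  tags: [String!]
}

type Writer {
  id: ID!
  name: String!
  articles: [Article!]!
}

type Tag {
  name: String!
}
"""

# Constructed query that walks the cycle; depth 5 by brace nesting.
DEEP_QUERY = "{ articles { author { articles { author { name } } } } }"

TYPE_RE = re.compile(r"type\s+(\w+)\s*(?:implements[^{]*)?\{([^}]*)\}", re.S)
FIELD_RE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*([\[\]\w!]+)", re.M)
SCALARS = {"Int", "Float", "String", "Boolean", "ID"}


def parse_references(sdl: str) -> dict:
    """Return {type: {field: referenced_type}} for fields whose unwrapped type
    is another object type defined in the document."""
    defined = {m.group(1) for m in TYPE_RE.finditer(sdl)}
    refs = defaultdict(dict)
    for m in TYPE_RE.finditer(sdl):
        type_name, body = m.group(1), m.group(2)
        for fname, ftype in FIELD_RE.findall(body):
            target = ftype.strip("[]!")  # drop list and non-null wrappers
            if target in defined and target not in SCALARS:
                refs[type_name][fname] = target
    return dict(refs)


def find_mutual_references(sdl: str) -> list:
    """Pairs (A, fieldA, B, fieldB) such that A.fieldA -> B and B.fieldB -> A.
    These are the two-way arrows you would see in Voyager."""
    refs = parse_references(sdl)
    found = []
    for a, fields_a in refs.items():
        for fa, b in fields_a.items():
            for fb, back in refs.get(b, {}).items():
                # report each unordered pair once (self-references included)
                if back == a and (a < b or (a == b and fa <= fb)):
                    found.append((a, fa, b, fb))
    return sorted(found)


def query_depth(query: str) -> int:
    """Maximum selection-set nesting depth, counted by braces. String literals
    are not handled; enough for a depth-limit demonstration."""
    depth = max_depth = 0
    for ch in query:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth


def exceeds_depth_limit(query: str, limit: int) -> bool:
    """Mitigation: reject queries nested deeper than `limit` before execution,
    so a circular schema cannot be walked indefinitely."""
    return query_depth(query) > limit


if __name__ == "__main__":
    for a, fa, b, fb in find_mutual_references(SAMPLE_SDL):
        print(f"circular reference: {a}.{fa} -> {b} and {b}.{fb} -> {a}")
    print("deep query rejected:", exceeds_depth_limit(DEEP_QUERY, 3))
```

On the real schema you would feed the contents of `schema.graphql` to `find_mutual_references` instead of `SAMPLE_SDL`; the output names the same fields the Voyager arrows point at. Depth limiting (or query cost analysis) is what an API owner adds so that the circular reference stops being a DoS vector.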

Hey @Silvs!

Your confusion is understandable – this one lacked some clarity/direction. Additionally, I discovered a few other hiccups:

  • The flag.txt path I provided was incorrect, so you would have had trouble finding that flag even if you were clear on how to replicate the exploit in Postman.
  • The ZAP Active Scan was liable to break the GraphQL application, making exploitation impossible until the application is restarted.

Sorry about that! These issues have now been addressed. I think you’ll find the Challenge completable now, but please let me know if you require any additional signposts.

Happy hacking!
-Raggetd