Hello, I’m stuck with this:
Validation via Postman
Time for work in our faithful API browser. Import the GraphQL Schema from /home/cybrary/PasteBook/pastebook.collection into Postman.
Conduct the OS injection attack via the import paste function to output the content of the flag located at /opt/dvga/flag.txt.
Hint: the original Attack payload used the Linux cat command to display the content of the /etc/passwd file. This time, you want to display the content of the /opt/dvga/flag.txt file.
You should have received a flag in the response. Throw that in the Tasks pane.
Now, one last ask, and it’ll require some discernment on your end. We’ll use GraphQL Voyager to visualize the GraphQL schema and search for some circular references we may be able to exploit for Denial-of-Service (DoS).
In Firefox, open GraphQL Voyager using the provided bookmark. Click CHANGE SCHEMA on the left, then copy the contents of the schema at Home > Cybrary > Pastebook > schema.graphql into the SDL tab.
You’ll see a bunch of Objects that contain various fields. Look for any Objects that reference each other (arrows in both directions). You should find one pair that has fields that reference each other. This creates a circular reference that may be exploitable for DoS by creating a large nested query.
Tip: You can hover over the arrows to clarify which fields are being referenced in each direction.
Found the relevant fields? Great. Plug those in the Tasks pane to finish the challenge.
The guided exercise doesn’t mention how to do it... or maybe I didn’t understand that! How can I solve it? HELP
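The quoted lab text describes spotting object types whose fields point at each other, which is the same review a schema owner does to decide where query depth or complexity limits are needed. The following is an added example, not part of the original post or the lab material. It runs that check over a constructed SDL sample; the `Book`, `Author` and `Tag` types are hypothetical and are not the lab's schema. The simple regex parser assumes single-line field definitions with no nested braces.

```python
import re

# Constructed sample schema (hypothetical types, not the lab's schema.graphql).
SAMPLE_SDL = '''
type Query {
  books: [Book!]!
  author(id: ID!): Author
}

type Book {
  id: ID!
  title: String
  writer: Author!
  tags(first: Int = 10): [Tag]
}

type Author {
  id: ID!
  name: String
  works: [Book!]
}

type Tag {
  label: String
}
'''

TYPE_RE = re.compile(r'\btype\s+(\w+)[^{]*\{([^}]*)\}')
# A field line: name, optional (args), colon, then a type that may be wrapped in [ ] and !.
FIELD_RE = re.compile(r'^\s*(\w+)\s*(?:\([^)]*\))?\s*:\s*\[*\s*(\w+)', re.M)

def object_edges(sdl):
    """Map each object type to {field name: object type that field returns}."""
    bodies = {name: body for name, body in TYPE_RE.findall(sdl)}
    return {name: {f: t for f, t in FIELD_RE.findall(body) if t in bodies}
            for name, body in bodies.items()}

def mutual_references(sdl):
    """Return (type_a, field_a, type_b, field_b) where a.field_a -> b and b.field_b -> a."""
    edges = object_edges(sdl)
    pairs = []
    for a in sorted(edges):
        for fa, b in sorted(edges[a].items()):
            if a < b:  # report each pair once; self-references are skipped
                pairs += [(a, fa, b, fb) for fb, t in sorted(edges[b].items()) if t == a]
    return pairs
```

Each tuple it returns names a pair of fields that lets a query nest without bound unless the server enforces a maximum depth or cost.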