WRITEUP #1146

From Response To Request, Adding Your Own Variables Inside Of GraphQL Queries For Account Take Over

Tags: API, GraphQL, IDOR, Mass assignment
by Tom Neaves
Program: -
Published: May 23, 2023
Added to HackDex: Jun 5, 2023
Read Full Writeup: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/from-response-to-request-adding-your-own-variables-inside-of-graphql-queries-for-account-take-over/
RELATED WRITEUPS
The Butterfly Effect: Turning Overlooked Misconfigurations into Zero Click Account Takeover
Tags: API, GraphQL
Authorization bypass due to cache misconfiguration
Tags: API, Authorization bypass
Zomatoooo! IDOR in Saved Payments
Tags: IDOR
How I got my first $13500 bounty through Parameter Polluting (HPP)
Tags: IDOR, XSS
A Creative Way To Get Someone's YouTube Videos Deleted + A Copyright Strike Against Their YouTube Channel
Tags: IDOR, Broken Access Control