The Breach challenge on WebVerse Labs exposes a GraphQL API backing a notes application. The notes are visible in the UI, but a GraphQL schema often has surfaces the front-end never touches. Map what's really there, and find a way to reach the flag.
Objective: Identify that the application makes a POST request to a GraphQL endpoint and understand the structure of the initial query being sent.
Context: Navigate to the Breach challenge at https://webverselabs-pro.com/. The app presents a Notes Feed with public notes. Use your browser's DevTools (Network tab) or a proxy like Burp Suite to observe background traffic as the page loads.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
Watch the network traffic in your browser DevTools or Burp Suite when the Notes Feed page loads. Look for an API call that retrieves the notes.
The app is using GraphQL. Intercept the POST request to the `/graphql` endpoint and inspect the query body. Notice how the `notes` field uses an argument to control what data is returned.
The POST request goes to `POST /graphql HTTP/2` on `4d665099-3953-breach-969c5.challenges.webverselabs-pro.com`. The query body is: `{ "query": "{\n notes(includePrivate:false){\n id title content authorId isPrivate\n }\n}" }` — note that `notes` takes an `includePrivate` boolean argument.
Intercept the POST request to `/graphql`. The query is:
```
{
notes(includePrivate:false){
id title content authorId isPrivate
}
}
```
The endpoint is: `https://4d665099-3953-breach-969c5.challenges.webverselabs-pro.com/graphql`
The response returns public notes with fields: id, title, content, authorId, isPrivate.
Validation criteria: Student intercepts the GraphQL POST request and identifies the `notes(includePrivate:false)` query syntax with its argument, and notes the full GraphQL endpoint URL.
[solution revealed]
Solution revealed