The Breach challenge on WebVerse Labs exposes a GraphQL API backing a notes application. The notes are visible in the UI, but a GraphQL schema often has surfaces the front-end never touches. Map what's really there, and find a way to reach the flag.
Objetivo: Identify that the application makes a POST request to a GraphQL endpoint and understand the structure of the initial query being sent.
Contexto: Navigate to the Breach challenge at https://webverselabs-pro.com/. The app presents a Notes Feed with public notes. Use your browser's DevTools (Network tab) or a proxy like Burp Suite to observe background traffic as the page loads.
Revela solo las que necesites. Claude lleva la cuenta de cuántas usaste para calibrar la retroalimentación.
Watch the network traffic in your browser DevTools or Burp Suite when the Notes Feed page loads. Look for an API call that retrieves the notes.
The app is using GraphQL. Intercept the POST request to the `/graphql` endpoint and inspect the query body. Notice how the `notes` field uses an argument to control what data is returned.
The POST request goes to `POST /graphql HTTP/2` on `4d665099-3953-breach-969c5.challenges.webverselabs-pro.com`. The query body is: `{ "query": "{\n notes(includePrivate:false){\n id title content authorId isPrivate\n }\n}" }` — note that `notes` takes an `includePrivate` boolean argument.
Chatea con un tutor anti-spoiler para este paso. Usa solo la especificación de este lab y empieza por la pista más pequeña que sirva.
Cuéntale qué probaste, dónde te atoraste, o pega la respuesta/error que estás viendo.
¿Te gusta Hintru? Buy me a coffee ☕ ☕