The Breach challenge on WebVerse Labs exposes a GraphQL API backing a notes application. The notes are visible in the UI, but a GraphQL schema often has surfaces the front-end never touches. Map what's really there, and find a way to reach the flag.
Objetivo: Identify that the application makes a POST request to a GraphQL endpoint and understand the structure of the initial query being sent.
Contexto: Navigate to the Breach challenge at https://webverselabs-pro.com/. The app presents a Notes Feed with public notes. Use your browser's DevTools (Network tab) or a proxy like Burp Suite to observe background traffic as the page loads.
Revela solo las que necesites. Claude lleva la cuenta de cuántas usaste para calibrar la retroalimentación.
Watch the network traffic in your browser DevTools or Burp Suite when the Notes Feed page loads. Look for an API call that retrieves the notes.
The app is using GraphQL. Intercept the POST request to the `/graphql` endpoint and inspect the query body. Notice how the `notes` field uses an argument to control what data is returned.
The POST request goes to `POST /graphql HTTP/2` on `4d665099-3953-breach-969c5.challenges.webverselabs-pro.com`. The query body is: `{ "query": "{\n notes(includePrivate:false){\n id title content authorId isPrivate\n }\n}" }` — note that `notes` takes an `includePrivate` boolean argument.
Intercept the POST request to `/graphql`. The query is:
```
{
notes(includePrivate:false){
id title content authorId isPrivate
}
}
```
The endpoint is: `https://4d665099-3953-breach-969c5.challenges.webverselabs-pro.com/graphql`
The response returns public notes with fields: id, title, content, authorId, isPrivate.
Criterio de validación: Student intercepts the GraphQL POST request and identifies the `notes(includePrivate:false)` query syntax with its argument, and notes the full GraphQL endpoint URL.
[solution revealed]
Solution revealed