
Breach - WebVerse (GraphQL)

EN · easy · CTF challenge · GraphQL · Introspection · Broken Access Control · Information Disclosure · API Security

The Breach challenge on WebVerse Labs exposes a GraphQL API backing a notes application. The notes are visible in the UI, but a GraphQL schema often has surfaces the front-end never touches. Map what's really there, and find a way to reach the flag.


Step 2 · Run GraphQL Introspection to Map the Schema

Objective: Send a GraphQL introspection query to enumerate every available type, field and argument, looking in particular for hidden or undocumented fields.

Context: You have confirmed the GraphQL endpoint at `/graphql`. GraphQL APIs often expose their full schema through introspection, so this is a key recon step for discovering every available type, query, field and argument.

Progressive hints

Reveal only the ones you need. Claude keeps count of how many you used to calibrate the feedback.

Hint 1: a directional nudge

GraphQL has a built-in mechanism to query its own schema. Try sending a special meta-query to the endpoint to discover all available types and fields.

Hint 2: technique / vulnerability class

Use a GraphQL introspection query targeting `__schema`. Focus on discovering type names, their fields, and the arguments those fields accept.

Hint 3: almost the solution

Send this introspection query via POST to `/graphql`:
```json
{"query": "{ __schema { types { name fields { name args { name } } } } }"}
```
Look through the response for any type or field you haven't seen in the UI yet.
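A helper for this enumeration step, added here as an example and not part of the lab's original material: it wraps the Hint 3 query as a POST payload, parses the introspection response into a type → field → argument map (skipping the built-in `__` types and field-less scalars), and lists the fields the front-end never requests so you know where to look next. The endpoint URL passed to `send_introspection`, the set of UI field names, and the sample responses are all assumptions or constructed data; `summarize_schema` returns `None` when the server answers with an `errors` list, which is what an API with introspection disabled (the usual production hardening) looks like.

```python
"""Parse a GraphQL introspection response into a readable type/field/arg map."""
import json
import urllib.request

# The introspection query from Hint 3, as the JSON body for POST /graphql.
INTROSPECTION_PAYLOAD = {
    "query": "{ __schema { types { name fields { name args { name } } } } }"
}


def send_introspection(url):
    """POST the introspection query to `url` and return the parsed JSON body.

    `url` is an assumption: whatever endpoint you are authorised to test, such
    as the lab's /graphql. This does live network I/O and is not called below.
    """
    body = json.dumps(INTROSPECTION_PAYLOAD).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize_schema(response):
    """Return {type_name: {field_name: [arg names]}} for user-defined types.

    Built-in types (names starting with "__") and scalars without fields are
    skipped. When introspection is disabled the server returns an "errors"
    list and no "data"; return None so the caller can tell "introspection
    blocked" apart from "schema has no user types".
    """
    if "data" not in response or response["data"] is None:
        return None
    summary = {}
    for t in response["data"]["__schema"]["types"]:
        name = t.get("name", "")
        if name.startswith("__") or not t.get("fields"):
            continue
        summary[name] = {
            f["name"]: [a["name"] for a in (f.get("args") or [])]
            for f in t["fields"]
        }
    return summary


def fields_not_in_ui(summary, ui_fields):
    """List (type, field) pairs the front-end never requests.

    `ui_fields` is the set of field names observed in the browser's GraphQL
    traffic; anything else the schema exposes deserves a closer review.
    """
    return sorted(
        (type_name, field)
        for type_name, fields in summary.items()
        for field in fields
        if field not in ui_fields
    )


# Constructed sample response (not captured from the lab), in the shape a
# GraphQL server returns for the query above.
SAMPLE_RESPONSE = {
    "data": {
        "__schema": {
            "types": [
                {"name": "Query", "fields": [
                    {"name": "notes", "args": []},
                    {"name": "note", "args": [{"name": "id"}]},
                    {"name": "allNotes", "args": [{"name": "owner"}]},
                ]},
                {"name": "Note", "fields": [
                    {"name": "id", "args": []},
                    {"name": "title", "args": []},
                    {"name": "body", "args": []},
                ]},
                {"name": "String", "fields": None},
                {"name": "__Schema", "fields": [{"name": "types", "args": []}]},
            ]
        }
    }
}

# Constructed response shape for a server with introspection disabled.
BLOCKED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}

if __name__ == "__main__":
    summary = summarize_schema(SAMPLE_RESPONSE)
    for type_name, fields in summary.items():
        for field, args in fields.items():
            print(f"{type_name}.{field}({', '.join(args)})")
    # Field names seen in the notes UI (constructed to match the sample).
    seen_in_ui = {"notes", "note", "id", "title", "body"}
    print("Not used by the UI:", fields_not_in_ui(summary, seen_in_ui))
    print("Introspection blocked:", summarize_schema(BLOCKED_RESPONSE) is None)
```

Run it as-is to see the sample parsed; to use it against the lab, call `summarize_schema(send_introspection("<lab /graphql URL>"))` and feed the field names you saw in the browser's network tab into `fields_not_in_ui`. A `None` result means the server refuses introspection, in which case this recon path is closed and the schema has to be learned from the client's own queries.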
