← vuln-lab catalog

GraphQL — introspection & field-level IDOR

/api/graphql leaves introspection (__schema) enabled and exposes a user(id) resolver with no authorization, so a single query maps the schema and dumps any user's apiKey / ssn.

(no response yet)

Trigger: { __schema { types { name } } } (introspection) and user(id: 3){ apiKey ssn } (IDOR).

Detected by: browser_cdp_graphql_scan