BugForge - Daily - Ottergram (Repeat)
Daily - Ottergram (Repeat)
This is a repeat of the daily challenge from January 10th, 2026.
Vulnerability Overview
The application exposes a GraphQL API with introspection enabled in production, allowing attackers to query the full API schema and discover sensitive operations. Through schema enumeration, a user query was identified that accepts an id parameter and returns sensitive fields including username, email, password, and role. The endpoint lacks proper object-level authorization checks, enabling any authenticated user to query arbitrary user records by manipulating the ID parameter. By enumerating user IDs, the admin account (ID 2) was discovered and its credentials - including the flag stored in the password field - were successfully exfiltrated.
Key Issues:
- GraphQL introspection is enabled in production, exposing the full API schema to any user
- The user query accepts arbitrary ID values without validating ownership or permissions
- Sensitive fields such as password are exposed directly through the API schema
Vulnerabilities Covered
- GraphQL Introspection Enabled
- IDOR (Insecure Direct Object Reference)
Classification
- OWASP Top 10: A01:2021 - Broken Access Control, A05:2021 - Security Misconfiguration
- Vulnerability Type: GraphQL Introspection Enabled, Insecure Direct Object Reference (IDOR)
- Attack Surface: GraphQL API endpoint with unrestricted schema access
- CWE: CWE-200 - Exposure of Sensitive Information, CWE-639 - Authorization Bypass Through User-Controlled Key
This post is licensed under CC BY 4.0 by the author.
