#Graphql
3 postsBugForge - Daily - Sokudo (Jun 26, 2026)
Sokudo's GraphQL API leaves introspection enabled, exposing the full schema. By dumping the schema, enumerating queries and mutations, and inspecting the ChampionshipResult type, an unprotected finalizeChampionship mutation was found that returned the prizeCode containing the flag…
Graphql
Posted on 2026-06-26 20:00 4 min read
BugForge - Daily - Sokudo (Jun 17, 2026)
Sokudo is a typing speed test application whose GraphQL API exposes an unrestricted users query. By enumerating the users collection and requesting sensitive fields, the admin account's password, containing the flag, was extracted…
Graphql
Posted on 2026-06-17 20:00 3 min read
BugForge - Daily - Ottergram (Jan 10, 2026)
The application exposes a GraphQL API with introspection enabled in production, allowing attackers to query the full API schema and discover sensitive…
Graphql Introspection IDOR Broken Access Control
Posted on 2026-01-10 20:00 5 min read