
Certified API Security Professional (CASP)

Last updated on Jan 28, 2026

The API security training prepares you for the Certified API Security Professional (CASP) course, a vendor-neutral APIsec certification designed to assess an IT professional's API security expertise.

Common Questions:

Q1: How did we know what parameters (id, grade, comments, user, name, email) go into grades?

A: In a real attack scenario, attackers would not necessarily know the specific parameters (id, grade, comments, etc.) upfront. They might discover them through techniques such as fuzzing, network sniffing, or finding leaked API documentation. This exercise demonstrates exploring a GraphQL API endpoint to understand its structure and infer some of its parameters, but that is only one of the methods attackers use; real-world attackers draw on a much wider range of techniques to discover vulnerabilities.

Q2: How do we know that the schema of updatepassword has id, password, name and email?

A: If you want to see where the data schema comes from, run the following command to retrieve the complete schema via GraphQL introspection:

curl -X POST -H "Content-Type: application/json" -d '{"query": "{ __schema { types { name fields { name type { name kind } } } } }"}' https://sandbox-YourMachineID.lab.practical-devsecops.training/graphql | jq

It returns output like the following, in which you can identify the fields referenced by the command used in the exercise:

{
  "data": {
    "__schema": {
      "types": [
        {

[SNIP]
            {
              "name": "password",
              "type": {
                "name": "String",
                "kind": "SCALAR"
              }
            },

[SNIP]
        {
          "name": "Mutation",
          "fields": [
            {
              "name": "updateUserPassword",
              "type": {
                "name": "User",
                "kind": "OBJECT"
              }
            },

[SNIP]
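As an added example (not part of the course or the lab), the following Python script parses a response of the shape returned by the introspection query above, resolves which object each mutation returns and lists that object's fields, and flags fields whose names suggest secrets. The embedded sample response and the sensitive-word list are constructed for illustration; a real response is pasted in from the curl command.

```python
import json

# Constructed sample response in the shape produced by the introspection
# query on this page (types -> fields -> type name/kind). Names mirror the
# page's excerpt; a real response contains many more types.
SAMPLE_RESPONSE = json.dumps({
    "data": {"__schema": {"types": [
        {"name": "User", "fields": [
            {"name": "id", "type": {"name": "ID", "kind": "SCALAR"}},
            {"name": "name", "type": {"name": "String", "kind": "SCALAR"}},
            {"name": "email", "type": {"name": "String", "kind": "SCALAR"}},
            {"name": "password", "type": {"name": "String", "kind": "SCALAR"}},
        ]},
        {"name": "Mutation", "fields": [
            {"name": "updateUserPassword",
             "type": {"name": "User", "kind": "OBJECT"}},
        ]},
        {"name": "String", "fields": None},  # scalars carry no fields
    ]}}
})

# Assumption: a small audit word list; extend it for your own schema.
SENSITIVE = {"password", "token", "secret", "ssn"}


def index_types(response_text):
    """Map each type name to its field list (scalars map to an empty list)."""
    schema = json.loads(response_text)["data"]["__schema"]
    return {t["name"]: (t.get("fields") or []) for t in schema["types"]}


def mutation_exposure(response_text):
    """Return {mutation_name: (return_type, [field names of that type])},
    which shows what each mutation hands back to the caller."""
    types = index_types(response_text)
    result = {}
    for m in types.get("Mutation", []):
        ret = m["type"]["name"]
        result[m["name"]] = (ret, [f["name"] for f in types.get(ret, [])])
    return result


def sensitive_fields(response_text):
    """List Type.field names that look like secrets. Such fields should not be
    readable through the API, and introspection should be disabled outside
    development so the schema itself is not public."""
    return sorted(
        f"{tname}.{f['name']}"
        for tname, fields in index_types(response_text).items()
        for f in fields if f["name"].lower() in SENSITIVE
    )
```

Running `mutation_exposure(SAMPLE_RESPONSE)` shows that updateUserPassword returns a User whose fields are id, name, email and password, which is how the exercise's field names are inferred; `sensitive_fields` reports `User.password` as a finding to review.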