Cody Brocious
Ethical Hacker,
Hacker 101,
HackerOne Community Blog

GraphQL Week on The Hacker101 Capture the Flag Challenges


What do Netflix, Intuit, Facebook, PayPal, and HackerOne all have in common? All these companies, and many others, have adopted the GraphQL API query language.

Recently, we rolled out three separate GraphQL-based Hacker101 Capture the Flag challenges. They are valuable educational resources for hackers and developers alike: hackers sharpen their bug hunting skills, and developers learn the security missteps to avoid when implementing GraphQL.

Perhaps the best part: you do not need prior experience with GraphQL to begin, though the levels do increase in difficulty!

Level 1: In this level, we introduce BugDB, our bug tracking system. You’ll learn how basic queries work here.

Level 2: Here we’ve patched some of the holes in the first version of BugDB and introduce the concept of mutations, allowing you to manipulate the database.

Level 3: Finally, we’ve upgraded BugDB to fix all the known issues and added file attachments, showing how GraphQL can interact with the rest of an application.
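The three levels build on the same two operation types, queries (reads) and mutations (writes), and on the fact that a GraphQL server can describe its own schema through introspection. The script below is an added example, not code from the Hacker101 challenges or from HackerOne: it shows what each request looks like on the wire, how a tester separates data from errors in the response, and the recon order a hunter follows (map the schema, read, then try to write). Every type and field name (bugs, createBug, Bug, the endpoint URL) is an assumption standing in for whatever the real BugDB schema exposes; the responses are constructed so the example runs offline.

```python
"""GraphQL query, mutation and introspection from a tester's point of view.

Added example, not code from the Hacker101 challenges. All type and field
names and the endpoint URL are assumptions, not the real BugDB schema.
"""
import json
import re
import urllib.request

# Introspection asks the server to describe itself. Where it is enabled it
# is the first request a tester sends: it returns every type and field,
# including the ones the front end never calls.
INTROSPECTION_QUERY = """
query Introspection {
  __schema {
    queryType { name }
    mutationType { name }
    types { name fields { name type { name } } }
  }
}
"""

# A query reads data. Values travel in the separate "variables" object
# rather than being spliced into the query text.
BUGS_QUERY = """
query Bugs($private: Boolean) {
  bugs(private: $private) { id title private reporter { username } }
}
"""

# A mutation writes data: same request format, different root type.
CREATE_BUG_MUTATION = """
mutation CreateBug($title: String!, $private: Boolean!) {
  createBug(title: $title, private: $private) { bug { id title } }
}
"""


def http_transport(url, payload):
    """Real transport: POST the operation as JSON (hypothetical endpoint)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def execute(query, variables=None, transport=http_transport,
            url="https://bugdb.example/graphql"):
    """Send one operation and return its data.

    GraphQL servers normally answer HTTP 200 even on failure; errors sit in
    the JSON body, so a client that only checks the status code misses them.
    """
    body = transport(url, {"query": query, "variables": variables or {}})
    if body.get("errors"):
        raise RuntimeError("; ".join(e["message"] for e in body["errors"]))
    return body["data"]


def schema_summary(data):
    """Flatten introspection output into {type: [field, ...]}, dropping
    GraphQL's own double-underscore types."""
    return {t["name"]: [f["name"] for f in (t["fields"] or [])]
            for t in data["__schema"]["types"]
            if not t["name"].startswith("__")}


# Constructed responses (not real BugDB output) so the example runs offline.
FAKE_RESPONSES = {
    "Introspection": {"data": {"__schema": {
        "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
        "types": [
            {"name": "Query", "fields": [{"name": "bugs", "type": {"name": None}}]},
            {"name": "Mutation", "fields": [{"name": "createBug", "type": {"name": "CreateBugPayload"}}]},
            {"name": "Bug", "fields": [{"name": "id", "type": {"name": "Int"}},
                                       {"name": "title", "type": {"name": "String"}},
                                       {"name": "private", "type": {"name": "Boolean"}}]},
            {"name": "__Schema", "fields": []}]}}},
    "Bugs": {"data": {"bugs": [{"id": 1, "title": "Stored XSS in bug title",
                                "private": False, "reporter": {"username": "alice"}}]}},
    "CreateBug": {"errors": [{"message": "Not authorized"}]},
}


def fake_transport(url, payload):
    """Offline stand-in for http_transport, keyed on the operation name."""
    name = re.match(r"\s*(?:query|mutation)\s+(\w+)", payload["query"]).group(1)
    return FAKE_RESPONSES[name]


def recon(transport=fake_transport):
    """Map the schema, read the data, then test whether writes are allowed."""
    schema = schema_summary(execute(INTROSPECTION_QUERY, transport=transport))
    bugs = execute(BUGS_QUERY, {"private": True}, transport=transport)["bugs"]
    try:
        execute(CREATE_BUG_MUTATION, {"title": "test", "private": True},
                transport=transport)
        write_allowed = True
    except RuntimeError:
        write_allowed = False
    return schema, bugs, write_allowed


if __name__ == "__main__":
    s, b, w = recon()
    print(json.dumps({"schema": s, "bugs": b, "write_allowed": w}, indent=2))
```

To run it against a live target, pass `transport=http_transport` and the real endpoint URL to `recon` or `execute`. Note that the read succeeds on `private: True` in the constructed response while the write is refused; whether a real server checks authorization on both paths is exactly the kind of gap the challenges ask you to look for.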

Join us in congratulating the hackers who were the first to solve these challenges!

First five solvers for level 1: rykkard, nessun00x, lightfoj, panya, rijalrojan
First five solvers for level 2: yashrs, dee-see, rykkard, panya, rohan_x3
First five solvers for level 3: abkarino, fersingb, kishanbagaria, panya, 5oda4n

Head over to ctf.Hacker101.com to begin testing your GraphQL hacking skills today.

Happy hacking!

PS: HackerOne's Hacktivity page lists several disclosed bugs related to GraphQL implementations (report #489146 in particular is a good one). Another is this fun one reported to Shopify during the h1-514 Live Hacking Event.