What do Netflix, Intuit, Facebook, PayPal, and HackerOne all have in common? All these companies, and many others, have adopted the GraphQL API query language.
Recently, we rolled out 3 separate GraphQL-based Hacker101 Capture the Flag challenges. These are valuable educational resources for hackers and developers alike, improving bug hunting capability and helping developers prevent security missteps when implementing GraphQL.
Perhaps the best part: you do not need prior experience with GraphQL to begin, but the levels do increase in difficulty!
Level 1: In this level, we introduce BugDB, our bug tracking system. You’ll learn how basic queries work here.
It’s #GraphQL week on the #Hacker101 CTF! Kicking it off today, we released a new level to get you started. Come check out BugDB v1 at https://t.co/J4V3AxJoi3 ⚡️
— HackerOne (@Hacker0x01) July 1, 2019
Level 2: Here we’ve patched some of the holes in the first version of BugDB and introduce the concept of mutations, allowing you to manipulate the database.
Part two of #GraphQL week on the #Hacker101 CTF is out! You don’t need to be Professor X to figure this out, but a little mutation could really help. Check out BugDB v2 at https://t.co/J4V3AxJoi3 pic.twitter.com/PuVbowF22o
— HackerOne (@Hacker0x01) July 3, 2019
Level 3: Finally, we’ve upgraded BugDB to fix all the known issues and added file attachments, showing how GraphQL can interact with the rest of an application.
Looking for plans this weekend? We have the perfect challenge for you. To round out #GraphQL week on the #Hacker101 CTF, we ramped up the difficulty and released the third level. Learn new technology and show your skills at https://t.co/J4V3AxJoi3. pic.twitter.com/A7IaIX6YOL
— HackerOne (@Hacker0x01) July 5, 2019
Join us in congratulating the hackers who were the first to solve these challenges!
First five solvers for level 1: rykkard, nessun00x, lightfoj, panya, rijalrojan
First five solvers for level 2: yashrs, dee-see, rykkard, panya, rohan_x3
First five solvers for level 3: abkarino, fersingb, kishanbagaria, panya, 5oda4n
Head over to ctf.Hacker101.com to begin testing your GraphQL hacking skills today.
Happy hacking!
PS: The HackerOne Program Hacktivity page lists a few disclosed bugs related to our own GraphQL implementation (report #489146 in particular is a good one). Another Hacktivity report worth reading is this fun one, reported to Shopify during the h1-514 Live Hacking Event.