“No Good Deed Goes Unnoticed? Not in Cybersecurity.”: An unlucky hacker’s story


Nijin K

Hacking has always been my passion, giving me an adrenaline rush during late nights.

Through this post, I would like to share an unlucky hacking story that I came across.

The story begins with me discovering a .git folder exposure on a website. After researching further, I found a tool called Git Dumper, which helps in extracting the Git repository from a website.

I successfully dumped the files.

It was a PHP-based site, and I started looking for sensitive secrets or passwords among the files. Finally, I came across db.config.php, which contained connectivity details to a database, including the DB host, username, and password.

I immediately drafted an email and sent it to the concerned people.

I received a reply stating:
“There is no database at all in our framework. It must be some junk file left by a developer.”

I was really disappointed. With great disappointment, I closed my laptop and went to sleep.

But I couldn’t sleep at all. If they had made such a simple mistake, there was a good chance they had made even bigger ones. This thought rejuvenated me.

I started again, late into the night.

I registered on their site and logged in. I found that they were using GraphQL, but I didn’t know anything about GraphQL. Studying more about GraphQL gave me some idea of how it worked. There I came across the term “introspection query”.

GraphQL Introspection Query is a feature built into the GraphQL specification that allows clients to query the schema of a GraphQL server. By executing an introspection query, a client can retrieve detailed information about the types, fields, arguments, and other schema elements supported by the server. This information is useful for generating documentation, building client-side tools, or dynamically exploring the API’s structure.

But for a hacker, all of this is vital information that can be misused. Introspection queries sometimes return unused internal API details as well, which can lead…
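Because introspection hands out the whole schema, the defensive counterpart of what is described above is to recognise introspection queries in incoming traffic and to refuse them in production unless they have been deliberately enabled. The Python below is an added example written for this post, not code from the post or from the site in the story. It assumes request bodies arrive as the usual JSON `{"query": ...}` envelope (the sample bodies are constructed), and the function names `strip_literals`, `is_introspection`, `flag_introspection` and `enforce` are hypothetical. The check looks for a `__schema` or `__type` selection after removing GraphQL string literals and comments, so a query that merely mentions `__schema` inside a string argument is not flagged, and `__typename`, which is harmless, is left alone.

```python
import json
import re

# Constructed sample request bodies, as a client would POST them to /graphql.
# Written for this example; not captured traffic.
SAMPLE_BODIES = [
    '{"query": "{ me { id name } }"}',                                       # ordinary query
    '{"query": "query IntrospectionQuery { __schema { types { name fields { name } } } }"}',
    '{"query": "{ __type(name: \\"User\\") { fields { name type { name } } } }"}',
    '{"query": "{ __typename }"}',                                           # meta-field, not introspection
    '{"query": "{ search(text: \\"__schema\\") { id } }"}',                  # __schema only inside a string
    'not json at all',                                                       # malformed body
]

# GraphQL block strings, ordinary strings, and line comments, in that order.
_STRING_LITERAL = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_COMMENT = re.compile(r"#[^\n]*")
# A __schema or __type selection: the field name followed by a selection set or arguments.
_INTROSPECTION_ROOT = re.compile(r"\b__(?:schema|type)\b\s*[({]")


def strip_literals(query):
    """Blank out string literals first (they may contain '#'), then drop comments."""
    query = _STRING_LITERAL.sub('""', query)
    return _COMMENT.sub("", query)


def is_introspection(body):
    """True if the JSON request body carries a schema introspection query."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False            # malformed bodies are the parser's problem, not ours
    if not isinstance(doc, dict):
        return False
    query = doc.get("query")
    if not isinstance(query, str):
        return False
    return _INTROSPECTION_ROOT.search(strip_literals(query)) is not None


def flag_introspection(bodies):
    """Indexes of the request bodies that contain an introspection query."""
    return [i for i, body in enumerate(bodies) if is_introspection(body)]


def enforce(body, introspection_allowed=False):
    """Gate a request the way a production endpoint should: return a GraphQL-style
    error envelope for introspection unless it was explicitly enabled (e.g. in dev);
    return None to let the request through to the real resolver."""
    if is_introspection(body) and not introspection_allowed:
        return {"errors": [{"message": "GraphQL introspection is disabled"}]}
    return None


if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        verdict = "INTROSPECTION" if is_introspection(body) else "ok"
        print(f"request {i}: {verdict}")
```

Run as a script it labels requests 1 and 2 as introspection and passes the rest. Dropping the gate into the request path (or the same regex into a WAF rule or a SIEM search over request logs) gives a record of who is mapping the schema, which is the first signal that someone has moved on from a stray db.config.php to the API itself.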
