
Breach - WebVerse (GraphQL)

Difficulty: easy · CTF challenge · Tags: GraphQL, Introspection, Broken Access Control, Information Disclosure, API Security

The Breach challenge on WebVerse Labs exposes a GraphQL API backing a notes application. The notes are visible in the UI, but a GraphQL schema often has surfaces the front-end never touches. Map what's really there, and find a way to reach the flag.

Phase: enumeration

Step 1 · Identify the GraphQL Endpoint and Initial Query Structure

Objective: Identify that the application makes a POST request to a GraphQL endpoint and understand the structure of the initial query being sent.

Context: Navigate to the Breach challenge at https://webverselabs-pro.com/. The app presents a Notes Feed with public notes. Use your browser's DevTools (Network tab) or a proxy like Burp Suite to observe background traffic as the page loads.

Progressive hints


Hint 1 — directional nudge

Watch the network traffic in your browser DevTools or Burp Suite when the Notes Feed page loads. Look for an API call that retrieves the notes.

Hint 2 — technique / vuln class

The app is using GraphQL. Intercept the POST request to the `/graphql` endpoint and inspect the query body. Notice how the `notes` field uses an argument to control what data is returned.

Hint 3 — near solution

The POST request goes to `POST /graphql HTTP/2` on `4d665099-3953-breach-969c5.challenges.webverselabs-pro.com`. The query body is: `{ "query": "{\n notes(includePrivate:false){\n id title content authorId isPrivate\n }\n}" }` — note that `notes` takes an `includePrivate` boolean argument.
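Hint 3 shows the argument the client controls. As an added example (not code from the lab or from WebVerse Labs), here is a resolver that trusts `includePrivate` next to one that enforces note ownership server-side, exercised against the lab's own request body with constructed sample notes; the regex argument extraction is a stand-in for a real GraphQL parser.

```python
import json
import re
from dataclasses import dataclass, asdict


@dataclass
class Note:
    id: int
    title: str
    content: str
    authorId: int
    isPrivate: bool


# Constructed sample data with the same fields the lab query selects.
NOTES = [
    Note(1, "Welcome", "visible to everyone", 1, False),
    Note(2, "Alice draft", "private to author 1", 1, True),
    Note(3, "Bob secret", "private to author 2", 2, True),
]

# The request body observed in the lab (includePrivate:false).
LAB_BODY = json.dumps({"query": "{\n notes(includePrivate:false){\n id title content authorId isPrivate\n }\n}"})


def resolve_notes_weak(include_private, viewer_id=None):
    """Trusts the client-supplied argument: includePrivate:true returns every private note."""
    return [n for n in NOTES if include_private or not n.isPrivate]


def resolve_notes_hardened(include_private, viewer_id=None):
    """Honours includePrivate only for private notes owned by the authenticated viewer."""
    return [n for n in NOTES
            if not n.isPrivate
            or (include_private and viewer_id is not None and n.authorId == viewer_id)]


# Simplified extraction of the boolean argument (a real server would parse the AST).
ARG_RE = re.compile(r"notes\s*\(\s*includePrivate\s*:\s*(true|false)\s*\)")


def handle_graphql(body, resolver, viewer_id=None):
    """Minimal stand-in for the server: read the argument from the query, run the resolver."""
    query = json.loads(body)["query"]
    m = ARG_RE.search(query)
    include_private = bool(m) and m.group(1) == "true"
    return {"data": {"notes": [asdict(n) for n in resolver(include_private, viewer_id)]}}


def note_ids(response):
    """Ids returned in a response, for comparing the two resolvers."""
    return [n["id"] for n in response["data"]["notes"]]
```

The hardened resolver makes the argument a filter over data the viewer is already allowed to see, so the same request body yields different results only by identity, never by the flag alone.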
