Breach
Breach's team collaboration platform. Some content is restricted to admins — but is the enforcement as tight as it looks?
The Scenario
Breach is an internal collaboration tool where teams share notes and documents. The developers implemented access controls, but the architecture has layers — and not all of them agree on who can see what.
Challenge Intel
Synopsis
A medium GraphQL lab where access controls are enforced inconsistently across the schema.
What It Is
Breach's collaboration platform layers authorization on top of a GraphQL API, but the rules don't apply uniformly to every path through the schema. The intended gating works for the common case and quietly fails elsewhere. A good workout in GraphQL authorization testing and object-level access review.
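The pattern described above, modelled as a small added example (not code from the Breach lab itself): a top-level resolver filters admin-only notes correctly, while a nested `Document.notes` path reaches the same objects by id without the check, and the fix moves the rule into the single data-access function every path must call. The GraphQL engine is stood in for by plain Python resolver functions, and the note data, role names and `doc-1` identifier are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    id: int
    admin_only: bool
    body: str

# Constructed sample data: one ordinary note and one admin-only note,
# both embedded in the same document.
NOTES = [Note(1, False, "team lunch"), Note(2, True, "incident retro")]
DOCUMENTS = {"doc-1": [1, 2]}  # document id -> ids of the notes it embeds

@dataclass(frozen=True)
class Context:
    user: str
    role: str  # "member" or "admin"

def can_view(ctx: Context, note: Note) -> bool:
    return (not note.admin_only) or ctx.role == "admin"

# Inconsistent enforcement: the top-level `notes` resolver filters by can_view ...
def resolve_notes(ctx: Context) -> list:
    return [n for n in NOTES if can_view(ctx, n)]

# ... but the nested `Document.notes` resolver reaches the same rows by id
# and never consults the rule, so the gate only holds for one schema path.
def resolve_document_notes_leaky(ctx: Context, doc_id: str) -> list:
    return [n for n in NOTES if n.id in DOCUMENTS[doc_id]]

# Hardened: put the check in the data-access layer that every resolver must
# go through, so the object-level rule cannot be sidestepped by path choice.
def load_notes(ctx: Context, ids=None) -> list:
    wanted = NOTES if ids is None else [n for n in NOTES if n.id in ids]
    return [n for n in wanted if can_view(ctx, n)]

def resolve_document_notes_fixed(ctx: Context, doc_id: str) -> list:
    return load_notes(ctx, DOCUMENTS[doc_id])

def audit_paths(ctx: Context) -> dict:
    """Return the note ids each schema path exposes to `ctx`; when two paths
    that reach the same objects disagree, that is the enforcement gap to report."""
    return {
        "notes": {n.id for n in resolve_notes(ctx)},
        "document_notes_leaky": {n.id for n in resolve_document_notes_leaky(ctx, "doc-1")},
        "document_notes_fixed": {n.id for n in resolve_document_notes_fixed(ctx, "doc-1")},
    }
```

Running `audit_paths` for a member and for an admin and diffing the sets per path is the review step: any path that exposes more than the documented rule allows is the finding.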
Who It's For
Mid-level testers familiar with GraphQL who want to drill authorization bypasses.
Skills You'll Practice
- GraphQL authorization testing
- Object and field-level access review
- Mapping schema paths against documented rules
- Identifying inconsistent enforcement surfaces
- Constructing queries that bypass UI-level gates
What You'll Gain
- Practical experience finding broken access control in GraphQL
- A mental model for auditing layered authorization schemes
- Stronger instincts for where enforcement gaps hide
- Report-ready examples of real-world authorization failures