Clearance
CliniCore's patient timeline exposes a GraphQL variable that was meant for internal use only. One query tweak reveals notes that receptionist accounts should never see.
The Scenario
CliniCore shipped a GraphQL API to power their new timeline feature. A viewerRole variable was added during development to allow the admin panel to preview how different roles see patient data. It was never removed from the production schema. A receptionist account with routine access to the system is all you need.
Challenge Intel
Synopsis
GraphQL timeline query accepts viewerRole from the client — set it to 'doctor' to unlock restricted clinical notes.
What It Is
The /graphql endpoint serves a patientTimeline query that takes (patientId: ID!, viewerRole: String!) as variables. The resolver checks viewerRole from the query variables — not from the session — to decide whether to include restricted notes in the response. The player is logged in as a receptionist and can see Hendricks J. in the patient list. Changing viewerRole to 'doctor' in the GraphQL request returns the restricted note containing the flag.
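As an added illustration (not CliniCore's code), the resolver flaw described above beside a corrected version that takes the role from the server-side session, honours viewerRole only for an assumed admin-panel preview, and records mismatches for detection; the patient data, session objects and audit hook are constructed for the example.

```javascript
// Added example (not CliniCore code). In-memory data is constructed for the demo.
const PATIENTS = {
  "p-1001": {
    name: "Hendricks J.",
    timeline: [
      { id: "e1", kind: "visit", text: "Routine check-in", restricted: false },
      { id: "e2", kind: "note", text: "Clinical note (restricted)", restricted: true },
    ],
  },
};

// Roles allowed to read restricted clinical notes (assumption for this example).
const CAN_READ_RESTRICTED = new Set(["doctor", "admin"]);

function filterTimeline(patientId, patient, role) {
  const entries = CAN_READ_RESTRICTED.has(role)
    ? patient.timeline
    : patient.timeline.filter((e) => !e.restricted);
  return { patientId, name: patient.name, entries };
}

// VULNERABLE: the authorization decision uses viewerRole from the GraphQL
// variables, which any authenticated client controls.
function patientTimelineVulnerable(args, context) {
  if (!context.session) throw new Error("unauthenticated");
  const patient = PATIENTS[args.patientId];
  if (!patient) return null;
  return filterTimeline(args.patientId, patient, args.viewerRole);
}

// FIXED: the server-side session is the authority. viewerRole is honoured only
// as an admin preview (assumed design); a mismatch from any other caller is
// written to context.audit so tampering attempts are visible to monitoring.
function patientTimelineFixed(args, context) {
  if (!context.session) throw new Error("unauthenticated");
  const sessionRole = context.session.role;
  let effectiveRole = sessionRole;
  if (args.viewerRole && args.viewerRole !== sessionRole) {
    if (sessionRole === "admin") effectiveRole = args.viewerRole; // preview only
    else context.audit.push({ event: "viewerRole-mismatch", userId: context.session.userId,
      patientId: args.patientId, sessionRole, requestedRole: args.viewerRole });
  }
  const patient = PATIENTS[args.patientId];
  if (!patient) return null;
  return filterTimeline(args.patientId, patient, effectiveRole);
}
```

Wiring these into a real schema would mean dropping viewerRole from the production patientTimeline signature entirely and passing the session in through the resolver context.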
Who It's For
Players comfortable with Burp Suite or browser devtools who want to learn IDOR in a GraphQL context.
Skills You'll Practice
- Intercepting and modifying GraphQL requests
- Understanding role-based access control failures in GraphQL resolvers
- Identifying client-controllable authorization parameters
What You'll Gain
- How RBAC bugs appear in GraphQL variable handling
- Why server-side session state must always be the authority for role checks
- GraphQL-specific IDOR patterns beyond simple ID enumeration