Schematic
Schematic Inc's internal product dashboard. The frontend shows you what they want you to see — what's behind it?
The Scenario
Schematic Inc built a slick dashboard for their team. Everything looks polished on the surface, but the API powering it might expose more than the UI lets on. Dig deeper.
Challenge Intel
Synopsis
A beginner GraphQL lab where the UI and the underlying schema disagree about what's visible.
What It Is
Schematic Inc's dashboard is a polished frontend talking to a GraphQL API that exposes far more of its shape than the interface ever renders. Standard schema introspection and exploratory querying quickly reveal capabilities the product team never meant to ship publicly. A clean entry point into GraphQL-focused testing.
Who It's For
Newcomers to GraphQL security who want an approachable first lab.
Skills You'll Practice
- GraphQL schema introspection
- Reading a type system for sensitive fields
- Exploratory query construction
- Comparing UI surface area to API surface area
- Using GraphQL tooling effectively
What You'll Gain
- A confident first GraphQL solve on a realistic target
- Working vocabulary for GraphQL-specific vulnerability classes
- A repeatable introspection-first audit workflow
- Momentum to tackle harder GraphQL authorization labs