GraphQL Introspection Leaks Admin Credentials

DEV Community

A PortSwigger security lab demonstrates a classic API vulnerability where a GraphQL endpoint exposes sensitive user data. Attackers exploit a user management function to reveal administrator credentials. The lab requires signing in as the administrator and deleting a specific user, showcasing how improper access controls can lead to full system compromise.

The attack begins with reconnaissance. By intercepting a failed login request, a tester identifies the `/graphql` endpoint. Even without a successful login, the schema remains accessible because introspection is enabled. This configuration error allows attackers to map the entire API structure using tools like the InQL extension, revealing every available query and data field.

Once the schema is mapped, the exploit is straightforward. The attacker discovers that the `getUser` query exposes sensitive fields such as `username` and `password`. Constructing a simple query for the administrator's ID returns the plaintext credentials. This accidental field exposure highlights a critical flaw: the API returns more data than intended, bypassing front-end protections entirely.

To complete the lab, the tester uses the stolen credentials to log in and delete the target account. This exercise underscores the necessity of disabling Introspection in production environments. Developers must enforce strict server-side authorization checks to ensure users can only access data explicitly permitted for their role, regardless of what the API schema allows.
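One way to implement the two mitigations named above, as an added example that is not the lab's or the DEV post's code: a dependency-free Python stand-in for a GraphQL server's request filter and `getUser` resolver. The user store, role names and the `production` flag are constructed assumptions.

```python
import re

# Constructed sample user store standing in for the lab's user database.
USERS = {
    "1": {"id": "1", "username": "administrator", "password": "hunter2", "role": "admin"},
    "2": {"id": "2", "username": "carlos", "password": "s3cret", "role": "user"},
}

# Introspection is driven by the __schema and __type system fields.
# \b keeps __typename (a legitimate client field) from matching.
INTROSPECTION_RE = re.compile(r"__schema\b|__type\b")


def reject_introspection(query: str, production: bool = True) -> bool:
    """Return True when the request should be refused.

    In production, any document that touches __schema or __type is blocked
    before it reaches the executor, so the schema cannot be mapped with
    tools like InQL even by an unauthenticated client.
    """
    return production and bool(INTROSPECTION_RE.search(query))


def resolve_get_user(requester, user_id: str, fields):
    """Server-side authorization for the getUser query.

    Enforced regardless of what the schema advertises:
    - the caller must be authenticated
    - password is never resolvable
    - non-admins may only read their own record
    Returns the permitted fields, None if the user does not exist,
    or raises PermissionError.
    """
    if requester is None:
        raise PermissionError("authentication required")
    if "password" in fields:
        raise PermissionError("password is not a readable field")
    target = USERS.get(user_id)
    if target is None:
        return None
    if requester["role"] != "admin" and requester["id"] != user_id:
        raise PermissionError("not authorized to view this user")
    allowed = ("id", "username", "role")
    return {f: target[f] for f in fields if f in allowed}
```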