HackQL is an intentionally vulnerable e-commerce application built on GraphQL. It is a playground for hacking, learning, and teaching others about GraphQL-related vulnerabilities.

| Layer | Technology |
|---|---|
| Frontend | Vue 3, Vite, Apollo Client |
| Backend | Node.js, Apollo Server, Prisma ORM |
| Database | SQLite (with Prisma) |
| Containerization | Docker & Docker Compose |
| Auth | JWT-based Authentication |

```sh
git clone https://github.com/yourusername/hackql.git
cd hackql
```

- Install Docker
- After installation:

```sh
docker compose up -d --build
```

- Access HackQL at: http://localhost:5173/

If Burp Suite isn't intercepting traffic to your local web application (localhost or 127.0.0.1), it's usually due to built-in browser security settings that bypass the proxy for loopback addresses.
- Essential Proxy Setup Checklist
  - Ensure Burp Suite is running and your browser is pointed to it:
    - Burp Listener: Go to Proxy → Options. Verify a listener is running on 127.0.0.1 and the correct port (default: 8080).
    - Browser Proxy: Configure your browser (manually or via a tool) to use 127.0.0.1 and the Burp port.
    - No Proxy List: Check your browser's proxy settings and ensure the "No Proxy For" list does NOT contain localhost or 127.0.0.1.
- Firefox changes:
  - Firefox ignores the proxy for loopback addresses by default, even if you set it manually.
  - In the Firefox address bar, type: `about:config`
  - Search for the setting: `network.proxy.allow_hijacking_localhost`
  - Click the Toggle button to change its value from `false` to `true`.
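
The checklist above can also be checked from a terminal. The script below is an added example, not part of HackQL: it flags a no-proxy list that exempts loopback addresses and sends one request to the app through Burp. The script name `check_proxy.sh`, the function names, and the `BURP_PROXY`/`APP_URL` variables are assumptions made for illustration; the defaults are Burp's default listener and the HackQL URL given above.

```sh
#!/bin/sh
# Added example, not part of HackQL. Assumed values: Burp's default listener
# (127.0.0.1:8080) and the HackQL URL from this README.
BURP_PROXY="${BURP_PROXY:-http://127.0.0.1:8080}"
APP_URL="${APP_URL:-http://localhost:5173/}"

# Returns 0 when a comma-separated "No Proxy For" / NO_PROXY list would
# exempt loopback traffic from the proxy, so Burp would never see it.
bypasses_loopback() {
    old_ifs=$IFS
    IFS=','
    set -f                      # keep a literal "*" entry from globbing
    for entry in $1; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        case "$entry" in
            localhost|localhost:*|127.*|::1|'[::1]'|'[::1]:'*|'*')
                IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Requests the app through Burp and prints the HTTP status (000 = no answer).
# --noproxy '' makes curl ignore any NO_PROXY exemption for this one request.
status_via_proxy() {
    curl -s -o /dev/null -m 5 -w '%{http_code}' --noproxy '' \
        -x "$BURP_PROXY" "$APP_URL"
}

run_checks() {
    if bypasses_loopback "${no_proxy:-}${NO_PROXY:+,$NO_PROXY}"; then
        echo "WARN: no_proxy/NO_PROXY exempts loopback; tools honoring it skip Burp"
    fi
    code=$(status_via_proxy) || true
    case "$code" in
        000) echo "FAIL: no answer via $BURP_PROXY (listener down or wrong port?)"
             return 1 ;;
        5??) echo "WARN: proxy answered $code; is HackQL up at $APP_URL?" ;;
        *)   echo "OK: $APP_URL returned $code via $BURP_PROXY; see Burp's HTTP history" ;;
    esac
}

# Run the live checks only when asked: sh check_proxy.sh run
if [ "${1:-}" = "run" ]; then run_checks; fi
```

If the script reports OK but the browser's requests still do not show up in Burp, the remaining difference is the browser configuration covered by the checklist and the Firefox setting.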