the home site for me: also iteration 3 or 4 of my site
dunkirk.sh
1+++
2title = "Airbuds"
3date = 2024-12-16
4slug = "airbuds"
5description = "Trying to break their api."
6draft = true
7
8[taxonomies]
9tags = ["reverse engineering", "graphql"]
10+++
11
12Recently my cousin introduced me to the [Airbuds](https://airbuds.fm) app. Naturally I used it for a little bit. Slept a bit. And then booted up Proxypin to see if I could extract phone numbers from the app. With the base requests it appeared that I couldn't (:sadge:). I could get my phone number for my own profile however so I knew that it was likely stored in a user record somewhere (editor kieran: *umm yeah duh*). The more interesting part of this though was that it was a graphql api.
13
14<!-- more -->
15
16## Phase 2
17
18Now knowing that it had a graphql api I wanted to see if there was a way to reverse engineer it. I have had suprisingly little experience with them but doing some quick ducking revealed that they can potentially have introspection enabled allowing us to get a full schema of what we can get. That sounds awesome but hopefully from a security standpoint unlikely to be enabled.