So, I wrote an hackme lab for GraphQL web apps :)
Hackmegraph(QL) is a vulnerable GraphQL web application for security researchers.
The objective in this lab is to escalate your privileges from an anonymous user to Remote Code Execution.
The lab contains multiple vulnerabillities & common mistakes in GraphQL implementation that you’ll exploit in order to get to the RCE part. Once you’re able to run whoami
on the vulnerable app, you completed the challenge
The lab, with build instructions & all the info is available at the hackmegraph repo.