Graphw00F – GraphQL fingerprinting tool for GQL endpoints

Credit to Nick Aleks for the logo!

How does it work?

graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints. It sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default.

Specially crafted queries cause different GraphQL server implementations to respond uniquely to queries, mutations and subscriptions. This makes it trivial to fingerprint the backend engine and distinguish between the various GraphQL implementations.

Detections

graphw00f currently attempts to discover the following GraphQL engines:

  • Graphene – Python
  • Ariadne – Python
  • Apollo – TypeScript
  • graphql-go – Go
  • gqlgen – Go
  • WPGraphQL – PHP
  • GraphQL API for WordPress – PHP
  • Ruby – GraphQL
  • graphql-php – PHP
  • Hasura – Haskell
  • HyperGraphQL – Java
  • graphql-java – Java
  • Juniper – Rust
  • Sangria – Scala
  • Flutter – Dart
  • Diana.jl – Julia
  • Strawberry – Python
  • Tartiflette – Python

GraphQL Technologies Defence Matrices

Each fingerprinted technology (e.g. Graphene, Ariadne, …) has an associated document (example for graphene) which covers the security defence mechanisms the specific technology supports, to give a better idea of how the implementation may be attacked.

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |
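
To confirm three of the matrix columns against your own deployment rather than relying on documented defaults, the following added example (not graphw00f's code) classifies saved JSON responses to three probes. The probe bodies, the hypothetical misspelled field `usr`, the "Did you mean" heuristic and the sample responses are all assumptions constructed for illustration.

```python
import json

# Probe bodies an operator could POST to their own endpoint (assumed, not graphw00f's).
PROBES = {
    "introspection": '{"query": "{ __schema { queryType { name } } }"}',
    # Hypothetical: assumes the schema has a field `user`, misspelled here on purpose.
    "field_suggestions": '{"query": "{ usr }"}',
    "batch_requests": '[{"query": "{ __typename }"}, {"query": "{ __typename }"}]',
}

def _errors(body):
    """Collect error messages from a single GraphQL response object."""
    if not isinstance(body, dict):
        return []
    return [str(e.get("message", "")) for e in body.get("errors") or [] if isinstance(e, dict)]

def audit(responses):
    """Map each probe name to 'on', 'off' or 'unknown' from its raw JSON response."""
    result = {}
    for name in PROBES:
        raw = responses.get(name)
        try:
            body = json.loads(raw) if raw is not None else None
        except ValueError:
            body = None
        if body is None:
            result[name] = "unknown"
        elif name == "introspection":
            data = body.get("data") if isinstance(body, dict) else None
            result[name] = "on" if isinstance(data, dict) and data.get("__schema") else "off"
        elif name == "field_suggestions":
            # Heuristic (assumption): suggestion errors contain "Did you mean".
            hit = any("did you mean" in m.lower() for m in _errors(body))
            result[name] = "on" if hit else "off"
        else:
            # A batch-capable server answers a two-element JSON array with another one.
            result[name] = "on" if isinstance(body, list) and len(body) == 2 else "off"
    return result

# Constructed sample responses, not captured from any real server.
SAMPLE = {
    "introspection": '{"data": {"__schema": {"queryType": {"name": "Query"}}}}',
    "field_suggestions": '{"errors": [{"message": "Cannot query field \\"usr\\" on type \\"Query\\". Did you mean \\"user\\"?"}]}',
    "batch_requests": '{"errors": [{"message": "Batch requests are not supported"}]}',
}

if __name__ == "__main__":
    for control, state in audit(SAMPLE).items():
        print(f"{control}: {state}")
```

Any control reported as "on" that the application does not need is a candidate for disabling in the engine's configuration.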

Prerequisites

  • python3
  • requests

Installation

Clone Repository

git clone git@github.com:dolevf/graphw00f.git

Run graphw00f

python3 main.py -h

Usage: main.py -h

Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies graphw00f is able to
                        detect
  -v, --version         Print out the current version and exit.

Example

python3 main.py -t http://127.0.0.1:5000/graphql

                +-------------------+                 
                |     graphw00f     |                 
                +-------------------+                 
                  ***            ***                  
                **                  ***               
              **                       **             
    +--------------+              +--------------+       
    |    Node X    |              |    Node Y    |       
    +--------------+              +--------------+     
                  ***            ***                  
                     **        **                     
                       **    **                       
                    +------------+                      
                    |   Node Z   |                      
                    +------------+    

                graphw00f - v1.0.0
             The fingerprinting tool for GraphQL

[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Discovered GraphQL...
[*] Attempting to fingerprint...
[*] Found GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.