graphw00f is a server engine fingerprinting utility for software security professionals who want to learn which technology is behind a given GraphQL endpoint.

Overview

graphw00f - GraphQL Server Fingerprinting

graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints.

How does it work?

graphw00f is a Python utility which sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default.

Specially crafted queries cause different GraphQL server implementations to respond in distinct ways to queries, mutations and subscriptions. This makes it trivial to fingerprint the backend engine and distinguish between the various GraphQL implementations. (CWE: CWE-200)

Detections

graphw00f currently attempts to discover the following GraphQL engines:

  • Graphene - Python
  • Ariadne - Python
  • Apollo - TypeScript
  • graphql-go - Go
  • gqlgen - Go
  • WPGraphQL - PHP
  • GraphQL API for Wordpress - PHP
  • Ruby - GraphQL
  • graphql-php - PHP
  • Hasura - Haskell
  • HyperGraphQL - Java
  • graphql-java - Java
  • Juniper - Rust
  • Sangria - Scala
  • Flutter - Dart
  • Diana.jl - Julia
  • Strawberry - Python
  • Tartiflette - Python

GraphQL Technologies Defence Matrices

Each fingerprinted technology (e.g. Graphene, Ariadne, ...) has an associated document (example for graphene) which covers the security defence mechanisms the specific technology supports, to give a better idea of how the implementation may be attacked.

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |

Prerequisites

  • python3
  • requests

Installation

Clone Repository

git clone git@github.com:dolevf/graphw00f.git

Run graphw00f

python3 main.py -h

Usage: main.py -h

Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies graphw00f is able to
                        detect
  -v, --version         Print out the current version and exit.

Example

python3 main.py -t http://127.0.0.1:5000/graphql

                +-------------------+                 
                |     graphw00f     |                 
                +-------------------+                 
                  ***            ***                  
                **                  ***               
              **                       **             
    +--------------+              +--------------+       
    |    Node X    |              |    Node Y    |       
    +--------------+              +--------------+     
                  ***            ***                  
                     **        **                     
                       **    **                       
                    +------------+                      
                    |   Node Z   |                      
                    +------------+    

                graphw00f - v1.0.0
          The fingerprinting tool for GraphQL
  
[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.

Support and Issues

For any issues with graphw00f, such as false positives, inaccurate detections or bugs, please create a GitHub issue with environment details.

Resources

Want to learn more about GraphQL? Head over to my other project and hack GraphQL away: Damn Vulnerable GraphQL Application

Comments
  • Fingerprinting crashes - possibly due to large Auth. Header?

    Hello @dolevf,

    I have been trying to fingerprint a GraphQL endpoint (sandboxed) as part of a bug bounty program, but it keeps crashing:

    ~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql

                +-------------------+
                |     graphw00f     |
                +-------------------+
                  ***            ***
                **                  **
              **                      **
    +--------------+              +--------------+
    |    Node X    |              |    Node Y    |
    +--------------+              +--------------+
                  ***            ***
                     **        **
                       **    **
                    +------------+
                    |   Node Z   |
                    +------------+
    
                graphw00f - v1.1.3
          The fingerprinting tool for GraphQL
           Dolev Farhi <[email protected]>
    

    [*] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql...
    [!] Found GraphQL.
    [*] Attempting to fingerprint...
    Traceback (most recent call last):
      File "/home/andrew/graphw00f/main.py", line 153, in <module>
        main()
      File "/home/andrew/graphw00f/main.py", line 129, in main
        result = g.execute(url)
      File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute
        elif self.engine_graphene():
      File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene
        if error_contains(response, 'Syntax Error GraphQL (1:1)'):
      File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains
        err_message = i.get(part, '')
    AttributeError: 'str' object has no attribute 'get'

    To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I may be wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost GraphQL installation.

    Cheers.

    question 
    opened by Sorren1969 5
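As an added example (not graphw00f's own code), here is the error-matching step from the "How does it work?" section written so that it tolerates the response shape that produced the crash above. The two signature strings are the ones quoted on this page; the sample responses are constructed, and the signature-to-engine mapping is an illustration, not the project's table.

```python
import json
from typing import Any, List, Set

# Error substrings quoted on this page, mapped to the engines known to emit them.
# The '@deprecated' message maps to both Strawberry and Ariadne because the
# "conflicting signatures" issue reports Ariadne returning the Strawberry message.
SIGNATURES = {
    "Directive '@deprecated' may not be used on query": ("strawberry", "ariadne"),
    "Syntax Error GraphQL (1:1)": ("graphene",),
}

def error_messages(body: Any) -> List[str]:
    """Normalise a GraphQL response's `errors` field to a list of strings.

    Tolerates what a naive `err.get("message")` loop does not: a JSON text or
    bytes body, a non-JSON body (an HTML error page from a proxy), a bare string
    as `errors`, and list entries that are strings rather than dicts (the
    "'str' object has no attribute 'get'" crash reported above).
    """
    if isinstance(body, bytes):
        body = body.decode("utf-8", errors="replace")
    if isinstance(body, str):
        try:
            body = json.loads(body)
        except ValueError:
            return [body]  # not JSON at all; keep the raw text for matching
    if not isinstance(body, dict):
        return []
    errors = body.get("errors") or []
    if isinstance(errors, (str, dict)):
        errors = [errors]
    return [str(e.get("message", "")) if isinstance(e, dict) else str(e) for e in errors]

def fingerprint(body: Any) -> Set[str]:
    """Return the candidate engines whose signature appears in the response."""
    found: Set[str] = set()
    for message in error_messages(body):
        for needle, engines in SIGNATURES.items():
            if needle in message:
                found.update(engines)
    return found

# Constructed sample responses, not captured from a real server.
STRAWBERRY_LIKE = json.dumps({"errors": [{"message": "Directive '@deprecated' may not be used on query."}]})
CRASHING_SHAPE = {"errors": ["Syntax Error GraphQL (1:1) Unexpected Name"]}

if __name__ == "__main__":
    for sample in (STRAWBERRY_LIKE, CRASHING_SHAPE, "<html>502 Bad Gateway</html>"):
        print(sorted(fingerprint(sample)) or "no engine signature leaked")
```

An empty result for your own endpoint means none of the listed signature strings leaked in the error body, which is the outcome a server operator wants to see.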
  • ariadne and strawberry have conflicting signatures

    While testing on an Ariadne engine sending query @deprecated {__typename} returned Directive '@deprecated' may not be used on query. which is the signature for strawberry.

    bug 
    opened by MdotTIM 3
  • Clone in README

    Using git@github.com:dolevf/graphw00f.git will give you permission denied. It's supposed to be https://github.com/dolevf/graphw00f.git, so just change it in your README file or a lot of people will get confused.

    opened by gotr00t0day 2
  • Feature: custom authorization header

    Hi !

    Great project! Is it possible (or is it planned) to add a custom header? I have a GraphQL app with a secure auth and I would need to add an authorization header to the request. Is it possible?

    Thanks ! Trobyss'

    edit: I just found conf.py :) It would be cool if it was specified in the readme.

    documentation 
    opened by Trobyss 2
  • Create an Attack Surface Matrix Document for AWS AppSync

    Graphw00f 1.0.8 has a new AWS AppSync fingerprint signature. It will be useful to create an attack surface matrix markdown file under docs/ for it to list the type of security features it offers and whether it's vulnerable by default to GraphQL-ish things.

    documentation good first issue 
    opened by dolevf 1
  • feat: add AWS AppSync fingerprint

    Hello @dolevf,

    I work at Escape, a platform that helps developers find and fix the security flaws of their GraphQL endpoint, directly inside the CI-CD pipeline.

    Therefore, I am glad to contribute to your repository to make GraphQL safer, by providing a detection for AWS AppSync, which is largely used in the ecosystem.

    Hope you will find it useful.

    Btw, checkout our free tool, graphql.security to run dozens of GraphQL security tests for free, in ten seconds and without any sign-in. Also, results are private and not stored.

    opened by c3b5aw 1
  • Added --proxy and --burp options.

    Added support for explicit proxy specification through requests' built in proxy support. As a result, you don't need to rely on system proxies or set environment variables :)

    Using --proxy specifies an explicit proxy location. Using --burp uses the default Burp Suite proxy: 127.0.0.1:8080.

    opened by zw00sh 4
  • pyproject.toml

    opened by noraj 2
  • refactor: logging consistency

    Address #20

    • refactor: print to logging module.
    • refactor: fstring over format (Graphw00f is targeting python3)
    • feat: logger.py that contains logger setup that we can later adjust.
    • chore: drop color class

    opened by c3b5aw 1
  • feat: publish as pypi package

    Address #18

    • feat: added CD workflow | Will create release/push to pypi on tag.
    • feat: pyproject file
    • refactor: version system
    • refactor: moved scripts assets into the main repository

    Instead of doing python main.py, which is an anti-pattern and not sustainable, you will be able to install using pip and call it like graphw00f .... You are also able to call it using python -m graphw00f from a local directory.

    To set up the local env using poetry, install poetry (pip install poetry) and then do poetry install, then poetry shell.

    opened by c3b5aw 0
Releases: 1.1.8

Owner: Dolev Farhi (Security Engineering)