graphw00f is Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.

Related tags

GraphQLgraphqlsecurityenumerationpenetration-testingfingerprintinginformation-gathering
Overview


graphw00f - GraphQL Server Fingerprinting

graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints.

Table of Contents

How does it work?

graphw00f is a Python utility which sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default.

Specially crafted queries cause different GraphQL server implementations to respond uniquely to queries, mutations and subscriptions, this makes it trivial to fingerprint the backend engine and distinguish between the various GraphQL implementations. (CWE: CWE-200)

Detections

graphw00f currently attempts to discover the following GraphQL engines:

  • Graphene - Python
  • Ariadne - Python
  • Apollo - TypeScript
  • graphql-go - Go
  • gqlgen - Go
  • WPGraphQL - PHP
  • GraphQL API for Wordpress - PHP
  • Ruby - GraphQL
  • graphql-php - PHP
  • Hasura - Haskell
  • HyperGraphQL - Java
  • graphql-java - Java
  • Juniper - Rust
  • Sangria - Scala
  • Flutter - Dart
  • Diana.jl - Julia
  • Strawberry - Python
  • Tartiflette - Python

GraphQL Technologies Defence Matrices

Each fingerprinted technology (e.g. Graphene, Ariadne, ...) has an associated document (example for graphene) which covers the security defence mechanisms the specific technology supports to give a better idea how the implementation may be attacked.

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |

Prerequisites

  • python3
  • requests

Installation

Clone Repository

git clone [email protected]:dolevf/graphw00f.git

Run graphw00f

python3 main.py -h

Usage: main.py -h

Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies graphw00f is able to
                        detect
  -v, --version         Print out the current version and exit.

Example

python3 main.py -t http://127.0.0.1:5000/graphql

                +-------------------+                 
                |     graphw00f     |                 
                +-------------------+                 
                  ***            ***                  
                **                  ***               
              **                       **             
    +--------------+              +--------------+       
    |    Node X    |              |    Node Y    |       
    +--------------+              +--------------+     
                  ***            ***                  
                     **        **                     
                       **    **                       
                    +------------+                      
                    |   Node Z   |                      
                    +------------+    

                graphw00f - v1.0.0
          The fingerprinting tool for GraphQL
  
[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.

Support and Issues

Any issues with graphw00f such as false positives, inaccurate detections, bugs, etc. please create a GitHub issue with environment details.

Resources

Want to learn more about GraphQL? head over to my other project and hack GraphQL away: Damn Vulnerable GraphQL Application

Comments
  • Fingerprinting crashes - possibly due to large Auth. Header?

    Fingerprinting crashes - possibly due to large Auth. Header?

    Hello @dolevf,

    I have been trying to fingerprint a graphql endpoint (sandboxed) for as part of a bug bounty program, but it keeps crashing:

    ~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql

                +-------------------+
            |     graphw00f     |
            +-------------------+
              ***            ***
            **                  **
          **                      **
+--------------+              +--------------+
|    Node X    |              |    Node Y    |
+--------------+              +--------------+
              ***            ***
                 **        **
                   **    **
                +------------+
                |   Node Z   |
                +------------+

            graphw00f - v1.1.3
      The fingerprinting tool for GraphQL
       Dolev Farhi <[email protected]>

    [*] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql... [!] Found GraphQL. [*] Attempting to fingerprint... Traceback (most recent call last): File "/home/andrew/graphw00f/main.py", line 153, in main() File "/home/andrew/graphw00f/main.py", line 129, in main result = g.execute(url) File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute elif self.engine_graphene(): File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene if error_contains(response, 'Syntax Error GraphQL (1:1)'): File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains err_message = i.get(part, '') AttributeError: 'str' object has no attribute 'get'

    To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I maybe wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost graphql installation.

    Cheers.

    question 
    opened by Sorren1969 5
  • ariadne and strawberry have conflicting signatures

    ariadne and strawberry have conflicting signatures

    While testing on an Ariadne engine sending query @deprecated {__typename} returned Directive '@deprecated' may not be used on query. which is the signature for strawberry.

    bug 
    opened by MdotTIM 3
  • Clone in README

    Clone in README

    Using [email protected]:dolevf/graphw00f.git will give you permission denied, It's suppose to be https://github.com/dolevf/graphw00f.git , just change it in your README file or a lot of people will get confused.

    opened by gotr00t0day 2
  • Feature: custom authorization header

    Feature: custom authorization header

    Hi !

    Great project ! Is it possible (or is it planned) to add a custom header? I have a graphql app with an secure auth and I would need to add an authorization header in the request. Is it possible ?

    Thanks ! Trobyss'

    edit: I just find the conf.py :) it would be cool if it was specified in the readme

    documentation 
    opened by Trobyss 2
  • Create an Attack Surface Matrix Document for AWS AppSync

    Create an Attack Surface Matrix Document for AWS AppSync

    Graphw00f 1.0.8 has a new AWS AppSync fingerprint signature. It will be useful to create an attack surface matrix markdown file under docs/ for it to list the type of security features it offers and whether its vulnerable by default to GraphQL-ish things.

    documentation good first issue 
    opened by dolevf 1
  • feat: add AWS AppSync fingerprint

    feat: add AWS AppSync fingerprint

    Hello @dolevf,

    I work at Escape, a platform that helps developers find and fix the security flaws of their GraphQL endpoint, directly inside the CI-CD pipeline.

    Therefore, I am glad to contribute to your repository to make GraphQL safer, by providing a detection for Aws AppSync which is largely used in the ecosystem.

    Hope you will find it useful.

    Btw, checkout our free tool, graphql.security to run dozens of GraphQL security tests for free, in ten seconds and without any sign-in. Also, results are private and not stored.

    opened by c3b5aw 1
  • Added --proxy and --burp options.

    Added --proxy and --burp options.

    Added support for explicit proxy specification through requests' built in proxy support. As a result, you don't need to rely on system proxies or set environment variables :)

    Using --proxy specifies an explicit proxy location. Using --burp uses the default Burp Suite proxy: 127.0.0.1:8080.

    opened by zw00sh 4
  • pyproject.toml

    pyproject.toml

    opened by noraj 2
  • refactor: logging consistency

    refactor: logging consistency

    Address #20

    • refactor: print to logging module.
    • refactor: fstring over format (Graphw00f is targeting python3)
    • feat: logger.py that contains logger setup that we can later adjust.
    • chore: drop color class
    opened by c3b5aw 1
  • feat: publish as pypi package

    feat: publish as pypi package

    Address #18

    • feat: added CD workflow | Will create release/push to pypi on tag.
    • feat: pyproject file
    • refactor: version system
    • refactor: moved scripts assets into the main repository

    Instead of doing python main.py which is an anti pattern and not sustainable, you will be able to install using pip and call it like graphw00f .... You are also able to call it using python -m graphw00f from a local directory.

    To setup the local env using poetry, install poetry (pip install poetry) and then do poetry install poetry shell.

    opened by c3b5aw 0
Releases(1.1.8)
Owner
Dolev Farhi
Security Engineering
Dolev Farhi
GitHub Repository
Ariadne is a Python library for implementing GraphQL servers using schema-first approach.

Ariadne Ariadne is a Python library for implementing GraphQL servers. Schema-first: Ariadne enables Python developers to use schema-first approach to

Mirumee Labs 1.9k Jan 01, 2023
A Django GraphQL Starter that uses graphene and graphene_django to interface GraphQL.

Django GraphQL Starter GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data... According to the doc

0101 Solutions 1 Jan 10, 2022
This is a simple Python that will parse instanceStats GraphQL Query into a CSV

GraphQL Python Labs - by Gabs the CSE Table of Contents About The Project Getting Started Prerequisites Installation and Usage Roadmap Contributing Li

Gabriel (Gabs) Cerioni 1 Oct 27, 2021
RPyC (Remote Python Call) - A transparent and symmetric RPC library for python

RPyC (pronounced like are-pie-see), or Remote Python Call, is a transparent library for symmetrical remote procedure calls, clustering, and distribute

1.3k Jan 05, 2023
tartiflette-aiohttp is a wrapper of aiohttp which includes the Tartiflette GraphQL Engine, do not hesitate to take a look of the Tartiflette project.

tartiflette-aiohttp is a wrapper of aiohttp which includes the Tartiflette GraphQL Engine. You can take a look at the Tartiflette API documentation. U

tartiflette 60 Nov 08, 2022
(Now finding maintainer) 🐍A Pythonic way to provide JWT authentication for Flask-GraphQL

Flask-GraphQL-Auth What is Flask-GraphQL-Auth? Flask-GraphQL-Auth is JWT decorator for flask-graphql inspired from Flask-JWT-Extended. all you have to

Seonghyeon Kim 64 Feb 19, 2022
Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

Tyk API Gateway Tyk is an open source Enterprise API Gateway, supporting REST, GraphQL, TCP and gRPC protocols. Tyk Gateway is provided ‘Batteries-inc

Tyk Technologies 8k Jan 09, 2023
Generate daily updated visualizations of user and repository statistics from the GitHub API using GitHub Actions

Generate daily updated visualizations of user and repository statistics from the GitHub API using GitHub Actions for any combination of private and public repositories - dark mode supported

Adam Ross 15 Dec 31, 2022
Modular, cohesive, transparent and fast web server template

kingdom-python-server 🐍 Modular, transparent, batteries (half) included, lightning fast web server. Features a functional, isolated business layer wi

T10 20 Feb 08, 2022
graphw00f is Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.

graphw00f - GraphQL Server Fingerprinting graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints. Table of Contents How

Dolev Farhi 282 Jan 04, 2023
Translate APIs described by OpenAPI Specifications (OAS) into GraphQL

OpenAPI-to-GraphQL Translate APIs described by OpenAPI Specifications (OAS) or Swagger into GraphQL. Getting started OpenAPI-to-GraphQL can be used in

International Business Machines 1.4k Dec 29, 2022
Generate a FullStack Playground using GraphQL and FastAPI 🚀

FastQL - FastAPI GraphQL Playground Generate a FullStack playground using FastAPI and GraphQL and Ariadne 🚀 . This Repository is based on this Articl

OBytes 109 Dec 23, 2022
Fastapi strawberry graphql

fastapi-strawberry-graphql Quick and dirty 🍓 python python --version Python 3.10 pip pip install sqlalchemy pip install sqlmodel pip install fastapi

Rodrigo Ney 7 Oct 19, 2022
Getting the ip of a fivem server with a cfx.re link

Dark Utilities - FIVEM-IP-RESOLVER Our Website https://omega-project.cz/ ! Install the app on the server Inplex-sys 12 Oct 25, 2022

This is a minimal project using graphene with django and user authentication to expose a graphql endpoint.

Welcome This is a minimal project using graphene with django and user authentication to expose a graphql endpoint. Definitely checkout how I have mana

yosef salmalian 1 Nov 18, 2021
Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.

Graphinder Graphinder is a tool that extracts all GraphQL endpoints from a given domain. Run with docker docker run -it -v $(pwd):/usr/bin/graphinder

Escape 76 Dec 28, 2022
A Python 3.6+ port of the GraphQL.js reference implementation of GraphQL.

GraphQL-core 3 GraphQL-core 3 is a Python 3.6+ port of GraphQL.js, the JavaScript reference implementation for GraphQL, a query language for APIs crea

GraphQL Python 458 Dec 13, 2022
Django GraphQL To Do List Application

Django GraphQL Simple ToDo HOW TO RUN just run the following instructions: python -m venv venv pip install -r requirements.txt source venv/bin/activat

pedram shahsafi 1 Nov 13, 2021
An unofficial Blender add-on for Autodesk's Arnold render engine.

Arnold for Blender Arnold for Blender (or BtoA) provides a bridge to the Arnold renderer from within Blender's standard interface. BtoA is an unoffici

Luna Digital, Ltd. 89 Dec 28, 2022
Python script to like all posts from a selected Anilist profile

AniLiker: A python autoliker What's the point of this project? This project was a way to learn GraphQL, and also create a project that I've been inter

Iván Pérez 9 Nov 25, 2022