GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs. GraphQL Cop is perfect for running CI/CD checks in GraphQL. It is lightweight, and covers interesting security issues in GraphQL.
GraphQL Cop allows you to reproduce the findings by providing cURL commands upon any identified vulnerabilities.
$ python graphql-cop.py -h
Usage: graphql-cop.py -t http://example.com -o json
Options:
-h, –help show this help message and exit
-t URL, –target=URL target url with the path
-H HEADER, –header=HEADER
Append Header to the request ‘{“Authorization”:
“Bearer eyjt”}’
-o OUTPUT_JSON, –output=OUTPUT_JSON
Output results to stdout (JSON)
-x, –proxy Sends the request through http://127.0.0.1:8080 proxy
-v, –version Print out the current version and exit
Test a website
$ python3 graphql-cop.py -t https://mywebsite.com/graphql
GraphQL Cop 1.1
Security Auditor for GraphQL
Dolev Farhi & Nick Aleks
Starting…
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)
Test a website, dump to a parse-able JSON output, cURL reproduction command
python3 main.py -t https://mywebsite.com/graphql -o json
{‘curl_verify’: ‘curl -X POST -H “User-Agent: graphql-cop/1.2” -H ‘
‘”Accept-Encoding: gzip, deflate” -H “Accept: /” -H ‘
‘”Connection: keep-alive” -H “Content-Length: 33” -H ‘
‘”Content-Type: application/json” -d \'{“query”: “query { ‘
‘__typename }”}\’ \’http://localhost:5013/graphql\”,
‘description’: ‘Tracing is Enabled’,
‘impact’: ‘Information Leakage’,
‘result’: False,
‘severity’: ‘INFO’,
‘title’: ‘Trace Mode’},
{‘curl_verify’: ‘curl -X POST -H “User-Agent: graphql-cop/1.2” -H ‘
‘”Accept-Encoding: gzip, deflate” -H “Accept: /” -H ‘
‘”Connection: keep-alive” -H “Content-Length: 64” -H ‘
‘”Content-Type: application/json” -d \'{“query”: “query { ‘
‘__typename @aa@aa@aa@aa@aa@aa@aa@aa@aa@aa }”}\’ ‘
“‘http://localhost:5013/graphql'”,
‘description’: ‘Multiple duplicated directives allowed in a query’,
‘impact’: ‘Denial of Service’,
‘result’: True,
‘severity’: ‘HIGH’,
‘title’: ‘Directive Overloading’}]
Test a website using graphql-cop
through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):
$ python3 graphql-cop.py -t https://mywebsite.com/graphql –proxy –header ‘{“Authorization”: “Bearer token_here”}’
GraphQL Cop 1.2
Security Auditor for GraphQL
Dolev Farhi & Nick Aleks
Starting…
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…