Kali Linux

GraphQL Cop : Security Auditor Utility For GraphQL APIs

GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs. GraphQL Cop is perfect for running CI/CD checks in GraphQL. It is lightweight, and covers interesting security issues in GraphQL.

GraphQL Cop allows you to reproduce the findings by providing cURL commands upon any identified vulnerabilities.

Requirements

  • Python3
  • Requests Library

Detections

  • Alias Overloading (DoS)
  • Batch Queries (DoS)
  • GET based Queries (CSRF)
  • GraphQL Tracing / Debug Modes (Info Leak)
  • Field Duplication (DoS)
  • Field Suggestions (Info Leak)
  • GraphiQL (Info Leak)
  • Introspection (Info Leak)
  • Directives Overloading (DoS)

Usage

$ python graphql-cop.py -h
Usage: graphql-cop.py -t http://example.com -o json
Options:
-h, –help show this help message and exit
-t URL, –target=URL target url with the path
-H HEADER, –header=HEADER
Append Header to the request ‘{“Authorization”:
“Bearer eyjt”}’
-o OUTPUT_JSON, –output=OUTPUT_JSON
Output results to stdout (JSON)
-x, –proxy Sends the request through http://127.0.0.1:8080 proxy
-v, –version Print out the current version and exit

Test a website

$ python3 graphql-cop.py -t https://mywebsite.com/graphql
GraphQL Cop 1.1
Security Auditor for GraphQL
Dolev Farhi & Nick Aleks
Starting…
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)

Test a website, dump to a parse-able JSON output, cURL reproduction command

python3 main.py -t https://mywebsite.com/graphql -o json
{‘curl_verify’: ‘curl -X POST -H “User-Agent: graphql-cop/1.2” -H ‘
‘”Accept-Encoding: gzip, deflate” -H “Accept: /” -H ‘
‘”Connection: keep-alive” -H “Content-Length: 33” -H ‘
‘”Content-Type: application/json” -d \'{“query”: “query { ‘
‘__typename }”}\’ \’http://localhost:5013/graphql\”,
‘description’: ‘Tracing is Enabled’,
‘impact’: ‘Information Leakage’,
‘result’: False,
‘severity’: ‘INFO’,
‘title’: ‘Trace Mode’},
{‘curl_verify’: ‘curl -X POST -H “User-Agent: graphql-cop/1.2” -H ‘
‘”Accept-Encoding: gzip, deflate” -H “Accept: /” -H ‘
‘”Connection: keep-alive” -H “Content-Length: 64” -H ‘
‘”Content-Type: application/json” -d \'{“query”: “query { ‘
‘__typename @aa@aa@aa@aa@aa@aa@aa@aa@aa@aa }”}\’ ‘
“‘http://localhost:5013/graphql'”,
‘description’: ‘Multiple duplicated directives allowed in a query’,
‘impact’: ‘Denial of Service’,
‘result’: True,
‘severity’: ‘HIGH’,
‘title’: ‘Directive Overloading’}]

Test a website using graphql-cop through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):

$ python3 graphql-cop.py -t https://mywebsite.com/graphql –proxy –header ‘{“Authorization”: “Bearer token_here”}’
GraphQL Cop 1.2
Security Auditor for GraphQL
Dolev Farhi & Nick Aleks
Starting…
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)

R K

Recent Posts

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

1 hour ago

Install Xrdp on Ubuntu 18.04: Remote Desktop Setup Guide

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…

2 hours ago

Add and Delete Users on Ubuntu 18.04: A Practical Guide

Managing user accounts is one of the most basic system administration tasks on any Linux…

2 hours ago

Install Wine on Ubuntu 18.04: Run Windows Apps on Linux

Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…

2 hours ago

Install KVM on Ubuntu 18.04: Setup, Network, and Create VMs

KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…

2 hours ago

Upgrade to Ubuntu 20.04 LTS: Prepare, Update, and Confirm

Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…

1 day ago