Graphql-Threat-Matrix : GraphQL Threat Framework Used By Security Professionals

graphql-threat-matrix was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations.

The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations the GraphQL ecosystem can make safer deployment decisions as well as collectively advance the security maturity of all implementations.

Legend
✅  – Enabled by Default
⚠️  – Disabled by Default
❌  – No Support

Implementation	Validations	Field Suggestions	Query Depth limit	Query Cost Analysis	Automatic Persisted Queries	Introspection	Debug Mode	Batch Requests
wp-graphql	38	✅	⚠️	❌	❌	⚠️	⚠️	✅
graphql-php	37	✅	⚠️	⚠️	❌	✅	⚠️	⚠️
Apollo	34	✅	⚠️	⚠️	✅	✅	✅	✅
graphql-yoga	34	✅	⚠️	❌	❌	⚠️	⚠️	⚠️
graphene	34	✅	❌	❌	❌	✅	❌	⚠️
Ariadne	34	✅	⚠️	⚠️	❌	✅	⚠️	❌
Strawberry	34	✅	⚠️	❌	❌	✅	❌	❌
graphql-ruby	28	✅	❌	⚠️	⚠️	✅	❌	✅
Sangria	27	✅	⚠️	⚠️	❌	✅	❌	⚠️
Tartiflette	26	❌	❌	❌	❌	✅	❌	❌
graphql-java	26	✅	⚠️	⚠️	❌	✅	❌	⚠️
gqlgen	25	✅	❌	⚠️	⚠️	✅	⚠️	⚠️
Dgraph	25	✅	❌	❌	⚠️	✅	❌	❌
graphql-go	24	✅	❌	❌	❌	✅	⚠️	❌
juniper	24	❌	❌	❌	❌	✅	❌	⚠️
Diana.jl	10	✅	❌	❌	❌	✅	❌	❌
gql-dart/gql	9	✅	❌	❌	❌	✅	❌	❌
Agoo	1	❌	❌	❌	❌	✅	⚠️	❌

For Penetration Testers

Use graphw00f to fingerprint a target GraphQL API and determine the backend implementation.

Related

Graphw00F : GraphQL fingerprinting tool for GQL endpoints

September 22, 2021

In "Kali Linux"

Damn Vulnerable GraphQL Application

February 19, 2021

In "Kali Linux"

GraphQL Cop : Security Auditor Utility For GraphQL APIs

April 11, 2022

In "Kali Linux"

R K

Next PEzor-Docker : With The Help Of This Docker Image, You Can Easily Access PEzor On Your System! »

Previous « Malicious-Pdf : Generate A Bunch Of Malicious Pdf Files With Phone-Home Functionality

Leave a Comment

Share

Published by

R K

Tags: FrameworkGraphQLGraphql-Threat-MatrixSecurity Professionals

4 years ago

Recent Posts

How To

Bash Scripting Best Practices Every Beginner Should Know

Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…

23 hours ago

How To

How To Create A Self-Signed SSL Certificate Using Bash And OpenSSL

Introduction A self-signed SSL certificate is a certificate that is created and signed by the…

1 day ago

How To

How To Debug Bash Scripts Using bash -x And set Commands

Introduction Debugging is an important part of Bash scripting. When a script does not work…

1 day ago

How To

How To Use Cron Jobs With Bash Scripts For Automation

Introduction Cron jobs are used in Linux to run commands or Bash scripts automatically at…

1 day ago

How To

How To Use Pipes In Bash Scripts For Command Chaining

Introduction Pipes are an important feature in Linux and Bash scripting. A pipe allows you…

1 day ago

How To

How To Use grep, awk, And sed In Bash Scripts

Introduction The grep, awk, and sed commands are powerful text-processing tools in Linux. They are…

1 day ago

L