Kali
Clairvoyance is a game-changer for GraphQL API developers. This tool gets the GraphQL API schema from sites where introspection is turned off and displays it in a user-friendly JSON format. Learn how to install it, how to use it in more advanced ways, and how to get help from a dedicated team of contributors. You’ll …
Continue reading “Clairvoyance – Unmasking Hidden GraphQL Schemas”
Graphicator is a GraphQL “scraper” / extractor. The tool iterates over the introspection document returned by the targeted GraphQL endpoint, and then re-structures the schema in an internal form so it can re-create the supported queries. When such queries are created is using them to send requests to the endpoint and saves the returned response …
Continue reading “Graphicator : A GraphQL Enumeration And Extraction Tool”
Graph Crawler is the most powerful automated testing toolkit for any GraphQL endpoint. Version 1.2 is out NEW: Can search for endpoints for you using Escape Technology’s powerful Graphinder tool. Just point it towards a domain and add the ‘-e’ option and Graphinder will do subdomain enumeration + search popular directories for GraphQL endpoints. After all this …
Continue reading “GraphCrawler : GraphQL Automated Security Testing Toolkit”
graphql-threat-matrix was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations. The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations …
Continue reading “Graphql-Threat-Matrix : GraphQL Threat Framework Used By Security Professionals”
BatchQL is a GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations. This script is not complex, and we welcome improvements. When exploring the problem space of GraphQL batching attacks, we found that there were a few blog posts on the internet, however no tool to perform GraphQL batching attacks. …
Graphw00F (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints, it sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default. Specially crafted …
Continue reading “Graphw00F : GraphQL fingerprinting tool for GQL endpoints”
GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. Install $ git clone https://github.com/swisskyrepo/GraphQLmap$ python graphqlmap.py_/ | | | / _ | | | | _ _ _ _ _ _ | |_ | | | | | _ _ _ _ _ _ | | | | ‘/ | …
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology, to learn and practice GraphQL Security. About DVGA Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities. DVGA has numerous …
InQL is a security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script or as a Burp Suite extension. InQL Stand-Alone CLI Running inql from Python will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for: Queries, mutations, subscriptions Its fields …
Continue reading “InQL : A Burp Extension For GraphQL Security Testing”
A security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script, or as a Burp Suite extension. Running inql from Python will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for: Queries, mutations, subscriptions Its fields and arguments Objects and custom …
Continue reading “InQL – A Burp Extension for GraphQL Security Testing”
.png)
.png)
