graphw00f is Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.

Related tags

GraphQLgraphqlsecurityenumerationpenetration-testingfingerprintinginformation-gathering
Overview


graphw00f - GraphQL Server Fingerprinting

graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints.

Table of Contents

How does it work?

graphw00f is a Python utility which sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default.

Specially crafted queries cause different GraphQL server implementations to respond uniquely to queries, mutations and subscriptions, this makes it trivial to fingerprint the backend engine and distinguish between the various GraphQL implementations. (CWE: CWE-200)

Detections

graphw00f currently attempts to discover the following GraphQL engines:

  • Graphene - Python
  • Ariadne - Python
  • Apollo - TypeScript
  • graphql-go - Go
  • gqlgen - Go
  • WPGraphQL - PHP
  • GraphQL API for Wordpress - PHP
  • Ruby - GraphQL
  • graphql-php - PHP
  • Hasura - Haskell
  • HyperGraphQL - Java
  • graphql-java - Java
  • Juniper - Rust
  • Sangria - Scala
  • Flutter - Dart
  • Diana.jl - Julia
  • Strawberry - Python
  • Tartiflette - Python

GraphQL Technologies Defence Matrices

Each fingerprinted technology (e.g. Graphene, Ariadne, ...) has an associated document (example for graphene) which covers the security defence mechanisms the specific technology supports to give a better idea how the implementation may be attacked.

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |

Prerequisites

  • python3
  • requests

Installation

Clone Repository

git clone [email protected]:dolevf/graphw00f.git

Run graphw00f

python3 main.py -h

Usage: main.py -h

Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies graphw00f is able to
                        detect
  -v, --version         Print out the current version and exit.

Example

python3 main.py -t http://127.0.0.1:5000/graphql

                +-------------------+                 
                |     graphw00f     |                 
                +-------------------+                 
                  ***            ***                  
                **                  ***               
              **                       **             
    +--------------+              +--------------+       
    |    Node X    |              |    Node Y    |       
    +--------------+              +--------------+     
                  ***            ***                  
                     **        **                     
                       **    **                       
                    +------------+                      
                    |   Node Z   |                      
                    +------------+    

                graphw00f - v1.0.0
          The fingerprinting tool for GraphQL
  
[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.

Support and Issues

Any issues with graphw00f such as false positives, inaccurate detections, bugs, etc. please create a GitHub issue with environment details.

Resources

Want to learn more about GraphQL? head over to my other project and hack GraphQL away: Damn Vulnerable GraphQL Application

Comments
  • Fingerprinting crashes - possibly due to large Auth. Header?

    Fingerprinting crashes - possibly due to large Auth. Header?

    Hello @dolevf,

    I have been trying to fingerprint a graphql endpoint (sandboxed) for as part of a bug bounty program, but it keeps crashing:

    ~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql

                +-------------------+
            |     graphw00f     |
            +-------------------+
              ***            ***
            **                  **
          **                      **
+--------------+              +--------------+
|    Node X    |              |    Node Y    |
+--------------+              +--------------+
              ***            ***
                 **        **
                   **    **
                +------------+
                |   Node Z   |
                +------------+

            graphw00f - v1.1.3
      The fingerprinting tool for GraphQL
       Dolev Farhi <[email protected]>

    [*] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql... [!] Found GraphQL. [*] Attempting to fingerprint... Traceback (most recent call last): File "/home/andrew/graphw00f/main.py", line 153, in main() File "/home/andrew/graphw00f/main.py", line 129, in main result = g.execute(url) File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute elif self.engine_graphene(): File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene if error_contains(response, 'Syntax Error GraphQL (1:1)'): File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains err_message = i.get(part, '') AttributeError: 'str' object has no attribute 'get'

    To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I maybe wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost graphql installation.

    Cheers.

    question 
    opened by Sorren1969 5
  • ariadne and strawberry have conflicting signatures

    ariadne and strawberry have conflicting signatures

    While testing on an Ariadne engine sending query @deprecated {__typename} returned Directive '@deprecated' may not be used on query. which is the signature for strawberry.

    bug 
    opened by MdotTIM 3
  • Clone in README

    Clone in README

    Using [email protected]:dolevf/graphw00f.git will give you permission denied, It's suppose to be https://github.com/dolevf/graphw00f.git , just change it in your README file or a lot of people will get confused.

    opened by gotr00t0day 2
  • Feature: custom authorization header

    Feature: custom authorization header

    Hi !

    Great project ! Is it possible (or is it planned) to add a custom header? I have a graphql app with an secure auth and I would need to add an authorization header in the request. Is it possible ?

    Thanks ! Trobyss'

    edit: I just find the conf.py :) it would be cool if it was specified in the readme

    documentation 
    opened by Trobyss 2
  • Create an Attack Surface Matrix Document for AWS AppSync

    Create an Attack Surface Matrix Document for AWS AppSync

    Graphw00f 1.0.8 has a new AWS AppSync fingerprint signature. It will be useful to create an attack surface matrix markdown file under docs/ for it to list the type of security features it offers and whether its vulnerable by default to GraphQL-ish things.

    documentation good first issue 
    opened by dolevf 1
  • feat: add AWS AppSync fingerprint

    feat: add AWS AppSync fingerprint

    Hello @dolevf,

    I work at Escape, a platform that helps developers find and fix the security flaws of their GraphQL endpoint, directly inside the CI-CD pipeline.

    Therefore, I am glad to contribute to your repository to make GraphQL safer, by providing a detection for Aws AppSync which is largely used in the ecosystem.

    Hope you will find it useful.

    Btw, checkout our free tool, graphql.security to run dozens of GraphQL security tests for free, in ten seconds and without any sign-in. Also, results are private and not stored.

    opened by c3b5aw 1
  • Added --proxy and --burp options.

    Added --proxy and --burp options.

    Added support for explicit proxy specification through requests' built in proxy support. As a result, you don't need to rely on system proxies or set environment variables :)

    Using --proxy specifies an explicit proxy location. Using --burp uses the default Burp Suite proxy: 127.0.0.1:8080.

    opened by zw00sh 4
  • pyproject.toml

    pyproject.toml

    opened by noraj 2
  • refactor: logging consistency

    refactor: logging consistency

    Address #20

    • refactor: print to logging module.
    • refactor: fstring over format (Graphw00f is targeting python3)
    • feat: logger.py that contains logger setup that we can later adjust.
    • chore: drop color class
    opened by c3b5aw 1
  • feat: publish as pypi package

    feat: publish as pypi package

    Address #18

    • feat: added CD workflow | Will create release/push to pypi on tag.
    • feat: pyproject file
    • refactor: version system
    • refactor: moved scripts assets into the main repository

    Instead of doing python main.py which is an anti pattern and not sustainable, you will be able to install using pip and call it like graphw00f .... You are also able to call it using python -m graphw00f from a local directory.

    To setup the local env using poetry, install poetry (pip install poetry) and then do poetry install poetry shell.

    opened by c3b5aw 0
Releases(1.1.8)
Owner
Dolev Farhi
Security Engineering
Dolev Farhi
GitHub Repository
GraphQL framework for Python

Graphene 💬 Join the community on Slack We are looking for contributors! Please check the ROADMAP to see how you can help ❤️ The below readme is the d

GraphQL Python 7.5k Jan 01, 2023
GraphQL Engine built with Python 3.6+ / asyncio

Tartiflette is a GraphQL Server implementation built with Python 3.6+. Summary Motivation Status Usage Installation Installation dependencies Tartifle

tartiflette 839 Dec 31, 2022
Lavrigon - A Python Webservice to check the status of any given local service via a REST call

lavrigon A Python Webservice to check the status of any given local service via

3 Jan 02, 2022
Adds GraphQL support to your Flask application.

Flask-GraphQL Adds GraphQL support to your Flask application. Usage Just use the GraphQLView view from flask_graphql from flask import Flask from flas

GraphQL Python 1.3k Dec 31, 2022
RPyC (Remote Python Call) - A transparent and symmetric RPC library for python

RPyC (pronounced like are-pie-see), or Remote Python Call, is a transparent library for symmetrical remote procedure calls, clustering, and distribute

1.3k Jan 05, 2023
Django GraphQL To Do List Application

Django GraphQL Simple ToDo HOW TO RUN just run the following instructions: python -m venv venv pip install -r requirements.txt source venv/bin/activat

pedram shahsafi 1 Nov 13, 2021
Modular, cohesive, transparent and fast web server template

kingdom-python-server 🐍 Modular, transparent, batteries (half) included, lightning fast web server. Features a functional, isolated business layer wi

T10 20 Feb 08, 2022
Graphene MongoEngine integration

Graphene-Mongo A Mongoengine integration for Graphene. Installation For installing graphene-mongo, just run this command in your shell pip install gra

GraphQL Python 261 Dec 31, 2022
This is a simple Python that will parse instanceStats GraphQL Query into a CSV

GraphQL Python Labs - by Gabs the CSE Table of Contents About The Project Getting Started Prerequisites Installation and Usage Roadmap Contributing Li

Gabriel (Gabs) Cerioni 1 Oct 27, 2021
A Python 3.6+ port of the GraphQL.js reference implementation of GraphQL.

GraphQL-core 3 GraphQL-core 3 is a Python 3.6+ port of GraphQL.js, the JavaScript reference implementation for GraphQL, a query language for APIs crea

GraphQL Python 458 Dec 13, 2022
Ariadne is a Python library for implementing GraphQL servers using schema-first approach.

Ariadne Ariadne is a Python library for implementing GraphQL servers. Schema-first: Ariadne enables Python developers to use schema-first approach to

Mirumee Labs 1.9k Jan 01, 2023
Lightning fast and portable programming language!

Photon Documentation in English Lightning fast and portable programming language! What is Photon? Photon is a programming language aimed at filling th

William 58 Dec 27, 2022
tartiflette-aiohttp is a wrapper of aiohttp which includes the Tartiflette GraphQL Engine, do not hesitate to take a look of the Tartiflette project.

tartiflette-aiohttp is a wrapper of aiohttp which includes the Tartiflette GraphQL Engine. You can take a look at the Tartiflette API documentation. U

tartiflette 60 Nov 08, 2022
A small command-line tool for interacting with GQL APIs

igqloo A small tool for interacting with GQL APIs Arguments, mutations, aliases are all supported. Other features, such as fragments, are left unsuppo

Joshua Mottaz 7 Dec 20, 2021
Django Project with Rest and Graphql API's

Django-Rest-and-Graphql # 1. Django Project Setup With virtual environment: mkdir {project_name}. To install virtual Environment sudo apt-get install

Shubham Agrawal 5 Nov 22, 2022
A Django GraphQL Starter that uses graphene and graphene_django to interface GraphQL.

Django GraphQL Starter GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data... According to the doc

0101 Solutions 1 Jan 10, 2022
(Now finding maintainer) 🐍A Pythonic way to provide JWT authentication for Flask-GraphQL

Flask-GraphQL-Auth What is Flask-GraphQL-Auth? Flask-GraphQL-Auth is JWT decorator for flask-graphql inspired from Flask-JWT-Extended. all you have to

Seonghyeon Kim 64 Feb 19, 2022
A python graphql api, which serves ECB currency rates from last 90 days.

Exchange Rate Api using GraphQL Get Code git pull https://github.com/alaturqua/exchangerate-graphql.git Create .env file with following content and s

Isa 1 Nov 04, 2021
Integrate GraphQL with your Pydantic models

graphene-pydantic A Pydantic integration for Graphene. Installation pip install "graphene-pydantic" Examples Here is a simple Pydantic model: import u

GraphQL Python 179 Jan 02, 2023
Support for Apollo's Automatic Persisted Queries in Strawberry GraphQL 🍓

strawberry-apollo-apq Supporting Apollo's automatic persisted queries in Strawberry GraphQL 🍓 Notes Don't use this for production yet, unless you kno

Bas 3 May 17, 2022