graphw00f is Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.

Related tags

GraphQLgraphqlsecurityenumerationpenetration-testingfingerprintinginformation-gathering
Overview


graphw00f - GraphQL Server Fingerprinting

graphw00f (inspired by wafw00f) is the GraphQL fingerprinting tool for GQL endpoints.

Table of Contents

How does it work?

graphw00f is a Python utility which sends a mix of benign and malformed queries to determine the GraphQL engine running behind the scenes. graphw00f will provide insights into what security defences each technology provides out of the box, and whether they are on or off by default.

Specially crafted queries cause different GraphQL server implementations to respond uniquely to queries, mutations and subscriptions, this makes it trivial to fingerprint the backend engine and distinguish between the various GraphQL implementations. (CWE: CWE-200)

Detections

graphw00f currently attempts to discover the following GraphQL engines:

  • Graphene - Python
  • Ariadne - Python
  • Apollo - TypeScript
  • graphql-go - Go
  • gqlgen - Go
  • WPGraphQL - PHP
  • GraphQL API for Wordpress - PHP
  • Ruby - GraphQL
  • graphql-php - PHP
  • Hasura - Haskell
  • HyperGraphQL - Java
  • graphql-java - Java
  • Juniper - Rust
  • Sangria - Scala
  • Flutter - Dart
  • Diana.jl - Julia
  • Strawberry - Python
  • Tartiflette - Python

GraphQL Technologies Defence Matrices

Each fingerprinted technology (e.g. Graphene, Ariadne, ...) has an associated document (example for graphene) which covers the security defence mechanisms the specific technology supports to give a better idea how the implementation may be attacked.

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |

Prerequisites

  • python3
  • requests

Installation

Clone Repository

git clone [email protected]:dolevf/graphw00f.git

Run graphw00f

python3 main.py -h

Usage: main.py -h

Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies graphw00f is able to
                        detect
  -v, --version         Print out the current version and exit.

Example

python3 main.py -t http://127.0.0.1:5000/graphql

                +-------------------+                 
                |     graphw00f     |                 
                +-------------------+                 
                  ***            ***                  
                **                  ***               
              **                       **             
    +--------------+              +--------------+       
    |    Node X    |              |    Node Y    |       
    +--------------+              +--------------+     
                  ***            ***                  
                     **        **                     
                       **    **                       
                    +------------+                      
                    |   Node Z   |                      
                    +------------+    

                graphw00f - v1.0.0
          The fingerprinting tool for GraphQL
  
[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.

Support and Issues

Any issues with graphw00f such as false positives, inaccurate detections, bugs, etc. please create a GitHub issue with environment details.

Resources

Want to learn more about GraphQL? head over to my other project and hack GraphQL away: Damn Vulnerable GraphQL Application

Comments
  • Fingerprinting crashes - possibly due to large Auth. Header?

    Fingerprinting crashes - possibly due to large Auth. Header?

    Hello @dolevf,

    I have been trying to fingerprint a graphql endpoint (sandboxed) for as part of a bug bounty program, but it keeps crashing:

    ~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql

                +-------------------+
            |     graphw00f     |
            +-------------------+
              ***            ***
            **                  **
          **                      **
+--------------+              +--------------+
|    Node X    |              |    Node Y    |
+--------------+              +--------------+
              ***            ***
                 **        **
                   **    **
                +------------+
                |   Node Z   |
                +------------+

            graphw00f - v1.1.3
      The fingerprinting tool for GraphQL
       Dolev Farhi <[email protected]>

    [*] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql... [!] Found GraphQL. [*] Attempting to fingerprint... Traceback (most recent call last): File "/home/andrew/graphw00f/main.py", line 153, in main() File "/home/andrew/graphw00f/main.py", line 129, in main result = g.execute(url) File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute elif self.engine_graphene(): File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene if error_contains(response, 'Syntax Error GraphQL (1:1)'): File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains err_message = i.get(part, '') AttributeError: 'str' object has no attribute 'get'

    To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I maybe wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost graphql installation.

    Cheers.

    question 
    opened by Sorren1969 5
  • ariadne and strawberry have conflicting signatures

    ariadne and strawberry have conflicting signatures

    While testing on an Ariadne engine sending query @deprecated {__typename} returned Directive '@deprecated' may not be used on query. which is the signature for strawberry.

    bug 
    opened by MdotTIM 3
  • Clone in README

    Clone in README

    Using [email protected]:dolevf/graphw00f.git will give you permission denied, It's suppose to be https://github.com/dolevf/graphw00f.git , just change it in your README file or a lot of people will get confused.

    opened by gotr00t0day 2
  • Feature: custom authorization header

    Feature: custom authorization header

    Hi !

    Great project ! Is it possible (or is it planned) to add a custom header? I have a graphql app with an secure auth and I would need to add an authorization header in the request. Is it possible ?

    Thanks ! Trobyss'

    edit: I just find the conf.py :) it would be cool if it was specified in the readme

    documentation 
    opened by Trobyss 2
  • Create an Attack Surface Matrix Document for AWS AppSync

    Create an Attack Surface Matrix Document for AWS AppSync

    Graphw00f 1.0.8 has a new AWS AppSync fingerprint signature. It will be useful to create an attack surface matrix markdown file under docs/ for it to list the type of security features it offers and whether its vulnerable by default to GraphQL-ish things.

    documentation good first issue 
    opened by dolevf 1
  • feat: add AWS AppSync fingerprint

    feat: add AWS AppSync fingerprint

    Hello @dolevf,

    I work at Escape, a platform that helps developers find and fix the security flaws of their GraphQL endpoint, directly inside the CI-CD pipeline.

    Therefore, I am glad to contribute to your repository to make GraphQL safer, by providing a detection for Aws AppSync which is largely used in the ecosystem.

    Hope you will find it useful.

    Btw, checkout our free tool, graphql.security to run dozens of GraphQL security tests for free, in ten seconds and without any sign-in. Also, results are private and not stored.

    opened by c3b5aw 1
  • Added --proxy and --burp options.

    Added --proxy and --burp options.

    Added support for explicit proxy specification through requests' built in proxy support. As a result, you don't need to rely on system proxies or set environment variables :)

    Using --proxy specifies an explicit proxy location. Using --burp uses the default Burp Suite proxy: 127.0.0.1:8080.

    opened by zw00sh 4
  • pyproject.toml

    pyproject.toml

    opened by noraj 2
  • refactor: logging consistency

    refactor: logging consistency

    Address #20

    • refactor: print to logging module.
    • refactor: fstring over format (Graphw00f is targeting python3)
    • feat: logger.py that contains logger setup that we can later adjust.
    • chore: drop color class
    opened by c3b5aw 1
  • feat: publish as pypi package

    feat: publish as pypi package

    Address #18

    • feat: added CD workflow | Will create release/push to pypi on tag.
    • feat: pyproject file
    • refactor: version system
    • refactor: moved scripts assets into the main repository

    Instead of doing python main.py which is an anti pattern and not sustainable, you will be able to install using pip and call it like graphw00f .... You are also able to call it using python -m graphw00f from a local directory.

    To setup the local env using poetry, install poetry (pip install poetry) and then do poetry install poetry shell.

    opened by c3b5aw 0
Releases(1.1.8)
Owner
Dolev Farhi
Security Engineering
Dolev Farhi
GitHub Repository
Modular, cohesive, transparent and fast web server template

kingdom-python-server 🐍 Modular, transparent, batteries (half) included, lightning fast web server. Features a functional, isolated business layer wi

T10 20 Feb 08, 2022
GraphQL Engine built with Python 3.6+ / asyncio

Tartiflette is a GraphQL Server implementation built with Python 3.6+. Summary Motivation Status Usage Installation Installation dependencies Tartifle

tartiflette 839 Dec 31, 2022
ReplAPI.it A Simple and Complete Replit API Package

Notice: Currently this project is just a framework. It does not work yet. If you want to get updated when 1.0.0 is released, then click Watch - Custo

The ReplAPI.it Project 10 Jun 05, 2022
Adds GraphQL support to your Flask application.

Flask-GraphQL Adds GraphQL support to your Flask application. Usage Just use the GraphQLView view from flask_graphql from flask import Flask from flas

GraphQL Python 1.3k Dec 31, 2022
Fastapi strawberry graphql

fastapi-strawberry-graphql Quick and dirty 🍓 python python --version Python 3.10 pip pip install sqlalchemy pip install sqlmodel pip install fastapi

Rodrigo Ney 7 Oct 19, 2022
(Now finding maintainer) 🐍A Pythonic way to provide JWT authentication for Flask-GraphQL

Flask-GraphQL-Auth What is Flask-GraphQL-Auth? Flask-GraphQL-Auth is JWT decorator for flask-graphql inspired from Flask-JWT-Extended. all you have to

Seonghyeon Kim 64 Feb 19, 2022
Django registration and authentication with GraphQL.

Django GraphQL Auth Django registration and authentication with GraphQL. Demo About Abstract all the basic logic of handling user accounts out of your

pedrobern 301 Dec 09, 2022
Python script to like all posts from a selected Anilist profile

AniLiker: A python autoliker What's the point of this project? This project was a way to learn GraphQL, and also create a project that I've been inter

Iván Pérez 9 Nov 25, 2022
MGE-GraphQL is a Python library for building GraphQL mutations fast and easily

MGE-GraphQL Introduction MGE-GraphQL is a Python library for building GraphQL mutations fast and easily. Data Validations: A similar data validation w

MGE Software 4 Apr 23, 2022
An unofficial Blender add-on for Autodesk's Arnold render engine.

Arnold for Blender Arnold for Blender (or BtoA) provides a bridge to the Arnold renderer from within Blender's standard interface. BtoA is an unoffici

Luna Digital, Ltd. 89 Dec 28, 2022
GraphQL framework for Python

Graphene 💬 Join the community on Slack We are looking for contributors! Please check the ROADMAP to see how you can help ❤️ The below readme is the d

GraphQL Python 7.5k Jan 01, 2023
Burp Suite extension to log GraphQL operations as a comment

Burp GraphQL Logger A very simple, straightforward extension that logs GraphQL operations as a comment in the Proxy view. To enable the highlight, unc

22 Jul 02, 2022
This is a graphql api build using ariadne python that serves a graphql-endpoint at port 3002 to perform language translation and identification using deep learning in python pytorch.

Language Translation and Identification this machine/deep learning api that will be served as a graphql-api using ariadne, to perform the following ta

crispengari 2 Dec 30, 2021
Enable idempotent operations in POST and PATCH endpoints

Idempotency Header ASGI Middleware A middleware for making POST and PATCH endpoints idempotent. The purpose of the middleware is to guarantee that exe

Sondre Lillebø Gundersen 12 Dec 28, 2022
Integrate GraphQL with your Pydantic models

graphene-pydantic A Pydantic integration for Graphene. Installation pip install "graphene-pydantic" Examples Here is a simple Pydantic model: import u

GraphQL Python 179 Jan 02, 2023
Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.

Graphinder Graphinder is a tool that extracts all GraphQL endpoints from a given domain. Run with docker docker run -it -v $(pwd):/usr/bin/graphinder

Escape 76 Dec 28, 2022
Gerenciar a velocidade da internet banda larga

Monitoramento da Velocidade da internet 📶 Status do Projeto: ✔️ (pronto) Tópicos ✍️ Descrição do projeto Funcionalidades Deploy da Aplicação Pré-requ

Bárbara Guerbas de Figueiredo 147 Nov 02, 2022
Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

Tyk API Gateway Tyk is an open source Enterprise API Gateway, supporting REST, GraphQL, TCP and gRPC protocols. Tyk Gateway is provided ‘Batteries-inc

Tyk Technologies 8k Jan 09, 2023
Ariadne is a Python library for implementing GraphQL servers using schema-first approach.

Ariadne Ariadne is a Python library for implementing GraphQL servers. Schema-first: Ariadne enables Python developers to use schema-first approach to

Mirumee Labs 1.9k Jan 01, 2023
GraphQL framework for Python

Graphene 💬 Join the community on Slack We are looking for contributors! Please check the ROADMAP to see how you can help ❤️ The below readme is the d

GraphQL Python 7.5k Jan 01, 2023