GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs. GraphQL Cop is perfect for running CI/CD checks in GraphQL. It is lightweight, and covers interesting security issues in GraphQL.
GraphQL Cop allows you to reproduce the findings by providing cURL commands upon any identified vulnerabilities.
Requirements
Python3
Requests Library
Detections
Alias Overloading (DoS)
Batch Queries (DoS)
GET based Queries (CSRF)
POST based Queries using urlencoded payloads (CSRF)
GraphQL Tracing / Debug Modes (Info Leak)
Field Duplication (DoS)
Field Suggestions (Info Leak)
GraphiQL (Info Leak)
Introspection (Info Leak)
Directives Overloading (DoS)
Circular Query using Introspection (DoS)
Mutation support over GET methods (CSRF)
Usage
$ python graphql-cop.py -h
Usage: graphql-cop.py -t http://example.com -o json
Options:
-h, --help show this help message and exit
-t URL, --target=URL target url with the path
-H HEADER, --header=HEADER
Append Header to the request '{"Authorization":
"Bearer eyjt"}'
-o OUTPUT_JSON, --output=OUTPUT_JSON
Output results to stdout (JSON)
-x, --proxy Sends the request through http://127.0.0.1:8080 proxy
-v, --version Print out the current version and exit
Test a website
$ python3 graphql-cop.py -t https://mywebsite.com/graphql
GraphQL Cop 1.1
Security Auditor for GraphQL
Dolev Farhi & Nick Aleks
Starting...
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)
Test a website, dump to a parse-able JSON output, cURL reproduction command
Test a website using graphql-cop through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):
$ python3 graphql-cop.py -t https://mywebsite.com/graphql --proxy --header '{"Authorization": "Bearer token_here"}'
GraphQL Cop 1.2
Security Auditor for GraphQL
Dolev Farhi & Nick Aleks
Starting...
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)
请发表评论