Mar 08, 2022 - 11:30 a.m.

GraphQL Cop - Security Auditor Utility For GraphQL APIs

www.kitploit.com
Tags: python, security, graphql, apis, alias overloading, batch queries, get based queries, tracing, debug modes, field duplication, field suggestions, graphiql, introspection, directives overloading

GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs.

Requirements

  • Python3
  • Requests Library

Detections

  • Alias Overloading (DoS)
  • Batch Queries (DoS)
  • GET based Queries (CSRF)
  • GraphQL Tracing / Debug Modes (Info Leak)
  • Field Duplication (DoS)
  • Field Suggestions (Info Leak)
  • GraphiQL (Info Leak)
  • Introspection (Info Leak)
  • Directives Overloading (DoS)
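To make the detection list concrete, the following is an added example written for this page; it is not GraphQL Cop's own code. It builds the probe payloads behind the alias overloading, field duplication, directive overloading, batch query and introspection checks, classifies constructed sample responses the way a scanner would (introspection, field suggestions, GET acceptance), and adds a simple server-side counter that would reject the DoS-style queries before execution. The thresholds, the use of `__typename` as a universal probe field, and the sample responses are assumptions made for illustration.

```python
import re
from collections import Counter

# --- Probe builders -------------------------------------------------------
# Each returns the body a client would send as {"query": ...}. They select
# __typename, which every GraphQL object type exposes, so no schema knowledge
# is needed. Default sizes match the thresholds quoted in GraphQL Cop's output.

def alias_overloading_query(n=100):
    """One operation selecting the same field under n different aliases."""
    return "query { " + " ".join(f"a{i}: __typename" for i in range(n)) + " }"

def field_duplication_query(n=1000):
    """One operation repeating the same field n times."""
    return "query { " + " ".join(["__typename"] * n) + " }"

def directive_overloading_query(n=10):
    """One field carrying n copies of the same directive."""
    return "query { __typename " + " ".join(["@include(if: true)"] * n) + " }"

def batch_payload(n=10):
    """JSON-array batching: n operations inside a single HTTP request."""
    return [{"query": "query { __typename }"} for _ in range(n)]

INTROSPECTION_QUERY = "query { __schema { types { name } } }"

# --- Response classifiers -------------------------------------------------
# Each takes the parsed JSON body of a GraphQL response.

def introspection_enabled(body):
    """Introspection is on if the server answered __schema with an object."""
    return isinstance((body.get("data") or {}).get("__schema"), dict)

def field_suggestions_enabled(body):
    """graphql-js style 'Did you mean ...?' errors leak valid field names."""
    return any("did you mean" in (e.get("message") or "").lower()
               for e in body.get("errors") or [])

def get_query_accepted(status_code, body):
    """A GET ?query=... that returns data can be triggered cross-site from an
    <img> or <a> with no CORS preflight, which is the CSRF concern."""
    return status_code == 200 and "data" in body and not body.get("errors")

# --- Server-side guard ----------------------------------------------------
# A cheap pre-parse check a server could run before executing an operation.
# It counts on the raw text, so it is a heuristic; the limits are illustrative
# assumptions, not thresholds recommended by GraphQL Cop.

def query_limits(query, max_aliases=50, max_same_field=20, max_directives=5):
    directives = len(re.findall(r"@\w+", query))
    stripped = re.sub(r"\([^)]*\)", "", query)      # drop argument lists
    stripped = re.sub(r"@\w+", "", stripped)        # drop directive names
    aliases = len(re.findall(r"\b\w+\s*:\s*\w+", stripped))
    keywords = {"query", "mutation", "subscription", "fragment", "on"}
    fields = [t for t in re.findall(r"[A-Za-z_]\w*", stripped) if t not in keywords]
    same_field = max(Counter(fields).values(), default=0)
    return {
        "aliases": aliases,
        "directives": directives,
        "max_same_field": same_field,
        "exceeded": (aliases > max_aliases or same_field > max_same_field
                     or directives > max_directives),
    }

# Constructed sample responses (not captured from any real server).
SAMPLE_INTROSPECTION_OK = {"data": {"__schema": {"types": [{"name": "Query"}]}}}
SAMPLE_SUGGESTION = {"errors": [{"message":
    'Cannot query field "nam" on type "User". Did you mean "name"?'}]}
SAMPLE_LOCKED_DOWN = {"errors": [{"message": "introspection is disabled"}]}

if __name__ == "__main__":
    print("introspection:", introspection_enabled(SAMPLE_INTROSPECTION_OK))
    print("suggestions:", field_suggestions_enabled(SAMPLE_SUGGESTION))
    for q in (alias_overloading_query(), field_duplication_query(),
              directive_overloading_query(), "query { user(id: 1) { name } }"):
        print(query_limits(q)["exceeded"], q[:40])
```

The three DoS probes are real load: 1000 repeated fields or 100 aliases each cost the server a resolver call, so send them only against a target you are authorised to test and preferably not production. The `query_limits` counter is deliberately text-based to keep the example short; a production guard should walk the parsed operation (depth, alias count, complexity) rather than regex over the source.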

Usage


python3 main.py -t https://mywebsite.com/graphql  
  
                GraphQL Cop 1.0  
           Security    Auditor for GraphQL  
         Dolev Farhi <[email protected]>  
    
Starting...  
[HIGH] Introspection Query Enabled (Information Leakage)  
[LOW] GraphQL Playground UI (Information Leakage)  
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)  
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)  
  
python3 main.py -t https://mywebsite.com/graphql -o json  
  
{'Field Suggestions': {'severity': 'LOW', 'impact': 'Information Leakage', 'description': 'Field Suggestions are Enabled'}, 'Introspection': {'severity': 'HIGH', 'impact': 'Information Leakage', 'description': 'Introspection Query Enabled'}, 'Possible CSRF (GET)': {'severity': 'LOW', 'impact': 'Possible CSRF', 'description': 'HTTP GET method supported (maybe CSRF)'}, 'Alias Overloading': {'severity': 'HIGH', 'impact': 'Denial of Service', 'description': 'Alias Overloading with 100+ aliases is allowed'}, 'Field Duplication': {'severity': 'HIGH', 'impact': 'Denial of Service', 'description': 'Queries are allowed with 1000+ of the same repeated field'}, 'Directive Overloading': {'severity': 'HIGH', 'impact': 'Denial of Service', 'description': 'Multiple duplicated directives allowed in a query'}}  

Download Graphql-Cop