About graphw00f
graphw00f is a fingerprinting tool for GraphQL endpoints. It sends both benign and malformed query requests to help researchers identify the GraphQL engine running behind the target application.
For each technology it identifies, graphw00f points researchers to a summary of the security defenses that engine supports and whether each protection is enabled or disabled by default. Carefully constructed requests cause different GraphQL servers to respond differently to queries, mutations, and subscriptions; these differences are what make it possible to fingerprint the backend engine and tell GraphQL implementations apart.
Security Detection

The current version of graphw00f will attempt to detect and identify the following GraphQL engines:
Graphene - Python
Ariadne - Python
Apollo - TypeScript
graphql-go - Go
gqlgen - Go
WPGraphQL - PHP
GraphQL API for WordPress - PHP
graphql-ruby - Ruby
graphql-php - PHP
Hasura - Haskell
HyperGraphQL - Java
graphql-java - Java
Juniper - Rust
Sangria - Scala
Flutter - Dart
Diana.jl - Julia
Strawberry - Python
Tartiflette - Python
GraphQL Technology Defense Matrix
Each fingerprinted technology (Graphene, Ariadne, and so on) has an accompanying document (for example, the one for Graphene) covering the security defense mechanisms that technology supports, so that its attack surface can be understood before any testing begins.
| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode | Batch Requests |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default | No Support | No Support | No Support | Enabled by Default | N/A | Off by Default |
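As an added example (not code from graphw00f or the original post), the following Python script checks an endpoint you operate against three columns of the matrix above: Introspection, Field Suggestions and Batch Requests, so you can confirm that the defaults you rely on are actually in effect. It assumes the endpoint accepts JSON POST bodies and that field suggestions use the graphql-js style "Did you mean" wording; the probe queries and sample responses are constructed for illustration.

```python
import json
import sys

# Constructed probe queries (not graphw00f's own). The second one deliberately
# misspells __schema so that an engine with field suggestions enabled proposes the fix.
INTROSPECTION_QUERY = "{ __schema { queryType { name } } }"
TYPO_QUERY = "{ __schem { queryType { name } } }"
BATCH_QUERY = [{"query": "{ __typename }"}, {"query": "{ __typename }"}]

def introspection_enabled(resp):
    """True when the server answered the __schema query with data."""
    data = resp.get("data") if isinstance(resp, dict) else None
    return isinstance(data, dict) and data.get("__schema") is not None

def field_suggestions_enabled(resp):
    """True when an error message proposes another field name.
    Assumption: graphql-js style 'Did you mean' wording; other engines may differ."""
    errors = (resp.get("errors") or []) if isinstance(resp, dict) else []
    return any("Did you mean" in (e.get("message") or "") for e in errors)

def batch_requests_enabled(resp):
    """True when an array of operations came back as an array of results."""
    return isinstance(resp, list) and len(resp) == len(BATCH_QUERY)

def posture(introspection_resp, typo_resp, batch_resp):
    """Map the three raw JSON responses to matrix-style findings."""
    return {
        "Introspection": "Enabled" if introspection_enabled(introspection_resp) else "Disabled",
        "Field Suggestions": "On" if field_suggestions_enabled(typo_resp) else "Off",
        "Batch Requests": "On" if batch_requests_enabled(batch_resp) else "Off",
    }

def audit(url, timeout=10):
    """POST the three probes to an endpoint you operate and summarise the result."""
    import requests  # the page lists requests as a dependency; imported lazily so the classifiers stay stdlib-only

    def post(body):
        try:
            return requests.post(url, json=body, timeout=timeout).json()
        except ValueError:  # non-JSON body (e.g. an HTML error page) counts as not enabled
            return {}

    return posture(post({"query": INTROSPECTION_QUERY}), post({"query": TYPO_QUERY}), post(BATCH_QUERY))

if __name__ == "__main__":
    print(json.dumps(audit(sys.argv[1]), indent=2))
```

Run it with the URL of your own endpoint as the only argument; the three findings are printed as JSON in the same terms the matrix uses.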
Tool Dependencies
python3
requests
Tool Installation & Running
Firstly, we need to use the following command to clone the project source code locally:
git clone git@github.com:dolevf/graphw00f.git
Next, run graphw00f using the following command and view the tool's help information:
python3 main.py -h
Usage: main.py -t http://example.com/graphql -f

Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -f, --fingerprint     fingerprint mode
  -d, --detect          detect mode
  -T TIMEOUT, --timeout=TIMEOUT
                        Request timeout in seconds
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies that graphw00f can detect
  -v, --version         Print out the current version and exit.
Tool usage
Identify GraphQL fingerprint
In this example, we run graphw00f in fingerprint mode against a known GraphQL endpoint:
python3 main.py -f -t https://demo.hypergraphql.org:8484/graphql

                +-------------------+
                |     graphw00f     |
                +-------------------+
                  ***            ***
                **                  ***
              **                       **
     +--------------+              +--------------+
     |    Node X    |              |    Node Y    |
     +--------------+              +--------------+
                ***                  ***
                   **              **
                     **          **
                    +------------+
                    |   Node Z   |
                    +------------+

graphw00f - v1.0.4
The fingerprinting tool for GraphQL
Dolev Farhi <dolev@lethalbit.com>

[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.
Detect and identify GraphQL fingerprints
In this example, graphw00f first runs in detect mode to find where GraphQL is served on the host, then fingerprints the endpoint it found:
python3 main.py -f -d -t http://localhost:5000

                +-------------------+
                |     graphw00f     |
                +-------------------+
                  ***            ***
                **                  ***
              **                       **
     +--------------+              +--------------+
     |    Node X    |              |    Node Y    |
     +--------------+              +--------------+
                ***                  ***
                   **              **
                     **          **
                    +------------+
                    |   Node Z   |
                    +------------+

graphw00f - v1.0.4
The fingerprinting tool for GraphQL
Dolev Farhi <dolev@lethalbit.com>

[*] Checking http://dvga.example.local:5000/graphql
[!] Found GraphQL at http://dvga.example.local:5000/graphql
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (Graphene)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/graphene.md
[!] Technologies: Python
[!] Homepage: https://graphene-python.org
[*] Completed.
Project address
graphw00f: https://github.com/dolevf/graphw00f
Reference materials
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/