GraphQL Cop: Security Audit Utility for GraphQL
GraphQL Cop is a small Python utility that runs common security tests against GraphQL APIs. It is lightweight, which makes it well suited to CI/CD checks, and it covers the GraphQL-specific security issues that matter in practice.
For every vulnerability it identifies, GraphQL Cop prints a cURL command so the finding can be reproduced by hand.
Detections
- Alias Overloading (DoS)
- Batch Queries (DoS)
- GET based Queries (CSRF)
- GraphQL Tracing / Debug Modes (Info Leak)
- Field Duplication (DoS)
- Field Suggestions (Info Leak)
- GraphiQL (Info Leak)
- Introspection (Info Leak)
- Directives Overloading (DoS)
- Circular Query using Introspection (DoS)
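As an added example (not GraphQL Cop's own code), the following Python classifies a server's responses for three of the detections above: Introspection, Field Suggestions and GET based Queries. The probe queries and the sample responses are constructed, so it runs offline; against a live endpoint the same functions would be fed the status and body returned by the Requests library.

```python
import json

# Added example (not GraphQL Cop's own code). Probe queries are illustrative;
# the sample responses at the bottom are constructed, so nothing hits the network.
INTROSPECTION_QUERY = "query { __schema { types { name } } }"
SUGGESTION_QUERY = "query { __typenam }"  # misspelt on purpose to elicit a hint

def _parse(body: str):
    """Return the decoded JSON object, or None if the body is not a JSON object."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return data if isinstance(data, dict) else None

def introspection_enabled(body: str) -> bool:
    """Introspection is on when the reply to INTROSPECTION_QUERY carries __schema."""
    data = _parse(body)
    return data is not None and "__schema" in (data.get("data") or {})

def field_suggestions_enabled(body: str) -> bool:
    """'Did you mean' hints leak valid field names even with introspection off."""
    data = _parse(body)
    if data is None:
        return False
    return any("Did you mean" in e.get("message", "")
               for e in data.get("errors", []) if isinstance(e, dict))

def get_queries_allowed(status: int, body: str) -> bool:
    """A query sent via HTTP GET that returns data was executed, so the endpoint
    is reachable from a cross-site <img>/<script> request (CSRF exposure)."""
    data = _parse(body) if status == 200 else None
    return data is not None and bool(data.get("data"))

# Constructed sample responses standing in for a live endpoint.
SAMPLE = {
    "introspection": '{"data":{"__schema":{"types":[{"name":"Query"}]}}}',
    "suggestions": ('{"errors":[{"message":"Cannot query field \\"__typenam\\" '
                    'on type \\"Query\\". Did you mean \\"__typename\\"?"}]}'),
    "get_status": 200,
    "get_body": '{"data":{"__typename":"Query"}}',
}

def audit(sample: dict) -> dict:
    # Run the three classifiers over one endpoint's responses.
    return {
        "introspection": introspection_enabled(sample["introspection"]),
        "field_suggestions": field_suggestions_enabled(sample["suggestions"]),
        "get_queries": get_queries_allowed(sample["get_status"], sample["get_body"]),
    }
```

A hardened server would return False for all three: introspection and suggestions disabled in production, and query execution restricted to POST.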
Install
Requirements
- Python 3
- The Requests library
Download
git clone https://github.com/dolevf/graphql-cop.git
Use
Example
Test a website, write the results as parseable JSON, and print a cURL reproduction command for each finding:
Test a website using graphql-cop through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):
Copyright (c) 2022 Dolev Farhi
Source: https://github.com/dolevf/