GraphQL Cop: Security Audit Utility for GraphQL


GraphQL Cop is a small Python utility that runs common security tests against GraphQL APIs. It is lightweight, covers the GraphQL-specific security issues listed below, and is well suited to running as a check in CI/CD pipelines.

GraphQL Cop lets you reproduce each finding by printing a cURL command for every identified vulnerability.

Detections

  • Alias Overloading (DoS)
  • Batch Queries (DoS)
  • GET-based Queries (CSRF)
  • GraphQL Tracing / Debug Modes (Info Leak)
  • Field Duplication (DoS)
  • Field Suggestions (Info Leak)
  • GraphiQL (Info Leak)
  • Introspection (Info Leak)
  • Directives Overloading (DoS)
  • Circular Query using Introspection (DoS)
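The alias overloading, batch query, field duplication and directive overloading entries above are all resource-exhaustion patterns that can also be capped on the server side. The request guard below is an added example, not graphql-cop's own code; its thresholds, regular expressions and function names are assumptions, and it is a coarse regex heuristic over the raw request body rather than a full GraphQL parser.

```python
import json
import re
from collections import Counter

# Constructed thresholds for this example; tune them to the API's real workload.
MAX_BATCH = 5
MAX_ALIASES = 10
MAX_DIRECTIVES = 10
MAX_FIELD_REPEAT = 5

STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')     # string literals
ARG_LIST_RE = re.compile(r"\([^()]*\)")          # innermost argument list
ALIAS_RE = re.compile(r"\b[A-Za-z_]\w*\s*:\s*([A-Za-z_]\w*)")  # alias: field
DIRECTIVE_RE = re.compile(r"@[A-Za-z_]\w*")
WORD_RE = re.compile(r"\b[A-Za-z_]\w*\b")
KEYWORDS = {"query", "mutation", "subscription", "fragment", "on"}


def _strip_noise(query: str) -> str:
    """Remove string literals and argument lists so that `key: value`
    inside arguments or variable definitions is not counted as an alias."""
    q = STRING_RE.sub('""', query)
    while True:
        stripped = ARG_LIST_RE.sub("", q)
        if stripped == q:
            return q
        q = stripped


def analyze_operation(query: str) -> dict:
    """Count the constructs behind the alias, directive and field-duplication
    DoS checks for a single operation document."""
    q = _strip_noise(query)
    aliases = len(ALIAS_RE.findall(q))
    directives = len(DIRECTIVE_RE.findall(q))
    # Replace `alias: field` with `field`, drop directives, then measure how
    # often any single selection name is repeated in the document.
    fields = DIRECTIVE_RE.sub("", ALIAS_RE.sub(r"\1", q))
    counts = Counter(w for w in WORD_RE.findall(fields) if w not in KEYWORDS)
    return {"aliases": aliases, "directives": directives,
            "max_field_repeat": max(counts.values(), default=0)}


def check_request(body: str) -> list:
    """Return the reasons to reject a raw POST body (empty if it is acceptable).
    A JSON array body is treated as a batch of operations."""
    payload = json.loads(body)
    operations = payload if isinstance(payload, list) else [payload]
    reasons = []
    if len(operations) > MAX_BATCH:
        reasons.append(f"batch of {len(operations)} operations exceeds {MAX_BATCH}")
    for index, op in enumerate(operations):
        stats = analyze_operation(op.get("query", ""))
        for key, limit in (("aliases", MAX_ALIASES), ("directives", MAX_DIRECTIVES),
                           ("max_field_repeat", MAX_FIELD_REPEAT)):
            if stats[key] > limit:
                reasons.append(f"operation {index}: {key}={stats[key]} exceeds {limit}")
    return reasons
```

Run it in front of the resolver layer and reject any body for which `check_request` returns a non-empty list; an empty list means none of the four caps was exceeded.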

Install

Requirement

  • Python3
  • Requests Library

Download

git clone https://github.com/dolevf/graphql-cop.git

Use

GraphQL Security Audit Utility

Example

Test a website, dump the results as parseable JSON, and print the cURL reproduction commands:

Test a website using graphql-cop through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):


Copyright (c) 2022 Dolev Farhi

Source: https://github.com/dolevf/