Sec-88
  • 🧑Whoami
  • 🕸️Web-AppSec
    • Features Abuse
      • 2FA
      • Ban Feature
      • CAPTCHA
      • Commenting
      • Contact us
      • File-Upload
      • Inviting Feature
      • Messaging Features
      • Money-Related Features
      • Newsletter
      • Profile - Settings
      • Registration
      • Reset Password
      • Review
      • Rich Editor/Text
      • Social Sharing
      • Billing-Shipping Address Management
      • Integrations - Webhooks
      • API Key Management
    • Reconnaissance
      • Attacking Organizations with big scopes
    • Subdomain Enumeration
    • Fingerprinting
    • Dorking
    • XSS-HTML Injection
    • Improper Authentication
      • JWT Security
    • OAUTH Misconfigurations
      • OAuth 2.0 Basics
      • OAUTH Misconfigurations
    • Auth0 Misconfigurations
    • Broken Access Control
      • Insecure Direct Object References (IDOR)
      • 403 Bypass
    • Broken Link Injection
    • Command Injection
    • CORS
    • CRLF
    • CSRF
    • Host Header Attacks
    • HTTP request smuggling
    • JSON Request Testing
    • LFI
      • LFI to RCE
    • No Rate Limit
    • Parameters Manual Testing
    • Open Redirect
    • Registration & Takeover Bugs
    • Remote Code Execution (RCE)
    • Session Fixation
    • SQL Injection
      • SQL To RCE
    • SSRF
    • SSTI
    • Subdomain Takeover
    • Web Caching Vulnerabilities
    • WebSockets
    • XXE
      • XXE to RCE
    • Cookie Based Attacks
    • CMS
      • AEM [Adobe CMS]
    • XSSI (Cross Site Script Inclusion)
    • NoSQL injection
    • Local VS Remote Session Fixation
    • Protection
      • Security Mechanisms for Websites
      • Cookie Flags
      • SameSite Cookie Restrictions
      • Same-origin policy (SOP)
      • CSP
    • Hacking IIS Applications
    • Dependency Confusion
    • Attacking Secondary Context
    • Hacking Web Sockets
    • IDN Homograph Attack
    • DNS Rebinding Attack
    • LLM Hacking Checklist
    • Bypass URL Filtration
    • Cross-Site Path Traversal (CSPT)
    • PostMessage Security
    • Prototype Pollution
      • Client-Side Prototype Pollution
      • Server-Side prototype pollution
    • Tools-Extensions-Bookmarks
    • WAF Bypassing Techniques
    • SSL/TLS Certificate Lifecycle
    • Serialization in .NET
    • Client-Side Attacks
      • JavaScript Analysis
    • Bug Bounty Platforms/Programs
  • ✉️API-Sec
    • GraphQL API Security Testing
      • The Basics
      • GraphQL Communication
      • Setting Up a Vulnerable GraphQL Server
      • GraphQL Hacking Tools
      • GraphQL Attack Surface
      • RECONNAISSANCE
      • GraphQL DOS
      • Information Disclosure
      • AUTHENTICATION AND AUTHORIZATION BYPASSES
      • Injection Vulnerabilities in GraphQL
      • REQUEST FORGERY AND HIJACKING
      • VULNERABILITIES, REPORTS AND EXPLOITS
      • GraphQL Hacking Checklist
    • API Recon
    • API Token Attacks
    • Broken Object Level Authorization (BOLA)
    • Broken Authentication
    • Evasive Maneuvers
    • Improper Assets Management
    • Mass Assignment Attacks
    • SSRF
    • Injection Vulnerabilities
    • Excessive Data Exposure
    • OWASP API TOP 10 MindMap
    • Scanning APIs with OWASP ZAP
  • 📱Android-AppSec
    • Setup Android App Pentesting environment on Arch
    • Setup Android App Pentesting environment on Mac M4
    • Setup Android Pentesting Environment on Debian Linux
    • Android App Fundamentals
      • Android Architecture
      • Android Security Model
      • Android App Components
        • Intents
        • Pending Intents
    • Android App Components Security Cheatsheet
    • Android App Pentesting Checklist
    • How To Get APK file for application
    • ADB Commands
    • APK structure
    • Android Permissions
    • Exported Activity Hacking
    • BroadcastReceiver Hacking
    • Content Provider Hacking
    • Signing the APK
    • Reverse Engineering APK
    • Deep Links Hacking
    • Drozer Cheat Sheet
    • SMALI
      • SMALI Cheat Sheet
      • Smali Code Patching Guide
    • Intent Redirection Vulnerability
    • Janus Vulnerability (CVE-2017-13156)
    • Task Hijacking
    • Hacking Labs
      • Injured Android
      • Hacking the VulnWebView Lab
      • Hacking InsecureBankv2 App
    • Frida Cheat Sheet
  • 📶Network-Sec
    • Networking Fundamentals
    • Open Ports Security Testing
    • Vulnerability Scanning
    • Client Side Attacks
    • Port Redirection and Tunneling
    • Password Attacks
    • Privilege Escalation [PrevEsc]
      • Linux Privilege Escalation
    • Buffer Overflow (BOF)
      • VulnServer
      • Sync Breez Enterprize
      • Crashed CTF
      • BOF for Linux
    • AV Evasion
    • Post Exploitation
      • File Transfer
      • Maintaining Access
      • Pivoting
      • Clean Up
    • Active Directory
      • Basic AD Pentesting
  • 💻Desktop AppSec
    • Thin Client vs. Thick Client
  • ☁️Cloud Sec
    • Salesforce Hacking
      • Basics
      • Salesforce SAAS Apps Hacking
    • Firebase
    • S3 Buckets Misconfigurations
  • 👨‍💻Programming
    • HTML
    • JavaScript (JS)
      • window.location object
    • Python
      • Python Tips
      • Set
        • SetMethods
    • JAVA
      • Java Essentials
      • Java Essentials Code Notes
      • Java OOP1
      • JAVA OOP Principles
        • Inheritance
        • Method Overriding
        • Abstract Class
        • Interface
        • polymorphism
        • Encapsulation
        • Composition
      • Java OOP Challenges
      • Exception Handling
    • Go
      • Go Syntax Tutorial in one file
      • Methods and Interfaces
      • Go Slices
      • Go Maps
      • Go Functions
      • Concurrency
      • Read Files
      • Write Files
      • Package
        • How to make personal Package
        • regexp Packages
        • Json
        • bufio
        • Time
      • Signals-Exit
      • Unit Testing
  • 🖥️Operating Systems
    • Linux
      • Linux Commands
      • Tools
      • Linux File System
      • Bash Scripting guide
      • tmux
      • Git
      • Install Go tools from private repositories using GitHub PAT
    • VPS
    • Burp Suite
  • ✍️Write-Ups
    • Hunting Methodology
    • API BAC leads to PII Data Disclosure
    • Misconfigured OATUH leads to Pre-Account Takeover
    • Automating Bug Bounty with GitHub Actions
    • From Recon to Reward: My Bug Bounty Methodology when Hunting on Public Bug Bounty Programs
    • Exploring Subdomains: From Enumeration to Takeover Victory
    • 0-Click Account Takeover via Insecure Password Reset Feature
    • How a Simple Click Can Lead to Account Takeover: An OAuth Insecure Implementation Vulnerability
    • The Power Of IDOR even if it is unpredictable IDs
    • Unlocking the Weak Spot: Exploiting Insecure Password Reset Tokens
    • AI Under Siege: Discovering and Exploiting Vulnerabilities
    • Inside the Classroom: How We Hacked Our Way Past Authorization on a Leading EdTech Platform
    • How We Secured Our Client’s Platform Against Interaction-Free Account Thefts
    • Unchecked Privileges: The Hidden Risk of Role Escalation in Collaborative Platforms
    • Decoding Server Behavior: The Key to Mass Account Takeover
    • Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management
    • How We Turned a Medium XSS into a High Bounty by Bypassing HttpOnly Cookie
Powered by GitBook
On this page
  • Burp Suite
  • Clairvoyance
  • InQL
  • Graphw00f
  • BatchQL
  • Nmap
  • Commix
  • graphql-path-enum
  • EyeWitness
  • GraphQL Cop
  • CrackQL

Was this helpful?

Edit on GitHub
  1. API-Sec
  2. GraphQL API Security Testing

GraphQL Hacking Tools

PreviousSetting Up a Vulnerable GraphQL ServerNextGraphQL Attack Surface

Last updated 5 months ago

Was this helpful?

Burp Suite

Burp Suite, developed by PortSwigger, is a powerful tool for web application security testing. It acts as a proxy between your browser and the target application, allowing you to intercept, modify, and replay HTTP requests. In this GraphQL security lab, we will use Burp Suite to manually inspect and modify GraphQL queries before they are sent to the target server.

Most recent versions of Kali come with Burp Suite pre-installed. To check if it’s available, open a terminal and run the following command:

sudo apt install burpsuite -y

Next, launch Burp Suite by searching for it in the Kali Applications menu. When it first starts, accept the Terms and Conditions, then select Temporary Project and click Next. For the configuration file, choose Use Burp Defaults and click Start Burp.

To ensure Burp Suite can proxy HTTP traffic, click on Proxy > Intercept > Open Browser. In the opened browser, navigate to http://localhost:5013/graphiql. This will generate a GET request to DVGA, which Burp Suite should intercept.

Note: Burp Suite’s embedded browser automatically configures proxy settings, making it easy to intercept traffic without additional setup.

Burp Suite will highlight the Intercept tab (usually orange) when it intercepts a request. You’ll see the GET request from the browser, and you can modify it before it is sent to the server. Click Intercept is On to release the request and allow it to continue.

We’ve now verified Burp Suite is working! For a deeper dive into this tool, consult its official documentation at .

Clairvoyance

Clairvoyance is a Python-based reconnaissance tool for GraphQL APIs. It helps in discovering GraphQL schema information, especially when introspection queries are disabled by the server. This is particularly useful when dealing with production environments that restrict introspection.

Install Clairvoyance by running the following commands:

cd ~
git clone https://github.com/nikitastupin/clairvoyance.git
cd clairvoyance

To check that Clairvoyance is installed correctly, use the following command:

python3 -m clairvoyance -h

Clairvoyance works by exploiting field suggestions in GraphQL, enabling it to reconstruct schemas by querying the server with a dictionary of common words. This process will be explained in detail in Chapter 6.

InQL

InQL is another powerful tool developed by Doyensec for introspection-based GraphQL security testing. It allows for querying GraphQL schemas and exporting schema data in various formats, which is crucial for understanding how the GraphQL API operates.

To install InQL, run the following:

cd ~
git clone https://github.com/doyensec/inql.git
cd inql
sudo python3 setup.py install

After installation, verify the tool works by running:

inql -h

InQL can also be used as a Burp Suite extension called Introspection GraphQL Scanner, available on the BApp Store. We will use the command-line version for our exercises.

Graphw00f

Graphw00f is a tool for fingerprinting GraphQL server implementations. It analyzes responses from GraphQL APIs to identify the backend technologies, which is useful when tailoring penetration tests for specific platforms.

To install Graphw00f, run the following commands:

cd ~
git clone https://github.com/dolevf/graphw00f.git
cd graphw00f

Check if it’s working by running:

python3 main.py --help

BatchQL

BatchQL is a Python script that focuses on identifying flaws in GraphQL servers related to batching (sending multiple queries in one HTTP request), including issues like DoS, CSRF, and information disclosure vulnerabilities.

To install BatchQL, run:

cd ~
git clone https://github.com/assetnote/batchql.git

To verify that BatchQL works, use the following command:

cd batchql
python3 batch.py -h

Nmap

Nmap is a versatile tool used for network discovery and vulnerability scanning. Kali Linux comes pre-installed with Nmap, but to ensure it’s available, run:

sudo apt install nmap -y

Next, download the Nmap GraphQL introspection script and place it in the Nmap scripts folder:

cd ~
git clone https://github.com/dolevf/nmap-graphql-introspection-nse.git
cd nmap-graphql-introspection-nse
sudo cp graphql-introspection.nse /usr/share/nmap/scripts

Verify it works with:

nmap --script-help graphql-introspection.nse

Commix

Commix is an open-source tool designed for command injection exploitation. It automates finding and exploiting command injection vulnerabilities in web applications, including GraphQL APIs.

To install Commix, run:

sudo apt install commix -y
commix -h

graphql-path-enum

This Rust-based tool helps find paths to specific data within a GraphQL schema, which is useful for identifying authorization flaws in GraphQL queries.

Install graphql-path-enum by running the following:

cd ~
wget "https://gitlab.com/dee-see/graphql-path-enum/-/jobs/artifacts/v1.1/raw/target/release/graphql-path-enum?job=build-linux" -O graphql-path-enum
chmod u+x graphql-path-enum

Check if it works with:

./graphql-path-enum -h

EyeWitness

EyeWitness captures screenshots of web applications, helping penetration testers quickly visualize and understand what’s running on a server. It uses a headless browser to load dynamic content.

Install EyeWitness by running:

sudo apt install eyewitness -y
eyewitness -h

GraphQL Cop

GraphQL Cop is a Python tool developed for auditing GraphQL APIs, focusing on vulnerabilities like information disclosure and DoS attacks.

To install GraphQL Cop, run:

sudo apt install python3-pip -y
git clone https://github.com/dolevf/graphql-cop.git
cd graphql-cop
pip3 install -r requirements.txt
python3 graphql-cop.py -h

CrackQL

CrackQL is a brute-forcing tool that uses GraphQL language features to optimize attacks against GraphQL APIs. We will use CrackQL for dictionary-based attacks in Chapter 7.

To install CrackQL, run:

git clone https://github.com/nicholasaleks/CrackQL.git
cd CrackQL
pip3 install -r requirements.txt
python3 CrackQL.py -h
✉️
PortSwigger’s Burp Suite Documentation