GraphQL Hacking Tools

Burp Suite

Burp Suite, developed by PortSwigger, is a powerful tool for web application security testing. It acts as a proxy between your browser and the target application, allowing you to intercept, modify, and replay HTTP requests. In this GraphQL security lab, we will use Burp Suite to manually inspect and modify GraphQL queries before they are sent to the target server.

Most recent versions of Kali come with Burp Suite pre-installed. To make sure it’s available, open a terminal and run the following command (it installs Burp Suite if it is missing and does nothing otherwise):

sudo apt install burpsuite -y

Next, launch Burp Suite by searching for it in the Kali Applications menu. When it first starts, accept the Terms and Conditions, then select Temporary Project and click Next. For the configuration file, choose Use Burp Defaults and click Start Burp.

To ensure Burp Suite can proxy HTTP traffic, click on Proxy > Intercept > Open Browser. In the opened browser, navigate to http://localhost:5013/graphiql. This will generate a GET request to DVGA, which Burp Suite should intercept.

Note: Burp Suite’s embedded browser automatically configures proxy settings, making it easy to intercept traffic without additional setup.

Burp Suite will highlight the Intercept tab (usually orange) when it intercepts a request. You’ll see the GET request from the browser, and you can modify it before it is sent to the server. Click Intercept is On to release the request and allow it to continue.

We’ve now verified Burp Suite is working! For a deeper dive into this tool, consult its official documentation at PortSwigger’s Burp Suite Documentation.


Clairvoyance

Clairvoyance is a Python-based reconnaissance tool for GraphQL APIs. It helps in discovering GraphQL schema information, especially when introspection queries are disabled by the server. This is particularly useful when dealing with production environments that restrict introspection.

Install Clairvoyance by running the following commands:

cd ~
git clone https://github.com/nikitastupin/clairvoyance.git
cd clairvoyance

To check that Clairvoyance is installed correctly, use the following command:

python3 -m clairvoyance -h

Clairvoyance works by exploiting field suggestions in GraphQL, enabling it to reconstruct schemas by querying the server with a dictionary of common words. This process will be explained in detail in Chapter 6.
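The field-suggestion leak Clairvoyance relies on is worth understanding from the defender's side. Servers built on the reference implementation answer a query for an unknown field with an error such as Cannot query field "usr" on type "Query". Did you mean "user"?, and every such hint is a valid schema name. The script below is an added example (it is not Clairvoyance's own code and is not from the original page): it parses a GraphQL error response, extracts the suggested names, and reports whether suggestions are enabled, so you can confirm that an endpoint with introspection disabled is not still leaking its schema through error messages. The sample responses are constructed, not captured from DVGA.

```python
"""Check whether a GraphQL error response leaks field-name suggestions.

Added example, not Clairvoyance's code. The message formats matched here
are the graphql-js style 'Did you mean ...?' hints; a server that has been
hardened typically returns the same error class without the hint.
"""
import json
import re
from typing import Dict, List

# 'Did you mean "user"?'  or  'Did you mean "a", "b", or "c"?'
_SUGGEST_RE = re.compile(r'Did you mean (?P<names>(?:"[^"]+"(?:, | or |, or )?)+)\?')
_NAME_RE = re.compile(r'"([^"]+)"')
_FIELD_RE = re.compile(r'Cannot query field "(?P<field>[^"]+)" on type "(?P<type>[^"]+)"')


def extract_suggestions(response_body: str) -> Dict[str, List[str]]:
    """Return {"Type.queriedField": [suggested names]} for every error in the body."""
    leaked: Dict[str, List[str]] = {}
    try:
        doc = json.loads(response_body)
    except json.JSONDecodeError:
        return leaked
    if not isinstance(doc, dict):
        return leaked
    for err in doc.get("errors") or []:
        msg = err.get("message", "") if isinstance(err, dict) else ""
        field = _FIELD_RE.search(msg)
        sugg = _SUGGEST_RE.search(msg)
        if not (field and sugg):
            continue
        key = f'{field.group("type")}.{field.group("field")}'
        leaked[key] = _NAME_RE.findall(sugg.group("names"))
    return leaked


def suggestions_enabled(response_body: str) -> bool:
    """True if the server's error messages reveal valid schema names."""
    return bool(extract_suggestions(response_body))


# Constructed sample: what a leaky server returns for two misspelled fields.
SAMPLE_LEAKY = json.dumps({
    "errors": [
        {"message": 'Cannot query field "usr" on type "Query". Did you mean "user" or "users"?',
         "locations": [{"line": 1, "column": 3}]},
        {"message": 'Cannot query field "pasword" on type "User". Did you mean "password"?',
         "locations": [{"line": 1, "column": 9}]},
    ],
})

# Constructed sample: the same error class from a server with suggestions disabled.
SAMPLE_HARDENED = json.dumps({
    "errors": [{"message": 'Cannot query field "usr" on type "Query".'}],
})

if __name__ == "__main__":
    print(extract_suggestions(SAMPLE_LEAKY))
    print("leaky:", suggestions_enabled(SAMPLE_LEAKY),
          "hardened:", suggestions_enabled(SAMPLE_HARDENED))
```

To use it against a real endpoint, feed the raw body of the response to a deliberately misspelled field into extract_suggestions; an empty result for a known-bad field name means the hint is switched off.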


InQL

InQL is another powerful tool developed by Doyensec for introspection-based GraphQL security testing. It allows for querying GraphQL schemas and exporting schema data in various formats, which is crucial for understanding how the GraphQL API operates.

To install InQL, run the following:

cd ~
git clone https://github.com/doyensec/inql.git
cd inql
sudo python3 setup.py install

After installation, verify the tool works by running:

inql -h

InQL can also be used as a Burp Suite extension called Introspection GraphQL Scanner, available on the BApp Store. We will use the command-line version for our exercises.


Graphw00f

Graphw00f is a tool for fingerprinting GraphQL server implementations. It analyzes responses from GraphQL APIs to identify the backend technologies, which is useful when tailoring penetration tests for specific platforms.

To install Graphw00f, run the following commands:

cd ~
git clone https://github.com/dolevf/graphw00f.git
cd graphw00f

Check if it’s working by running:

python3 main.py --help

BatchQL

BatchQL is a Python script that focuses on identifying flaws in GraphQL servers related to batching (sending multiple queries in one HTTP request), including issues like DoS, CSRF, and information disclosure vulnerabilities.
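Batching shows up in two shapes: a JSON array of operations in one POST body, and a single operation whose root selection set repeats the same field under many aliases. Both let one HTTP request carry many operations, which is what makes the DoS and brute-force cases BatchQL looks for possible. The following is an added example (not BatchQL's code and not from the original page) of the server-side check that mitigates this: it counts the operations in a request body, including aliased root fields, and rejects bodies above a limit. The request bodies are constructed samples.

```python
"""Count operations in a GraphQL HTTP request body and enforce a batch limit.

Added example, not BatchQL's code. count_top_level_fields does a light scan of
the query text (no GraphQL library needed): it tracks brace and parenthesis
depth, skips string literals and comments, and counts each name that starts a
selection directly under the root selection set. An alias ("a1: login") is one
selection, so aliased batches are counted the same way as array batches.
"""
import json
import re
from typing import Tuple

_NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")


def count_top_level_fields(query: str) -> int:
    """Number of selections directly under the operation's root selection set."""
    i, n = 0, len(query)
    brace = paren = count = 0
    prev = ""  # last significant (non-whitespace, non-comma) character
    while i < n:
        c = query[i]
        if c == '"':  # skip a string literal, honouring backslash escapes
            j = i + 1
            while j < n and query[j] != '"':
                j += 2 if query[j] == "\\" else 1
            i, prev = j + 1, '"'
            continue
        if c == "#":  # skip a comment to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if c in "{}()":
            if c == "{":
                brace += 1
            elif c == "}":
                brace -= 1
            elif c == "(":
                paren += 1
            else:
                paren -= 1
            prev, i = c, i + 1
            continue
        m = _NAME.match(query, i)
        if m:
            # A name at root depth, outside arguments, that is not the target of an
            # alias (":"), a fragment spread ("...") or a directive ("@") is a field.
            if brace == 1 and paren == 0 and prev not in (":", ".", "@"):
                count += 1
            prev, i = m.group(0)[-1], m.end()
            continue
        if not c.isspace() and c != ",":
            prev = c
        i += 1
    return count


def batch_size(body: str) -> int:
    """Total operations in one request: array entries x root fields per entry."""
    doc = json.loads(body)
    items = doc if isinstance(doc, list) else [doc]
    return sum(count_top_level_fields(item.get("query", "")) for item in items)


def check_batch(body: str, max_ops: int = 10) -> Tuple[bool, int]:
    """(allowed, operation_count); reject the request when allowed is False."""
    n = batch_size(body)
    return (n <= max_ops, n)


# Constructed samples (not captured traffic).
SINGLE = json.dumps({"query": "query { user(id: 1) { id name } }"})
ARRAY_BATCH = json.dumps([{"query": "{ user(id: %d) { name } }" % i} for i in range(3)])
ALIAS_BATCH = json.dumps({"query": "mutation { " + " ".join(
    'a%d: login(username: "admin", password: "guess%d") { token }' % (i, i)
    for i in range(12)) + " }"})

if __name__ == "__main__":
    for label, body in (("single", SINGLE), ("array", ARRAY_BATCH), ("alias", ALIAS_BATCH)):
        print(label, check_batch(body))
```

A limit of this kind belongs in front of the resolver layer (a middleware or the server's validation rules) so that an over-sized batch is refused before any database or authentication work is done; the limit value itself should be tuned to what legitimate clients actually send.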

To install BatchQL, run:

cd ~
git clone https://github.com/assetnote/batchql.git

To verify that BatchQL works, use the following command:

cd batchql
python3 batch.py -h

Nmap

Nmap is a versatile tool used for network discovery and vulnerability scanning. Kali Linux comes pre-installed with Nmap, but to ensure it’s available, run:

sudo apt install nmap -y

Next, download the Nmap GraphQL introspection script and place it in the Nmap scripts folder:

cd ~
git clone https://github.com/dolevf/nmap-graphql-introspection-nse.git
cd nmap-graphql-introspection-nse
sudo cp graphql-introspection.nse /usr/share/nmap/scripts

Verify it works with:

nmap --script-help graphql-introspection.nse

Commix

Commix is an open-source tool designed for command injection exploitation. It automates finding and exploiting command injection vulnerabilities in web applications, including GraphQL APIs.

To install Commix, run:

sudo apt install commix -y
commix -h

graphql-path-enum

This Rust-based tool helps find paths to specific data within a GraphQL schema, which is useful for identifying authorization flaws in GraphQL queries.

Install graphql-path-enum by running the following:

cd ~
wget "https://gitlab.com/dee-see/graphql-path-enum/-/jobs/artifacts/v1.1/raw/target/release/graphql-path-enum?job=build-linux" -O graphql-path-enum
chmod u+x graphql-path-enum

Check if it works with:

./graphql-path-enum -h

EyeWitness

EyeWitness captures screenshots of web applications, helping penetration testers quickly visualize and understand what’s running on a server. It uses a headless browser to load dynamic content.

Install EyeWitness by running:

sudo apt install eyewitness -y
eyewitness -h

GraphQL Cop

GraphQL Cop is a Python tool developed for auditing GraphQL APIs, focusing on vulnerabilities like information disclosure and DoS attacks.

To install GraphQL Cop, run:

sudo apt install python3-pip -y
git clone https://github.com/dolevf/graphql-cop.git
cd graphql-cop
pip3 install -r requirements.txt
python3 graphql-cop.py -h

CrackQL

CrackQL is a brute-forcing tool that uses GraphQL language features to optimize attacks against GraphQL APIs. We will use CrackQL for dictionary-based attacks in Chapter 7.

To install CrackQL, run:

git clone https://github.com/nicholasaleks/CrackQL.git
cd CrackQL
pip3 install -r requirements.txt
python3 CrackQL.py -h
