GraphQL Cop v1.12 releases: Security Audit Utility for GraphQL
GraphQL Cop – Security Audit Utility for GraphQL
GraphQL Cop is a small Python utility that runs common security tests against GraphQL APIs. It is lightweight, covers the security issues most often found in GraphQL deployments, and is well suited to running as a CI/CD check.
GraphQL Cop lets you reproduce its findings by printing a cURL command for every identified vulnerability.
Detections
- Alias Overloading (DoS)
- Batch Queries (DoS)
- GET based Queries (CSRF)
- GraphQL Tracing / Debug Modes (Info Leak)
- Field Duplication (DoS)
- Field Suggestions (Info Leak)
- GraphiQL (Info Leak)
- Introspection (Info Leak)
- Directives Overloading (DoS)
- Circular Query using Introspection (DoS)
Changelog v1.12
Added
- Add a -f option to force a scan when the endpoint cannot be identified
Fixed
- JSON output format was incorrect, fixed by @mjfwebb
Install
Requirement
- Python3
- Requests Library
Download
git clone https://github.com/dolevf/graphql-cop.git
Use
$ python graphql-cop.py -h
Usage: graphql-cop.py -t http://example.com -o json
Options:
-h, --help show this help message and exit
-t URL, --target=URL target url with the path
-H HEADER, --header=HEADER
Append Header to the request '{"Authorization":
"Bearer eyjt"}'
-o OUTPUT_JSON, --output=OUTPUT_JSON
Output results to stdout (JSON)
-x, --proxy Sends the request through http://127.0.0.1:8080 proxy
-v, --version Print out the current version and exit
Example
Test a website and dump the results as parseable JSON, including a cURL reproduction command for each finding:
Test a website using graphql-cop through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):
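Because the tool writes its JSON results to stdout, the natural CI/CD use is to capture that output and fail the pipeline when a check fires. The following gate script is an added example, not code from the graphql-cop project: it parses the JSON array, filters on a minimum severity, and prints each finding with its cURL reproduction command. The key names (result, title, severity, impact, curl_verify) and the severity labels are assumptions about the tool's output format, and the embedded sample results are constructed for illustration.

```python
"""CI gate for GraphQL Cop JSON output (added example, not part of graphql-cop).

Typical pipeline use (assumed invocation, built from the documented options):
    python graphql-cop.py -t http://example.com -o json > cop.json
    python cop_gate.py cop.json HIGH     # non-zero exit on HIGH findings
"""
import json
import sys

# Constructed sample of what `graphql-cop.py -o json` is assumed to emit:
# one object per check. Key names and severity labels are assumptions.
SAMPLE_RESULTS_JSON = """[
  {"result": true,  "title": "Introspection", "severity": "LOW",
   "impact": "Information Leakage",
   "curl_verify": "curl -X POST http://example.com/graphql -d '<introspection query>'"},
  {"result": false, "title": "GraphiQL", "severity": "LOW",
   "impact": "Information Leakage", "curl_verify": ""},
  {"result": true,  "title": "Alias Overloading", "severity": "HIGH",
   "impact": "Denial of Service",
   "curl_verify": "curl -X POST http://example.com/graphql -d '<aliased query>'"}
]"""

# Assumed severity scale; unknown labels are treated as LOW.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def _rank(check):
    """Numeric severity of a check result (unknown labels count as LOW)."""
    return SEVERITY_RANK.get(str(check.get("severity", "LOW")).upper(), 1)


def load_results(text):
    """Parse the JSON array produced by graphql-cop -o json."""
    data = json.loads(text)
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of check results")
    return data


def failing_findings(results, min_severity="LOW"):
    """Return the checks that fired (result == true) at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    return [c for c in results if c.get("result") and _rank(c) >= threshold]


def gate(text, min_severity="LOW"):
    """Evaluate one JSON report; return (exit_code, report_lines).

    exit_code is 1 when any finding meets the threshold, else 0, so the
    pipeline step can fail directly on the return value.
    """
    findings = failing_findings(load_results(text), min_severity)
    lines = []
    for f in sorted(findings, key=_rank, reverse=True):
        lines.append(f"[{f.get('severity', 'LOW')}] {f.get('title', '?')}: "
                     f"{f.get('impact', '')}")
        if f.get("curl_verify"):
            # The reproduction command lets a reviewer confirm the finding.
            lines.append(f"    reproduce: {f['curl_verify']}")
    label = min_severity.upper()
    if not findings:
        lines.append(f"graphql-cop: no findings at severity >= {label}")
        return 0, lines
    lines.append(f"graphql-cop: {len(findings)} finding(s) at severity >= {label}")
    return 1, lines


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    min_sev = sys.argv[2] if len(sys.argv) > 2 else "LOW"
    with open(path) if path else None:
        pass
    text = open(path).read() if path else SAMPLE_RESULTS_JSON
    code, report = gate(text, min_sev)
    print("\n".join(report))
    sys.exit(code)
```

Without a file argument the script evaluates the constructed sample and exits 1, since two of the three sample checks fired; passing HIGH as the second argument reports only the alias-overloading finding. Field suggestions and introspection are typically LOW-severity information leaks, so a team that tolerates them in staging can gate on MEDIUM or HIGH there and on LOW in production.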
Copyright (c) 2022 Dolev Farhi
Source: https://github.com/dolevf/