GraphQL Cop v1.12 releases: Security Audit Utility for GraphQL

GraphQL Cop – Security Audit Utility for GraphQL

GraphQL Cop is a small Python utility that runs common security tests against GraphQL APIs. It is lightweight, covers the GraphQL-specific issues listed below, and is well suited to running as a CI/CD check against a GraphQL endpoint.

For every identified vulnerability, GraphQL Cop prints a cURL command so the finding can be reproduced by hand.

Detections

  • Alias Overloading (DoS)
  • Batch Queries (DoS)
  • GET based Queries (CSRF)
  • GraphQL Tracing / Debug Modes (Info Leak)
  • Field Duplication (DoS)
  • Field Suggestions (Info Leak)
  • GraphiQL (Info Leak)
  • Introspection (Info Leak)
  • Directives Overloading (DoS)
  • Circular Query using Introspection (DoS)
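As an added illustration of what three of the info-leak detections above look for (example code written for this page, not part of GraphQL Cop), the following classifies constructed sample GraphQL responses; the sample bodies, function names and the finding layout are assumptions:

```python
import json

# Constructed sample GraphQL responses (hypothetical, not captured from any real API).
SAMPLE_RESPONSES = {
    "introspection": '{"data":{"__schema":{"queryType":{"name":"Query"},"types":[]}}}',
    "suggestions": '{"errors":[{"message":"Cannot query field \\"usr\\" on type '
                   '\\"Query\\". Did you mean \\"user\\"?"}]}',
    "tracing": '{"data":{"__typename":"Query"},"extensions":{"tracing":{"version":1}}}',
    "hardened": '{"errors":[{"message":"Cannot query field \\"usr\\" on type \\"Query\\"."}]}',
}

def _load(body):
    """Parse a response body; anything that is not a JSON object counts as empty."""
    try:
        doc = json.loads(body)
    except ValueError:
        return {}
    return doc if isinstance(doc, dict) else {}

def introspection_enabled(body):
    """Introspection (Info Leak): a __schema object under `data` means the schema is exposed."""
    data = _load(body).get("data")
    return isinstance(data, dict) and "__schema" in data

def field_suggestions_enabled(body):
    """Field Suggestions (Info Leak): 'Did you mean' hints reveal valid field names."""
    errors = _load(body).get("errors") or []
    return any("did you mean" in str(e.get("message", "")).lower()
               for e in errors if isinstance(e, dict))

def tracing_enabled(body):
    """Tracing / Debug Modes (Info Leak): tracing data in `extensions` exposes resolver internals."""
    ext = _load(body).get("extensions")
    return isinstance(ext, dict) and "tracing" in ext

CHECKS = [
    ("Introspection", introspection_enabled),
    ("Field Suggestions", field_suggestions_enabled),
    ("GraphQL Tracing / Debug Modes", tracing_enabled),
]

def audit(body):
    """Run every check against one response body and return findings as JSON-ready dicts."""
    return [{"title": title, "impact": "Info Leak", "result": check(body)}
            for title, check in CHECKS]

if __name__ == "__main__":
    for name, body in SAMPLE_RESPONSES.items():
        print(name, json.dumps(audit(body)))
```

The "hardened" sample shows the response shape a server gives once introspection, suggestions and tracing are disabled: every check returns false.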

Changelog v1.12

Added

  • Add a -f option to force a scan when the endpoint cannot be identified

Fixed

  • JSON output format was incorrect, fixed by @mjfwebb

Install

Requirement

  • Python3
  • Requests Library

Download

git clone https://github.com/dolevf/graphql-cop.git

Use

$ python graphql-cop.py -h

Usage: graphql-cop.py -t http://example.com -o json

Options:
  -h, --help            show this help message and exit
  -t URL, --target=URL  target url with the path
  -H HEADER, --header=HEADER
                        Append Header to the request '{"Authorization": "Bearer eyjt"}'
  -o OUTPUT_JSON, --output=OUTPUT_JSON
                        Output results to stdout (JSON)
  -x, --proxy           Sends the request through http://127.0.0.1:8080 proxy
  -v, --version         Print out the current version and exit

Example

Test a website, dump the results to parse-able JSON output, and print a cURL reproduction command:

Test a website using graphql-cop through a proxy (e.g. Burp Suite) with custom headers (e.g. Authorization):


Copyright (c) 2022 Dolev Farhi

Source: https://github.com/dolevf/