GraphQL Cop – Security Auditor Utility For GraphQL APIs
Description


GraphQL Cop is a small Python utility to run common security tests against GraphQL APIs.

# Requirements

* Python3
* Requests Library

# Detections

* Alias Overloading (DoS)
* Batch Queries (DoS)
* GET based Queries (CSRF)
* GraphQL Tracing / Debug Modes (Info Leak)
* Field Duplication (DoS)
* Field Suggestions (Info Leak)
* GraphiQL (Info Leak)
* Introspection (Info Leak)
* Directives Overloading (DoS)
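The three DoS detections above (alias overloading, field duplication, directive overloading) all come down to counting constructs in the query document before it is executed. The following is an added example, not code from GraphQL Cop, showing the server-side counterpart: a dependency-free token walk that counts aliases, directives and the worst repetition of a response key inside one selection set, and reports which GraphQL Cop finding a query would trip. The tokenizer, the function names and the directive threshold are assumptions; the alias (100) and repetition (1000) thresholds mirror the limits named in the tool's findings.

```python
import re
from collections import Counter

# Minimal GraphQL tokenizer (assumption for this example): strings, names,
# then any single non-space character as punctuation. Block strings are not handled.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|\S')
NAME = re.compile(r"[A-Za-z_]")


def query_limits(query: str) -> dict:
    """Count aliases, directives and the worst same-key repetition within a
    single selection set by walking tokens, without executing the query."""
    tokens = TOKEN.findall(query)
    aliases = directives = max_repeats = 0
    paren = 0            # >0 while inside an argument or variable list
    stack = [Counter()]  # one response-key counter per open selection set
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else ""
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif tok == "{":
            stack.append(Counter())
        elif tok == "}":
            if len(stack) > 1:   # tolerate a malformed, unbalanced document
                max_repeats = max(max_repeats, max(stack.pop().values(), default=0))
        elif tok == "@":
            directives += 1
        elif paren or len(stack) == 1 or not NAME.match(tok):
            continue         # arguments, operation header, punctuation, literals
        elif prev in ("@", ".", "on", ":"):
            continue         # directive name, fragment spread, type condition, aliased field
        else:
            if nxt == ":":   # "alias: field" - the alias becomes the response key
                aliases += 1
            stack[-1][tok] += 1
    return {"aliases": aliases, "directives": directives, "max_repeats": max_repeats}


def violations(query: str, max_aliases=100, max_repeats=1000, max_directives=10) -> list:
    """Return the GraphQL Cop-style DoS findings this query would trip.
    max_directives is an assumed value; the other two mirror the tool's findings."""
    m = query_limits(query)
    found = []
    if m["aliases"] >= max_aliases:
        found.append("Alias Overloading")
    if m["max_repeats"] >= max_repeats:
        found.append("Field Duplication")
    if m["directives"] >= max_directives:
        found.append("Directive Overloading")
    return found
```

Wiring `violations()` in front of the executor (rejecting any query with a non-empty result) is what turns these findings from HIGH to "not applicable" on a re-scan.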

# Usage


```bash
python3 main.py -t https://mywebsite.com/graphql
```

```
GraphQL Cop 1.0
Security Auditor for GraphQL
Dolev Farhi

Starting...
[HIGH] Introspection Query Enabled (Information Leakage)
[LOW] GraphQL Playground UI (Information Leakage)
[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)
[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)
```

With `-o json`:

```bash
python3 main.py -t https://mywebsite.com/graphql -o json
```

```
{'Field Suggestions': {'severity': 'LOW', 'impact': 'Information Leakage', 'description': 'Field Suggestions are Enabled'},
 'Introspection': {'severity': 'HIGH', 'impact': 'Information Leakage', 'description': 'Introspection Query Enabled'},
 'Possible CSRF (GET)': {'severity': 'LOW', 'impact': 'Possible CSRF', 'description': 'HTTP GET method supported (maybe CSRF)'},
 'Alias Overloading': {'severity': 'HIGH', 'impact': 'Denial of Service', 'description': 'Alias Overloading with 100+ aliases is allowed'},
 'Field Duplication': {'severity': 'HIGH', 'impact': 'Denial of Service', 'description': 'Queries are allowed with 1000+ of the same repeated field'},
 'Directive Overloading': {'severity': 'HIGH', 'impact': 'Denial of Service', 'description': 'Multiple duplicated directives allowed in a query'}}
```

**Download Graphql-Cop**
