# []()

CrackQL is a GraphQL password [brute-force]( “brute-force” ) and fuzzing utility.

CrackQL is a versatile GraphQL [penetration testing]( “penetration testing” ) tool that exploits poor rate-limit and cost analysis controls to brute-force [credentials]( “credentials” ) and fuzz operations.

## How it works?

CrackQL works by automatically batching a single GraphQL query or mutation into several alias operations. It determines the number of aliases to use based on the CSV input variables. After programmatically generating the batched GraphQL document, CrackQL then batches and sends the payload(s) to the target GraphQL API and parses the results and errors.

## Attack Use Cases

CrackQL can be used for a wide range of GraphQL attacks since it programmatically generates payloads based on a list of dynamic inputs.

### Defense Evasion

Unlike [Burp Intruder]( “Burp Intruder” ) which sends a request for each unique payload, CrackQL evades traditional API HTTP rate-limit monitoring defenses by using multiple alias queries to stuff large sets of credentials into single HTTP requests. To bypass query cost analysis defenses, CrackQL can be optimized into using a series of smaller batched operations (`-b`) as well as a time delay (`-D`).

### Password Spraying Brute-forcing

CrackQL is perfect against GraphQL deployments that leverage in-band GraphQL authentication operations (such as the [GraphQL Authentication Module]( “GraphQL Authentication Module” )). The below password spraying example works against [DVGA]( “DVGA” ) with the `sample-inputs/users-and-passwords.csv` dictionary.

_sample-queries/login.graphql_

mutation {
login(username: {{username|str}}, password: {{password|str}}) {
accessToken
}
}

### Two-factor Authentication OTP Bypass

It is possible to use CrackQL to bypass two-factor authentication by sending all OTP (One Time Password) tokens

_sample-queries/otp-bypass.graphql_

mutation {
twoFactor(otp: {{otp|int}}) {
accessToken
}
}

### User Account Enumeration

CrackQL can also be used for [enumeration]( “enumeration” ) attacks to discover valid user ids, usernames and email addresses

_sample-queries/enumeration.graphql_

query {
signup(email: {{email|str}}, password: {{password|str}}) {
user {
email
}
}
}

### Insecure Direct Object Reference

CrackQL could be used to iterate over a large number of potential unique identifiers in order to leak object information

_sample-queries/idor.graphql_

query {
profile(uuid: {{uuid|int}}) {
name
email
picture
}
}

### General Fuzzing

CrackQL can be used for general input fuzzing operations, such as sending potential SQLi and XSS payloads.

## Inputs

CrackQL will generate payloads based on input variables defined by a CSV file. CrackQL requires the CSV header to match the input name.

_sample-inputs/usernames_and_passwords.csv_

username, password
admin, admin
admin, password
admin, pass
admin, pass123
admin, password123
operator, operator
operator, password
operator, pass
operator, pass123
operator, password123

#### Valid input types

* `str`
* `int`
* `float`

## Installation

### Requirements

* Python3
* Requests
* GraphQL
* Jinja

### Clone Repository

`git clone [email protected]:nicholasaleks/CrackQL.git`

### Get Dependencies

`pip install -r requirements.txt`

### Run CrackQL

`python3 CrackQL.py -h`

Configuration

Use `config.py` to set HTTP cookies and headers if the endpoint requires authentication.

## Maintainers

* [Nick Aleks]( “Nick Aleks” )
* [Dolev Farhi]( “Dolev Farhi” )

## Mentions

**[Download CrackQL]( “Download CrackQL” )**Read More