Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home News

GraphQL Automated Security Testing Toolkit

admin by admin
September 10, 2022
in News




Graph Crawler is the most powerful automated testing toolkit for any GraphQL endpoint.

NEW: Can search for endpoints for you using Escape Technology’s powerful Graphinder tool. Just point it towards a domain and add the ‘-e’ option and Graphinder will do subdomain enumeration + search popular directories for GraphQL endpoints. After all this GraphCrawler will take over and work through each find.

It will run through and check if mutation is enabled, check for any sensitive queries available, such as users and files, and it will also test any easy queries it find to see if authentication is required.

If introspection is not enabled on the endpoint it will check if it is an Apollo Server and then can run Clairvoyance to brute force and grab the suggestions to try to build the schema ourselves. (See the Clairvoyance project for greater details on this).
It will then score the findings 1-10 with 10 being the most critical.

If you want to dig deeper into the schema you can also use graphql-path-enum to look for paths to certain types, like user IDs, emails, etc.

I hope this saves you as much time as it has for me

Usage

python graphCrawler.py -u https://test.com/graphql/api -o  -a ""

██████╗ ██████╗ █████╗ ██████╗ ██╗ ██╗ ██████╗██████╗ █████╗ ██╗ ██╗██╗ ███████╗██████╗
██╔════╝ ██╔══██╗██╔══██╗██╔══██╗██║ ██║██╔════╝██╔══██╗██╔══██╗██║ ██║██║ ██╔════╝██╔══██╗
██║ ███╗██████╔╝███████║██████╔╝███████║██║ ██████╔╝███████║██║ █╗ ██║██║ █████╗ ██████╔╝
██║ ██║██╔══██╗██╔══██║██╔═══╝ ██╔══██║██║ ██╔══██╗██╔══██║██║███╗██║██║ ██╔══╝ ██╔══██╗
╚██████╔╝██║ ██║██║ ██║██║ ██║ ██║╚██████╗██║ ██║██║ ██║╚███╔███╔╝███████╗███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚══╝╚══╝ ╚══════╝╚══════╝╚═╝ ╚═╝

The output option is not required and by default it will output to schema.json

Example output:

Requirements

  • Python3
  • Docker
  • Install all Python dependencies with pip

Wordlist from google-10000-english

TODO

  • Add option for “full report” following the endpoint search where it will run clairvoyance and all other aspects of the toolkit on the endpoints found
  • Default to “simple scan” to just find endpoints when this feature is added
  • Way Future: help craft queries based of the shema provided





Source link

Tags: cybersecurityethical hackinghack androidhack apphack wordpresshacker newshackinghacking tools for windowskeyloggerkitkitploitpassword brute forcepenetration testingpentestpentest androidpentest linuxpentest toolkitpentest toolsspy tool kitspywaretools
Previous Post

Why is Monitoring Your Application Important?

Next Post

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

Next Post

Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents

Recommended

2022年版NordVPNプロモーションクーポン:今すぐ63%割引+3か月無料

3 months ago

Shellcode Loader, Developed Using Different Open-Source Libraries, That Demonstrates Different Execution Techniques

1 month ago

© 2022 Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.