{"id":13739357,"url":"https://github.com/dolevf/graphql-cop","last_synced_at":"2025-05-15T18:03:32.013Z","repository":{"id":43022099,"uuid":"456079375","full_name":"dolevf/graphql-cop","owner":"dolevf","description":"Security Auditor Utility for GraphQL APIs","archived":false,"fork":false,"pushed_at":"2025-02-18T01:15:48.000Z","size":194,"stargazers_count":440,"open_issues_count":1,"forks_count":65,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-03-31T23:33:40.363Z","etag":null,"topics":["auditing","blue-team","graphql","hacking","hardening","penetration-testing","red-team","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dolevf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-02-06T07:00:42.000Z","updated_at":"2025-03-31T15:31:28.000Z","dependencies_parsed_at":"2024-01-03T06:15:44.077Z","dependency_job_id":"b910ccb7-110a-48fd-84d7-84ef73fabc47","html_url":"https://github.com/dolevf/graphql-cop","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolevf%2Fgraphql-cop","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolevf%2Fgraphql-cop/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolevf%2Fgraphql-cop/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dolevf%2Fgraphql-cop/manifests","owner_url":"https://repos.ecosyste.ms/api/
v1/hosts/GitHub/owners/dolevf","download_url":"https://codeload.github.com/dolevf/graphql-cop/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247755557,"owners_count":20990620,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auditing","blue-team","graphql","hacking","hardening","penetration-testing","red-team","security"],"created_at":"2024-08-03T04:00:33.093Z","updated_at":"2025-04-08T00:34:57.750Z","avatar_url":"https://github.com/dolevf.png","language":"Python","funding_links":[],"categories":["Tools","Python","Defensive Security"],"sub_categories":["Tools - Security","Continous Security Testing"],"readme":"# GraphQL Cop - Security Audit Utility for GraphQL\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://github.com/dolevf/graphql-cop/blob/main/static/images/logo.png?raw=true\" width=\"500px\" alt=\"GraphQL Cop\"/\u003e\n\u003c/p\u003e\n\n## About\n\nGraphQL Cop is a small Python utility to run common security tests against GraphQL APIs. GraphQL Cop is perfect for running CI/CD checks in GraphQL. 
It is lightweight and covers the common security issues found in GraphQL deployments.\n\nFor every identified vulnerability, GraphQL Cop provides a cURL command so the finding can be reproduced by hand.\n\n## Requirements\n\n- Python 3\n- Requests library\n\n## Detections\n\n- Alias Overloading (DoS)\n- Batch Queries (DoS)\n- GET-based Queries (CSRF)\n- POST-based Queries using urlencoded payloads (CSRF)\n- GraphQL Tracing / Debug Modes (Info Leak)\n- Field Duplication (DoS)\n- Field Suggestions (Info Leak)\n- GraphiQL (Info Leak)\n- Introspection (Info Leak)\n- Directive Overloading (DoS)\n- Circular Query using Introspection (DoS)\n- Mutation support over GET methods (CSRF)\n\n## Installation\n\nRun the following commands to install the dependencies:\n```\npython3 -m venv path/to/venv\nsource path/to/venv/bin/activate\npython3 -m pip install -r requirements.txt\n```\nThe first command creates a virtual environment in the directory specified by `path/to/venv`.\nThe second command activates the virtual environment. 
\nThe final command installs the Python packages listed in `requirements.txt`.\n\n## Usage\n\n```\n$ python graphql-cop.py -h\n\nUsage: graphql-cop.py -t http://example.com -o json\n\nOptions:\n  -h, --help            show this help message and exit\n  -t URL, --target=URL  target url with the path - if a GraphQL path is not\n                        provided, GraphQL Cop will iterate through a series of\n                        common GraphQL paths\n  -H HEADER, --header=HEADER\n                        Append Header(s) to the request '{\"Authorization\":\n                        \"Bearer eyjt\"}' - Use multiple -H for additional\n                        Headers\n  -o FORMAT, --output=FORMAT\n                        json\n  -f, --force           Forces a scan when GraphQL cannot be detected\n  -d, --debug           Append a header with the test name for debugging\n  -x PROXY, --proxy=PROXY\n                        HTTP(S) proxy URL in the form\n                        http://user:pass@host:port\n  -w, --wordlist        Path to a list of custom GraphQL endpoints.\n  -v, --version         Print out the current version and exit.\n  -T, --tor             Enable Tor proxy\n```\n\nTest a website:\n\n```\n$ python3 graphql-cop.py -t https://mywebsite.com/graphql\n\n                GraphQL Cop 1.1\n           Security Auditor for GraphQL\n            Dolev Farhi \u0026 Nick Aleks\n\nStarting...\n[HIGH] Introspection Query Enabled (Information Leakage)\n[LOW] GraphQL Playground UI (Information Leakage)\n[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)\n[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)\n```\n\nTest a website and dump the results as parseable JSON, each finding with a cURL reproduction command:\n\n```\npython3 graphql-cop.py -t https://mywebsite.com/graphql -o json\n\n {'curl_verify': 'curl -X POST -H \"User-Agent: graphql-cop/1.2\" -H '\n                 '\"Accept-Encoding: gzip, deflate\" -H \"Accept: */*\" -H '\n           
      '\"Connection: keep-alive\" -H \"Content-Length: 33\" -H '\n                 '\"Content-Type: application/json\" -d \\'{\"query\": \"query { '\n                 '__typename }\"}\\' \\'http://localhost:5013/graphql\\'',\n  'description': 'Tracing is Enabled',\n  'impact': 'Information Leakage',\n  'result': False,\n  'severity': 'INFO',\n  'color': 'green',\n  'title': 'Trace Mode'},\n {'curl_verify': 'curl -X POST -H \"User-Agent: graphql-cop/1.2\" -H '\n                 '\"Accept-Encoding: gzip, deflate\" -H \"Accept: */*\" -H '\n                 '\"Connection: keep-alive\" -H \"Content-Length: 64\" -H '\n                 '\"Content-Type: application/json\" -d \\'{\"query\": \"query { '\n                 '__typename @aa@aa@aa@aa@aa@aa@aa@aa@aa@aa }\"}\\' '\n                 \"'http://localhost:5013/graphql'\",\n  'description': 'Multiple duplicated directives allowed in a query',\n  'impact': 'Denial of Service',\n  'result': True,\n  'severity': 'HIGH',\n  'color': 'red',\n  'title': 'Directive Overloading'}]\n```\n\nTest a website using `graphql-cop` through a proxy (e.g. Burp Suite listening on 127.0.0.1:8080) with custom headers (e.g. Authorization):\n\n```\n$ python3 graphql-cop.py -t https://mywebsite.com/graphql --proxy=http://127.0.0.1:8080 --header '{\"Authorization\": \"Bearer token_here\"}'\n\n                GraphQL Cop 1.2\n           Security Auditor for GraphQL\n            Dolev Farhi \u0026 Nick Aleks\n\nStarting...\n[HIGH] Introspection Query Enabled (Information Leakage)\n[LOW] GraphQL Playground UI (Information Leakage)\n[HIGH] Alias Overloading with 100+ aliases is allowed (Denial of Service)\n[HIGH] Queries are allowed with 1000+ of the same repeated field (Denial of Service)\n```\n\n## Docker Setup and Usage\n\n### Prerequisites\n- [Docker](https://www.docker.com/get-started) installed on your machine.\n\n### Building the Docker Image\n\n1. 
Clone the repository:\n```\ngit clone https://github.com/dolevf/graphql-cop.git\ncd graphql-cop\n```\n\n2. Build the Docker image:\n```\ndocker build -t graphql-cop:latest .\n```\n\n### Running the Docker Container\nYou can run the Docker container and pass arguments to the graphql-cop script as follows:\n\n```\ndocker run --rm -it graphql-cop:latest -t \u003cGRAPHQL_ENDPOINT\u003e -H '{\"\u003cHEADER_KEY\u003e\": \"\u003cHEADER_VALUE\u003e\"}'\n```\n\n### Example\nHere’s an example of running the container:\n```\ndocker run --rm -it graphql-cop:latest -t https://example.com/graphql -H '{\"Authorization\": \"Bearer abc123xyz\"}'\n```\n### Note\nFor a list of all available options, run:\n```\ndocker run --rm -it graphql-cop:latest --help\n```\n\n### Troubleshooting\n1. File Not Found Error: If the container cannot find the script to execute, ensure the repository structure is intact and the Dockerfile is correctly set up.\n2. Dependencies Issue: If there are missing dependencies, verify that the requirements.txt file is complete.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdolevf%2Fgraphql-cop","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdolevf%2Fgraphql-cop","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdolevf%2Fgraphql-cop/lists"}
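The DoS-class checks listed under Detections (alias overloading, field duplication, directive overloading, batch queries) and the per-finding records shown under Usage, as an added Python example that is not part of graphql-cop or of this page: it builds the probe queries those checks rely on, evaluates them against two constructed stand-in endpoints (one permissive, one enforcing assumed per-query limits), and returns findings in the same key shape (`title`, `impact`, `severity`, `result`, `description`) so a CI step can fail the build on confirmed HIGH results. The limit values, the endpoint stand-ins and the regex-based counting are assumptions; a production limiter should work on the parsed AST (a graphql-core validation rule, for instance), and the real tool sends these probes over HTTP to the target rather than to an in-process function.

```python
"""Added example, not graphql-cop's implementation: build the DoS probes,
run them against stand-in endpoints, and gate a pipeline on the findings.
Standard library only; limits and endpoints below are assumed values."""
import json
import re

# Thresholds a hardened endpoint enforces before executing a query (assumed; tune per API).
LIMITS = {"aliases": 10, "duplicate_fields": 20, "directives": 3, "batch": 5}

KEYWORDS = {"query", "mutation", "subscription", "fragment", "on", "true", "false", "null"}
ARGS_RE = re.compile(r"\([^)]*\)")                    # strip argument lists: `name: value` there is not an alias
ALIAS_RE = re.compile(r"\b\w+\s*:\s*(?=[A-Za-z_])")   # `alias: field`
DIRECTIVE_RE = re.compile(r"@\w+")                    # `@include`, `@aa`, ...
# identifiers that are neither directive names, variables, fragment spreads nor aliases
FIELD_RE = re.compile(r"(?<![@$.\w])([A-Za-z_]\w*)(?!\w|\s*:)")


def query_stats(query):
    """Count the structures the DoS checks abuse in one GraphQL document (heuristic, regex-based)."""
    q = ARGS_RE.sub("", query)
    fields = [f for f in FIELD_RE.findall(q) if f not in KEYWORDS]
    max_dup = max((fields.count(f) for f in set(fields)), default=0)
    return {
        "aliases": len(ALIAS_RE.findall(q)),
        "max_dup_field": max_dup,
        "directives": len(DIRECTIVE_RE.findall(q)),
    }


# --- probe builders: the query shapes the DoS checks send ---
def alias_overload_query(n=100):
    """query { a0: __typename a1: __typename ... }: one field resolved n times in one request."""
    return "query { " + " ".join(f"a{i}: __typename" for i in range(n)) + " }"


def field_duplication_query(n=1000):
    """Same field repeated n times inside one selection set."""
    return "query { " + " ".join(["__typename"] * n) + " }"


def directive_overload_query(n=10):
    """One field carrying n copies of an unknown directive, as in graphql-cop's cURL output."""
    return "query { __typename " + "@aa" * n + " }"


def batch_body(n=10):
    """JSON array of operations: one HTTP request, n executions."""
    return [{"query": "query { __typename }"} for _ in range(n)]


# --- constructed stand-ins for the target endpoint ---
def permissive_endpoint(body):
    """Unhardened server: executes whatever parses."""
    return True, "accepted"


def hardened_endpoint(body):
    """Server that rejects requests exceeding LIMITS before any resolver runs."""
    ops = body if isinstance(body, list) else [body]
    if len(ops) > LIMITS["batch"]:
        return False, f"batch of {len(ops)} operations exceeds {LIMITS['batch']}"
    for op in ops:
        s = query_stats(op["query"])
        if s["aliases"] > LIMITS["aliases"]:
            return False, f"{s['aliases']} aliases exceeds {LIMITS['aliases']}"
        if s["max_dup_field"] > LIMITS["duplicate_fields"]:
            return False, f"field repeated {s['max_dup_field']} times exceeds {LIMITS['duplicate_fields']}"
        if s["directives"] > LIMITS["directives"]:
            return False, f"{s['directives']} directives exceeds {LIMITS['directives']}"
    return True, "accepted"


CHECKS = [  # (title, impact, severity, request body)
    ("Alias Overloading", "Denial of Service", "HIGH", {"query": alias_overload_query()}),
    ("Field Duplication", "Denial of Service", "HIGH", {"query": field_duplication_query()}),
    ("Directive Overloading", "Denial of Service", "HIGH", {"query": directive_overload_query()}),
    ("Batch Queries", "Denial of Service", "HIGH", batch_body()),
]


def run_checks(endpoint):
    """Findings in graphql-cop's record shape; result=True means the probe was accepted (vulnerable)."""
    findings = []
    for title, impact, severity, body in CHECKS:
        accepted, reason = endpoint(body)
        findings.append({"title": title, "impact": impact, "severity": severity,
                         "result": accepted, "description": reason})
    return findings


def ci_exit_code(findings, fail_on=("HIGH",)):
    """Pipeline gate: non-zero when any finding at the listed severities is confirmed."""
    return 1 if any(f["result"] and f["severity"] in fail_on for f in findings) else 0


if __name__ == "__main__":
    for name, endpoint in (("permissive", permissive_endpoint), ("hardened", hardened_endpoint)):
        findings = run_checks(endpoint)
        print(f"{name}: exit code {ci_exit_code(findings)}")
        print(json.dumps(findings, indent=1))
```

Run it directly to print both reports. `ci_exit_code` is the piece to wire into a pipeline step; the same gate applies to graphql-cop's own `-o json` output once it has been parsed into a list of finding dicts, since the tool uses the same `severity` and `result` keys.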