{"id":13739538,"url":"https://github.com/nicholasaleks/CrackQL","last_synced_at":"2025-05-08T19:34:20.602Z","repository":{"id":41368660,"uuid":"509172159","full_name":"nicholasaleks/CrackQL","owner":"nicholasaleks","description":"CrackQL is a GraphQL password brute-force and fuzzing utility.","archived":false,"fork":false,"pushed_at":"2024-08-03T23:34:58.000Z","size":670,"stargazers_count":328,"open_issues_count":1,"forks_count":33,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-05T21:11:31.814Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nicholasaleks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-30T17:24:35.000Z","updated_at":"2025-04-02T16:07:29.000Z","dependencies_parsed_at":"2024-04-17T11:36:33.075Z","dependency_job_id":"4c1c6c5d-d4f2-410e-a9fd-4777d3094b03","html_url":"https://github.com/nicholasaleks/CrackQL","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicholasaleks%2FCrackQL","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicholasaleks%2FCrackQL/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicholasaleks%2FCrackQL/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicholasaleks%2FCrackQL/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nicholasaleks","download_url":"https://codeload.github.com/nicholasaleks/CrackQL/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253135503,"owners_count":21859658,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T04:00:34.973Z","updated_at":"2025-05-08T19:34:20.222Z","avatar_url":"https://github.com/nicholasaleks.png","language":"Python","funding_links":[],"categories":["Weapons","Offensive Security"],"sub_categories":["Tools","Exploitation"],"readme":"CrackQL\n=======\nCrackQL is a GraphQL password brute-force and fuzzing utility.\n\n\u003ch1 align=\"center\"\u003e\n\t\u003cimg src=\"https://github.com/nicholasaleks/CrackQL/blob/master/static/CrackQL-Banner.png?raw=true\" alt=\"CrackQL\"/\u003e\n\t\u003cbr\u003e\n\u003c/h1\u003e\n\nCrackQL is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost analysis controls to brute-force credentials and fuzz operations.\n\n# Table of Contents\n* [How it works](#how-it-works)\n* [Attack Use Cases](#attack-use-cases)\n  * [Defense Evasion](#defense-evasion)\n  * [Password Spraying Brute-forcing](#password-spraying-brute-forcing)\n  * [Two-factor Authentication OTP Bypass](#two-factor-Authentication-otp-bypass)\n  * [User Account Enumeration](#user-account-enumeration)\n  * [Insecure Direct Object Reference](#insecure-direct-object-reference)\n  * [General Fuzzing](#general-fuzzing)\n* [Inputs](#inputs)\n* [Installation](#installation)\n* [Configurations](#configuration)\n* [Maintainers](#maintainers)\n* [Mentions](#mentions)\n\n## How it works?\n\nCrackQL works by automatically batching a single GraphQL query or mutation into several alias operations. It determines the number of aliases to use based on the CSV input variables. After programmatically generating the batched GraphQL document, CrackQL then batches and sends the payload(s) to the target GraphQL API and parses the results and errors.\n\n## Attack Use Cases\n\nCrackQL can be used for a wide range of GraphQL attacks since it programmatically generates payloads based on a list of dynamic inputs.\n\n### Defense Evasion\n\nUnlike [Burp Intruder](https://portswigger.net/burp/documentation/desktop/tools/intruder) which sends a request for each unique payload, CrackQL evades traditional API HTTP rate-limit monitoring defenses by using multiple alias queries to stuff large sets of credentials into single HTTP requests. To bypass query cost analysis defenses, CrackQL can be optimized into using a series of smaller batched operations (`-b`) as well as a time delay (`-D`).\n\n\n### Password Spraying Brute-forcing\n\nCrackQL is perfect against GraphQL deployments that leverage in-band GraphQL authentication operations (such as the [GraphQL Authentication Module](https://www.graphql-modules.com/docs#authentication-module)). The below password spraying example works against [DVGA](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application) with the `sample-inputs/users-and-passwords.csv` dictionary.\n\n[sample-queries/login.graphql](sample-queries/login.graphql)\n\u003cpre\u003e\nmutation {\n  login(username: \u003cb\u003e{{username|str}}\u003c/b\u003e, password: \u003cb\u003e{{password|str}}\u003c/b\u003e) {\n    accessToken\n  }\n}\n\u003c/pre\u003e\n\n### Two-factor Authentication OTP Bypass\n\nIt is possible to use CrackQL to bypass two-factor authentication by sending all OTP (One Time Password) tokens\n\n[sample-queries/otp-bypass.graphql](sample-queries/otp-bypass.graphql)\n\u003cpre\u003e\nmutation {\n  twoFactor(otp: \u003cb\u003e{{otp|int}}\u003c/b\u003e) {\n    accessToken\n  }\n}\n\u003c/pre\u003e\n\n### User Account Enumeration\n\nCrackQL can also be used for enumeration attacks to discover valid user ids, usernames and email addresses\n\n[sample-queries/enumeration.graphql](sample-queries/enumeration.graphql)\n\u003cpre\u003e\nquery {\n  signup(email: \u003cb\u003e{{email|str}}\u003c/b\u003e, password: \u003cb\u003e{{password|str}}\u003c/b\u003e) {\n    user {\n      email\n    }\n  }\n}\n\u003c/pre\u003e\n\n### Insecure Direct Object Reference\n\nCrackQL could be used to iterate over a large number of potential unique identifiers in order to leak object information\n\n[sample-queries/idor.graphql](sample-queries/idor.graphql)\n\u003cpre\u003e\nquery {\n  profile(uuid: \u003cb\u003e{{uuid|int}}\u003c/b\u003e) {\n    name\n    email\n    picture\n  }\n}\n\u003c/pre\u003e\n\n### General Fuzzing\n\nCrackQL can be used for general input fuzzing operations, such as sending potential SQLi and XSS payloads.\n\n## Inputs\n\nCrackQL will generate payloads based on input variables defined by a CSV file. CrackQL requires the CSV header to match the input name.\n\n[sample-inputs/usernames_and_passwords.csv](sample-inputs/usernames_and_passwords.csv)\n\u003cpre\u003e\n\u003cb\u003eusername\u003c/b\u003e, \u003cb\u003epassword\u003c/b\u003e\nadmin, admin\nadmin, password\nadmin, pass\nadmin, pass123\nadmin, password123\noperator, operator\noperator, password\noperator, pass\noperator, pass123\noperator, password123\n\u003c/pre\u003e\n\n#### Valid input types\n- `str`\n- `int`\n- `float`\n\n## Installation\n\n### Requirements\n- Python3\n- Requests\n- GraphQL\n- Jinja\n\n### Clone Repository\n```\ngit clone git@github.com:nicholasaleks/CrackQL.git\n```\n\n### Get Dependencies\n`pip install -r requirements.txt`\n\n### Run CrackQL\n`python3 CrackQL.py -h`\n\n```\nUsage: python3 CrackQL.py -t http://example.com/graphql -q sample-queries/login.graphql -i sample-inputs/usernames_and_passwords.csv\n\nOptions:\n  -h, --help            show this help message and exit\n  -t URL, --target=URL  Target url with a path to the GraphQL endpoint\n  -q QUERY, --query=QUERY\n                        Input query or mutation operation with variable\n                        payload markers\n  -i INPUT_CSV, --input-csv=INPUT_CSV\n                        Path to a csv list of arguments (i.e. usernames,\n                        emails, ids, passwords, otp_tokens, etc.)\n  -d DELIMITER, --delimiter=DELIMITER\n                        CSV input delimiter (default: \",\")\n  -o OUTPUT_DIRECTORY, --output-directory=OUTPUT_DIRECTORY\n                        Output directory to store results (default:\n                        ./results/[domain]_[uuid]/\n  -b BATCH_SIZE, --batch-size=BATCH_SIZE\n                        Number of batch operations per GraphQL document\n                        request (default: 100)\n  -D DELAY, --delay=DELAY\n                        Time delay in seconds between batch requests (default:\n                        0)\n  --verbose             Prints out verbose messaging\n  -v, --version         Print out the current version and exit.\n```\n\n## Configuration\nUse `config.py` to set HTTP cookies, headers or proxies if the endpoint requires authentication.\n\n## Maintainers\n* [Nick Aleks](https://github.com/nicholasaleks)\n* [Dolev Farhi](https://github.com/dolevf)\n\n## Mentions\n* [Kitploit](https://www.kitploit.com/2022/07/crackql-graphql-password-brute-force.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnicholasaleks%2FCrackQL","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnicholasaleks%2FCrackQL","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnicholasaleks%2FCrackQL/lists"}