{"id":15116085,"url":"https://github.com/omar2535/GraphQLer","last_synced_at":"2025-09-27T21:31:46.028Z","repository":{"id":45393572,"uuid":"421538126","full_name":"omar2535/GraphQLer","owner":"omar2535","description":"🔍A cutting edge context aware GraphQL API fuzzing tool!","archived":false,"fork":false,"pushed_at":"2024-12-24T00:30:34.000Z","size":25194,"stargazers_count":129,"open_issues_count":8,"forks_count":7,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-01-09T07:58:37.593Z","etag":null,"topics":["api","api-testing-framework","appsec","automated-testing","cybersecurity","fuzzing","graphql","pentesting"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/omar2535.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-10-26T18:21:26.000Z","updated_at":"2025-01-02T16:04:42.000Z","dependencies_parsed_at":"2023-01-25T13:45:16.543Z","dependency_job_id":"67f1a6de-eb4e-4d0b-b3ad-db0b6b07fbea","html_url":"https://github.com/omar2535/GraphQLer","commit_stats":null,"previous_names":[],"tags_count":14,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omar2535%2FGraphQLer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omar2535%2FGraphQLer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omar2535%2FGraphQLer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/omar2535%2FGraphQLer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/omar2535","download_url":"https://codeload.github.com/omar2535/GraphQLer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234460505,"owners_count":18836837,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","api-testing-framework","appsec","automated-testing","cybersecurity","fuzzing","graphql","pentesting"],"created_at":"2024-09-26T01:44:09.060Z","updated_at":"2025-09-27T21:31:46.022Z","avatar_url":"https://github.com/omar2535.png","language":"Python","readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/omar2535/GraphQLer/main/docs/images/logo.png\" /\u003e\n  \u003cp align=\"center\"\u003eThe \u003cstrong\u003eonly\u003c/strong\u003e dependency-aware GraphQL API testing tool\u003c/p\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://hub.docker.com/repository/docker/omar2535/graphqler\"\u003e\u003cimg src=\"https://img.shields.io/docker/image-size/omar2535/graphqler/latest?style=flat\u0026logo=docker\"\u003e\u003c/a\u003e\n\u003ca href=\"https://pypi.org/project/GraphQLer/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/GraphQLer?style=flat\u0026logo=pypi\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://www.python.org/downloads/\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.12-blue\" alt=\"python3.12\"/\u003e\u003c/a\u003e\n\u003c/br\u003e\n\u003ca href=\"https://github.com/omar2535/GraphQLer/actions/workflows/lint.yml\" target=\"_blank\"\u003e\u003cimg src=\"https://github.com/omar2535/GraphQLer/actions/workflows/lint.yml/badge.svg\" alt=\"lint\" /\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/omar2535/GraphQLer/actions/workflows/unit_tests.yml\" target=\"_blank\"\u003e\u003cimg src=\"https://github.com/omar2535/GraphQLer/actions/workflows/unit_tests.yml/badge.svg?branch=main\" alt=\"unit_test_status\" /\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/omar2535/GraphQLer/actions/workflows/integration_tests.yml\" target=\"_blank\"\u003e\u003cimg src=\"https://github.com/omar2535/GraphQLer/actions/workflows/integration_tests.yml/badge.svg?branch=main\" alt=\"integration_test_status\" /\u003e\u003c/a\u003e\n\u003c/br\u003e\n\u003ca href=\"https://arxiv.org/pdf/2504.13358\"\u003e\u003cimg src=\"https://img.shields.io/badge/cs.CR-arXiv%3A2504.13358-B31B1B.svg\"\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/omar2535/GraphQLer/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-MIT-yellow.svg\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\nGraphQLer is a cutting-edge tool designed to dynamically test GraphQL APIs with a focus on awareness. It offers a range of sophisticated features that streamline the testing process and ensure robust analysis of GraphQL APIs such as being able to automatically read a schema and run tests against an API using the schema. Furthermore, GraphQLer is aware of dependencies between objects queries and mutations which is then used to perform security tests against APIs.\n\n\u003cdiv align=\"center\"\u003e\n  \u003cvideo src='https://github.com/user-attachments/assets/0c0595a7-d0d9-4554-998a-98d6ebd1fbc2' controls=\"controls\"\u003e\u003c/video\u003e\n\u003c/div\u003e\n\n## Key features\n\n- **Request generation**: Automatically generate valid queries and mutations based on the schema *(supports fragments, unions, interfaces, and enums based on the latest [GraphQL-spec](https://spec.graphql.org/October2021/#sec-ID))*\n- **Dependency awareness**: Run queries and mutations based on their natural dependencies\n- **Resource tracking**: Keep track of any objects seen in the API for future use and reconnaisance\n- **Error correction**: Try and fix requests so that the GraphQL API accepts them\n- **Statistics collection**: Shows your results in a easy-to-read file\n- **Ease of use**: All you need is the endpoint and the authentication token if needed\n- **Customizability**: Change the configuration file to suit your needs, proxy requests through Burp or ZAP if you want\n\n## Getting started\n\nQuick installation can be done either with [pip](https://pypi.org/project/GraphQLer/):\n\n```sh\npip install GraphQLer\npython -m graphqler --help\n```\n\nor [docker](https://hub.docker.com/repository/docker/omar2535/graphqler/general):\n\n```sh\ndocker pull omar2535/graphqler:latest\ndocker run --rm omar2535/graphqler --help\n```\n\nFor a more in-depth guide, check out the [installation guide](./docs/installation.md).\n\n## Usage\n\n```sh\n❯ python -m graphqler --help\nusage: __main__.py [-h] --url URL [--path PATH] [--config CONFIG] --mode {compile,fuzz,idor,run,single} [--auth AUTH] [--proxy PROXY] [--node NODE] [--plugins-path PLUGINS_PATH] [--version]\n\noptions:\n  -h, --help            show this help message and exit\n  --url URL             remote host URL\n  --path PATH           directory location for files to be saved-to/used-from. Defaults to graphqler-output\n  --config CONFIG       configuration file for the program\n  --mode {compile,fuzz,idor,run,single}\n                        mode to run the program in\n  --auth AUTH           authentication token Example: 'Bearer arandompat-abcdefgh'\n  --proxy PROXY         proxy to use for requests (ie. http://127.0.0.1:8080)\n  --node NODE           node to run (only used in single mode)\n  --plugins-path PLUGINS_PATH\n                        path to plugins directory\n  --version             display versionn\n```\n\nBelow will be the steps on how you can use this program to test your GraphQL API. The usage is split into 2 phases, **compilation** and **fuzzing**.\n\n- **Compilation mode**:This mode is responsible for running an *introspection query* against the given API and generating the dependency graphh\n- **Fuzzing mode**: This mode is responsible for traversing the dependency graph and sending test requests to the API\n\nA third mode is also included for ease of use, called **run** mode. this mode compiles both the compilation and fuzzing mode into one single command.\n\nA mode in development right now is known as the **idor** mode, which will look for re-used objects that are accessible using another access token. This is in trial right now and requires the user to have run the *compile* and *fuzzing* mode first.\n\n### Compile mode\n\n```sh\npython -m graphqler --mode compile --url \u003cURL\u003e --path \u003cSAVE_PATH\u003e\n```\n\nAfter compiling, you can view the compiled results in the `\u003cSAVE_PATH\u003e/compiled`. Additionally, a graph will have been generated called `dependency_graph.png` for inspection. Any `UNKNOWNS` in the compiled `.yaml` files can be manually marked; however, if not marked the fuzzer will still run them but just without using a dependency chain.\n\n### Fuzz mode\n\n```sh\npython -m graphqler --mode fuzz --url \u003cURL\u003e --path \u003cSAVE_PATH\u003e\n```\n\nWhile fuzzing, statistics related to the GraphQL API and any ongoing request counts are logged in the console. Any request return codes are written to `\u003cSAVE_PATH\u003e/stats.txt`. All logs during fuzzing are kept in `\u003cSAVE_PATH\u003e/logs/fuzzer.log`. The log file will tell you exactly which requests are sent to which endpoints, and what the response was. This can be used for further result analysis. A copy of the objects bucket can be found in `objects_bucket.pkl` as well.\n\n### IDOR Checking mode\n\n```sh\npython -m graphqler --mode idor --url \u003cURL\u003e --path \u003cSAVE_PATH\u003e\n```\n\nThe [insecure direct object reference (IDOR)](https://portswigger.net/web-security/access-control/idor) mode can be run after **compile** mode and **fuzz** mode is complete. It requires the `objects_bucket.pkl` file to already exist as it uses the objects bucket from a previous run to see if information found/created from a previous run is also reference-able in a new run.\n\n### Run mode\n\nRuns both the Compile mode and Fuzz mode\n\n```sh\npython -m graphqler --mode run --url \u003cURL\u003e --path \u003cSAVE_PATH\u003e\n```\n\n### Single mode\n\nRuns a single node (make sure it exists in the list of queries or mutations)\n\n```sh\npython -m graphqler --url \u003cURL\u003e --path \u003cSAVE_PATH\u003e --config \u003cCUSTOM_CONFIG\u003e\u003e --proxy \u003cCUSTOM_PROXY\u003e --mode single --node \u003cNODE_NAME\u003e\n```\n\n## Advanced features\n\nThere are also varaibles that can be modified with the `--config` flag as a TOML file (see `/examples/config.toml` for an example). These correspond to specific features implemented in GraphQLer, and can be tuned to your liking.\n\n| Variable Name | Variable Description | Variable Type | Default |\n|---------------|---------------------|---------------|---------------|\n| MAX_LEVENSHTEIN_THRESHOLD | The levenshtein distance between objects and object IDs | Integer | 20 |\n| MAX_OBJECT_CYCLES | Max number of times the same object should be materialized in the same query/mutation | Integer | 3 |\n| MAX_OUTUPT_SELECTOR_DEPTH | Max depth the query/mutation's output should be expanded (such as the case of infinitely recursive selectors) | Integer | 3 |\n| USE_OBJECTS_BUCKET | Whether or not to store object IDs for future use | Boolean | True |\n| USE_DEPENDENCY_GRAPH | Whether or not to use the dependency-aware feature | Boolean | True |\n| ALLOW_DELETION_OF_OBJECTS | Whether or not to allow deletions from the objects bucket | Boolean | False |\n| MAX_FUZZING_ITERATIONS | Maximum number of fuzzing payloads to run on a node | Integer | 5 |\n| MAX_TIME | The maximum time to run in seconds | Integer | 3600 |\n| TIME_BETWEEN_REQUESTS | Max time to wait between requests in seconds | Integer | 0.001 |\n| DEBUG | Debug mode | Boolean | False |\n| Custom Headers | Custom headers to be sent along with each request | Object | `Accept = \"application/json\"` |\n| SKIP_MAXIMAL_PAYLOADS | Whether or not to send a payload with all the possible outputs | Boolean | False |\n| SKIP_DOS_ATTACKS | Whether or not to skip DOS attacks(defaults to true to not DOS the service) | Boolean | True |\n| SKIP_INJECTION_ATTACKS | Whether or not to skip injection attacks | Boolean | False |\n| SKIP_MISC_ATTACKS | Whether or not to skip miscillaneous attacks | Boolean | False |\n| SKIP_NODES | Nodes to skip (query or mutation names) | List | [] |\n\n### Plugins\n\nYou can also implement your own plugins for custom authentication (ie. short token lifetimes). See more in the [docs](https://github.com/omar2535/GraphQLer/tree/main/docs).\n","funding_links":[],"categories":["Python","Application Security","Tools"],"sub_categories":["API Fuzzing","Tools - Security"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomar2535%2FGraphQLer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fomar2535%2FGraphQLer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fomar2535%2FGraphQLer/lists"}