awesome-graphql-security
A curated list of awesome GraphQL Security frameworks, libraries, software and resources
https://github.com/Escape-Technologies/awesome-graphql-security
Defensive Security
Authentication & Authorization
- GraphQL Shield - GraphQL Shield helps you create a permission layer for your application.
- GraphQL Authz - GraphQL authorization layer
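As an added example (not code from GraphQL Shield or GraphQL Authz), the following Python sketches what a permission layer of this kind does: every resolver is wrapped with a rule that receives the same parent, args and context as the resolver; fields with no rule fall back to deny; and an object-level rule (is_owner) stops a caller from reading another user's record even though the field is readable by its owner. The resolver map, user table and execution helper are constructed for the example and stand in for a real GraphQL server.

```python
from typing import Any, Callable

Rule = Callable[[Any, dict, dict], bool]  # (parent, args, context) -> allowed?


class Forbidden(Exception):
    """Raised instead of calling the resolver when its rule rejects the request."""


# Rules receive exactly what the resolver would, so a rule can be role-level
# (who is calling) or object-level (which record is being resolved).
def allow(parent, args, ctx):
    return True


def deny(parent, args, ctx):
    return False


def is_authenticated(parent, args, ctx):
    return ctx.get("user") is not None


def is_owner(parent, args, ctx):
    # Object-level check: the parent record must belong to the caller.
    return is_authenticated(parent, args, ctx) and parent.get("owner_id") == ctx["user"]["id"]


def _guard(path, rule, resolve):
    def wrapped(parent, args, ctx):
        if not rule(parent, args, ctx):
            raise Forbidden(f"not authorised: {path}")
        return resolve(parent, args, ctx)
    return wrapped


def apply_permissions(resolvers, permissions, fallback=deny):
    """Wrap every resolver with its rule. Fields with no rule get `fallback`;
    with deny as the fallback a newly added field is closed until a rule is
    written for it, which is the safe default for a permission layer."""
    guarded = {}
    for type_name, fields in resolvers.items():
        guarded[type_name] = {}
        for field, resolve in fields.items():
            rule = permissions.get(type_name, {}).get(field, fallback)
            guarded[type_name][field] = _guard(f"{type_name}.{field}", rule, resolve)
    return guarded


# Constructed user table and resolver map (hypothetical; stands in for a schema).
USERS = {
    1: {"id": 1, "email": "alice@example.com", "password_hash": "redacted", "owner_id": 1},
    2: {"id": 2, "email": "bob@example.com", "password_hash": "redacted", "owner_id": 2},
}

RESOLVERS = {
    "Query": {
        "user": lambda parent, args, ctx: USERS[args["id"]],
    },
    "User": {
        "id": lambda parent, args, ctx: parent["id"],
        "email": lambda parent, args, ctx: parent["email"],
        "password_hash": lambda parent, args, ctx: parent["password_hash"],  # no rule written
    },
}

PERMISSIONS = {
    "Query": {"user": is_authenticated},
    "User": {"id": allow, "email": is_owner},
}

GUARDED = apply_permissions(RESOLVERS, PERMISSIONS)


def resolve_user_field(ctx, user_id, field):
    """Run Query.user(id) and then User.<field> the way an executor would.
    Returns ("ok", value) or ("forbidden", reason)."""
    try:
        user = GUARDED["Query"]["user"](None, {"id": user_id}, ctx)
        return ("ok", GUARDED["User"][field](user, {}, ctx))
    except Forbidden as exc:
        return ("forbidden", str(exc))
```

With a context of `{"user": {"id": 1}}`, `resolve_user_field(ctx, 2, "email")` is refused by is_owner while `resolve_user_field(ctx, 2, "id")` succeeds, and `password_hash` is refused for everyone because nobody wrote a rule for it.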
Security Solutions
- WAF for GraphQL - Web Application Firewall for GraphQL APIs.
Continuous Security Testing
- GraphQL Cop - Utility to run common security tests against GraphQL APIs that can be run inside CI/CD.
- Escape - GraphQL Security - Continuous GraphQL Security Testing for Developers. Find and fix GraphQL security flaws in the CI/CD.
Middlewares
- GraphQL Armor - Highly customizable security middleware for Apollo GraphQL and Envelop servers.
Neutral Security
Clients and IDEs
- Postman - Postman is an API platform for developers to design, build, test and iterate their APIs.
- Insomnia - Design and test GraphQL APIs with ease.
- Altair - GraphQL Client helps you debug GraphQL queries and implementations. Also distributed as a Browser Extension.
- Hoppscotch - Online REST and GraphQL client
Visualizers
- GraphQL Visualizer - Visualize GraphQL schema.
- Voyager - Represent any GraphQL API as an interactive graph.
- GraphQL Inspector
- GraphQL Rover - GraphQL schema viewer for endpoints with introspection
- CraftQL - CLI GraphQL schema viewer, view schema diagram on the terminal or generate graphviz .dot format file
Self-Discovery
- GraphMan - Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API.
Resources
Academy
- API Security Academy - Hands-on learning about GraphQL. Each lesson is built around a WebContainer containing a live GraphQL application, so you'll not only understand why a vulnerability is risky, but also how to exploit it and, most importantly, how to fix it.
Blogs
- Access Control Best Practices for GraphQL with Authentication and Authorization - Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API.
- Apollo Blog - Take your GraphQL skills to the next level with our free interactive GraphQL tutorials, videos, quizzes and code challenges.
- The GraphQL Security Blog - Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem.
- GraphQL security for decentralized applications (DApps): challenges and best practices - Security challenges specific to GraphQL APIs that back decentralized applications, and practices for addressing them.
- GraphQL for Pentesters - Introduction to Basic Concepts, Security Considerations & Reconnaissance, Vulnerabilities and Attacks, Offensive Tools.
Vulnerabilities
- Aliasing Attacks - Addressing the Security concerns of GraphQL Aliases.
- File Inclusion and Directory Traversal - File Inclusion and Directory Traversal in GraphQL.
- GraphQL CSRF - Understanding and Dealing with Cross-Site Request Forgery Attacks (CSRF) in GraphQL.
- GraphQL Cyclic Queries and Depth Limiting - Because GraphQL types can reference each other, a client can send deeply nested or cyclic queries that exhaust server resources and take the API down; depth limiting is the countermeasure.
- HTTPS and GraphQL - How HTTPS can prevent Data Leaks.
- SQL Injection - SQL Injections in GraphQL.
- Verbose Errors Suggestions - When GraphQL Error Messages become a Security Issue.
- What are Insecure Direct Object References (IDOR) in GraphQL, and how to fix them - How a missing object-level authorization check lets a caller read or change another user's record just by supplying its identifier, and how to fix it.
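The alias and depth limits described in the "Aliasing Attacks" and "GraphQL Cyclic Queries and Depth Limiting" entries above, and enforced by middleware such as GraphQL Armor, come down to one validation step over the parsed query. The following is an added example, not code from any project on this list: a dependency-free Python checker that tokenizes a query, computes its nesting depth (root fields at depth 1) and counts aliased fields, then rejects it against configurable limits. The sample queries are constructed for the example. Named fragment spreads (`...Name`) are not followed into their definitions, so a cycle built through fragments is underestimated; a production rule should walk fragments as well.

```python
import re

# Tokens: strings (kept whole so braces inside them are ignored), the spread
# operator, names, numbers and punctuators. Whitespace and comments are dropped.
TOKEN_RE = re.compile(
    r'(?P<skip>\s+|#[^\n]*)'
    r'|(?P<tok>"(?:\\.|[^"\\])*"|\.\.\.|[A-Za-z_]\w*|-?\d+(?:\.\d+)?|[{}():$@!\[\]=,|])'
)


def tokenize(query: str) -> list:
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(query):
        if m.start() != pos:
            raise ValueError(f"unexpected character at offset {pos}")
        pos = m.end()
        if m.group("tok") is not None:
            tokens.append(m.group("tok"))
    if pos != len(query):
        raise ValueError(f"unexpected character at offset {pos}")
    return tokens


def _skip_parens(tokens, i):
    """tokens[i] is '('; return the index just past the matching ')'."""
    depth = 0
    while True:
        if tokens[i] == "(":
            depth += 1
        elif tokens[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1


def _skip_directives(tokens, i):
    while i < len(tokens) and tokens[i] == "@":
        i += 2                                   # '@' and the directive name
        if i < len(tokens) and tokens[i] == "(":
            i = _skip_parens(tokens, i)
    return i


def _selection_set(tokens, i, depth):
    """tokens[i] is '{'. Fields directly inside sit at `depth` (root fields are
    depth 1). Returns (index past the closing '}', max depth, alias count)."""
    i += 1
    max_depth, aliases = depth, 0
    while tokens[i] != "}":
        if tokens[i] == "...":                   # inline fragment or named spread
            i += 1
            if tokens[i] == "on":                # `... on Type { ... }`
                i += 2
            elif tokens[i] not in ("{", "@"):    # `...Name`: skipped, not followed
                i += 1
            i = _skip_directives(tokens, i)
            if tokens[i] == "{":                 # inline fragment shares its parent's depth
                i, d, a = _selection_set(tokens, i, depth)
                max_depth, aliases = max(max_depth, d), aliases + a
            continue
        i += 1                                   # field name (or alias)
        if tokens[i] == ":":                     # `alias: field`
            aliases += 1
            i += 2
        if tokens[i] == "(":
            i = _skip_parens(tokens, i)
        i = _skip_directives(tokens, i)
        if tokens[i] == "{":                     # nested selection set: one level deeper
            i, d, a = _selection_set(tokens, i, depth + 1)
            max_depth, aliases = max(max_depth, d), aliases + a
    return i + 1, max_depth, aliases


def analyse(query: str):
    """Return (max_depth, alias_count) for the first operation in `query`."""
    tokens = tokenize(query)
    if "{" not in tokens:
        raise ValueError("no selection set found")
    _, depth, aliases = _selection_set(tokens, tokens.index("{"), 1)
    return depth, aliases


def check_query(query: str, max_depth: int = 5, max_aliases: int = 3) -> list:
    """Return the list of limit violations; an empty list means the query may run."""
    depth, aliases = analyse(query)
    problems = []
    if depth > max_depth:
        problems.append(f"depth {depth} exceeds limit {max_depth}")
    if aliases > max_aliases:
        problems.append(f"{aliases} aliases exceed limit {max_aliases}")
    return problems


# Constructed sample queries: a normal one, a cyclic one, and alias-batched logins.
SAFE = "query { viewer { id name } }"
CYCLIC = "query { user(id: 1) { friends { friends { friends { friends { name } } } } } }"
ALIASED = """mutation {
  a: login(user: "admin", password: "hunter2") { token }
  b: login(user: "admin", password: "letmein") { token }
  c: login(user: "admin", password: "qwerty") { token }
  d: login(user: "admin", password: "123456") { token }
}"""
```

`check_query(CYCLIC)` reports depth 6 against the default limit of 5, and `check_query(ALIASED)` reports four aliases against a limit of three, which is the pattern behind alias-based brute force of a login mutation in one request; run this before execution, not in a resolver, so the work of a rejected query is never done.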
Contributing
🤝 Join our team
Offensive Security
-
Discovery
- Graphinder - Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
- Graphw00f - GraphQL Server Engine Fingerprinting utility.
- Clairvoyance - Partial introspection fetcher for endpoints where introspection is disabled.
- GraphQL Path Enum
- ShapeShifter - Schema extraction to JSON file with introspection.
- Goctopus - a GraphQL endpoint discovery and fingerprinting tool.
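The "Verbose Errors Suggestions" entry under Vulnerabilities and Clairvoyance rest on the same leak: with introspection disabled, a graphql-js style server still answers an unknown field with a "Did you mean" hint, so probing a type with a wordlist recovers real field names, including ones never probed. The following added example (not Clairvoyance's code) shows both ends offline: a constructed stand-in endpoint with a hidden schema and a suggestion routine modelled on graphql-js's suggestionList (plain Levenshtein distance, threshold floor(0.4 * len) + 1), and the client-side extraction that turns error messages into discovered fields. The schema, wordlist and endpoint are all constructed for the example.

```python
import re

# Constructed hidden schema: stands in for a server with introspection off.
# The recovery code below never reads it directly.
HIDDEN_SCHEMA = {
    "Query": ["user", "users", "node", "search", "systemStatus"],
}


def lexical_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (graphql-js also counts transpositions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suggestions(name: str, options) -> list:
    """Modelled on graphql-js suggestionList: options within
    floor(0.4 * len(name)) + 1 edits of `name`, closest first."""
    threshold = int(len(name) * 0.4) + 1
    ranked = sorted((lexical_distance(name, o), o) for o in options)
    return [o for d, o in ranked if d <= threshold]


def fake_endpoint(type_name: str, field: str) -> dict:
    """Stand-in for POSTing `{ <field> }` to a server: phrases an unknown-field
    error the way graphql-js does, suggestions included."""
    known = HIDDEN_SCHEMA[type_name]
    if field in known:
        return {"data": {field: None}}
    message = f'Cannot query field "{field}" on type "{type_name}".'
    hints = [f'"{h}"' for h in suggestions(field, known)]
    if len(hints) == 1:
        message += f" Did you mean {hints[0]}?"
    elif len(hints) == 2:
        message += f" Did you mean {hints[0]} or {hints[1]}?"
    elif hints:
        message += f" Did you mean {', '.join(hints[:-1])}, or {hints[-1]}?"
    return {"errors": [{"message": message}]}


DID_YOU_MEAN = re.compile(r'Did you mean (.+?)\?')
QUOTED = re.compile(r'"([^"]+)"')


def extract_suggestions(errors) -> set:
    """Pull every quoted name out of the 'Did you mean' part of each error."""
    found = set()
    for err in errors:
        m = DID_YOU_MEAN.search(err.get("message", ""))
        if m:
            found.update(QUOTED.findall(m.group(1)))
    return found


def recover_fields(type_name: str, wordlist, probe=fake_endpoint) -> set:
    """Probe each word: an exact hit is a field, a miss may leak its neighbours."""
    found = set()
    for word in wordlist:
        response = probe(type_name, word)
        if "errors" not in response:
            found.add(word)
        else:
            found |= extract_suggestions(response["errors"])
    return found


# Constructed probe list; a real run feeds in a GraphQL field-name wordlist.
WORDLIST = ["usr", "serch", "node", "status"]
```

Four probes recover `user`, `users`, `search` and `node`: the misspelt `usr` leaks both `user` and `users`, and `serch` leaks `search` plus the two near-misses. `systemStatus` stays hidden because no probe lands within the edit threshold, which is why the tools above ship large wordlists. On the defensive side the fix is to strip suggestions from errors in production (the middleware in the Defensive Security section does this), since the hints exist only to help developers.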
Exploitation
- GraphCrawler - A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, and then test authorization.
- CrackQL - GraphQL password brute-force and fuzzing utility.
- GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
- GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations.
- InQL - A Burp Extension for GraphQL Security Testing.
- BatchQL - GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
- GraphQL wordlist - the only GraphQL wordlist for pentesting you'll ever need. Operations, field names, type names. It was collected on more than 60k distinct GraphQL schemas.
Vulnerable Applications
- Damn Vulnerable GraphQL Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
Keywords (repository topics across the listed projects, with counts): graphql (18), security (6), penetration-testing (5), api (4), typescript (3), graphql-security (3), security-tools (2), vuejs (2), bugbounty (2), cybersecurity (2), graphql-tools (2), pentesting (2), schema (2), fingerprinting (2), apollo (2), vue (1), tools (1), testing-tools (1), testing (1), spa (1), rest-api (1), websocket (1), deno (1), escape (1), insomnia (1), postman (1), javascript (1), monitoring (1), probot-app (1), the-guild (1), d3js (1), dagre (1), graphql-yoga (1), permissions (1), server (1), shield (1), auditing (1), blue-team (1), hacking (1), hardening (1), red-team (1), apollo-server (1), envelop (1), hacktoberfest2023 (1), middleware (1), api-client (1), api-rest (1), api-testing (1), developer-tools (1), http (1)