Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/davinerd/gql_intruder

A plugin based GraphQL vulnerability assessment tool.
https://github.com/davinerd/gql_intruder

graphql graphql-security pentest-tool python3

Last synced: about 1 month ago
JSON representation

A plugin based GraphQL vulnerability assessment tool.

Host: GitHub
URL: https://github.com/davinerd/gql_intruder
Owner: davinerd
License: mit
Created: 2020-11-10T00:04:53.000Z (over 3 years ago)
Default Branch: master
Last Pushed: 2021-01-10T22:44:29.000Z (over 3 years ago)
Last Synced: 2024-02-02T06:43:14.868Z (4 months ago)
Topics: graphql, graphql-security, pentest-tool, python3
Language: Python
Homepage:
Size: 71.3 KB
Stars: 11
Watchers: 2
Forks: 0
Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

awesome-graphql - GraphQL Intruder - Plugin based python script to perform GraphQL vulnerability assessment. (Tools / Tools - Security)
awesome-graphql - GraphQL Intruder - Plugin based python script to perform GraphQL vulnerability assessment. (Tools / Tools - Security)

README

        # GraphQL Intruder

Plugin oriented tool to perform GraphQL endpoint vulnerability assessment.

# Usage

Plugins are listed in their own folders under `plugins` folder.

To list all the available plugins:

```

$ python3 brute.py

List of available plugins

Name: dump

Author: Davide Barbato

Description: Dump GraphQL schema via introspection.

Action: dump

Name: intruder

Author: Davide Barbato

Description: Simple bruteforce inspired by Burp Suite Intruder.

Action: intruder

For more info type: python3 brute.py 

```

# How to write a plugin

Writing a plugin is pretty simple:

1. Create a folder under `plugins`. The folder's name reflects the file and class name. Example:

```

plugins/

├── newplugin

│   ├── newplugin.py

│   ├── __init__.py

``` 

2. Write your plugin. Inside `newplugin.py`:

```

# Mandatory imports

import utils

import argparse

from plugin import Plugin

# Class name matches file and folder names

class Newplugin(Plugin):

  # This is mandatory

  CMD_NAME = "new_attack"

  # These are optional

  author = "Davide Barbato"

  description = "Super duper new attack plugin"

  

  def __init__(self):

    # The Plugin class' argparse already sets the URL as mandatory parameter.

    # If you need to add your own parser, do it and call self.build_argparse(your_new_parser)

    parser = self.build_argparse()

    args = parser.parse_args()

  # This function is mandatory.

  def attack(self):

    print("Attack!")

```

3. Add the module to `plugins/__init__.py`:

```

from plugins.intruder.intruder import Intruder

from plugins.dump.dump import Dump

from plugins.newplugin.newplugin import Newplugin

```

4. Enjoy