https://github.com/nicholasaleks/graphql-threat-matrix

GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations
https://github.com/nicholasaleks/graphql-threat-matrix

Last synced: about 2 months ago
JSON representation

GraphQL threat framework used by security professionals to research security gaps in GraphQL implementations

• Host: GitHub
• URL: https://github.com/nicholasaleks/graphql-threat-matrix
• Owner: nicholasaleks
• Created: 2022-04-29T01:25:49.000Z (over 2 years ago)
• Default Branch: master
• Last Pushed: 2023-11-25T14:37:35.000Z (about 1 year ago)
• Last Synced: 2024-11-15T09:43:49.597Z (about 2 months ago)
• Homepage:
• Size: 272 KB
• Stars: 287
• Watchers: 9
• Forks: 28
• Open Issues: 8
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

• awesome-graphql-security - GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations. (Offensive Security / Exploitation)
• awesome-api-security - graphql-threat-matrix

README

        


 

 






 GraphQL Threat Matrix



## Why graphql-threat-matrix?

[graphql-threat-matrix](https://github.com/nicholasaleks/graphql-threat-matrix) was built for bug bounty hunters, security researchers and hackers to assist with uncovering vulnerabilities across multiple GraphQL implementations.

The differences in how GraphQL implementations interpret and conform to the GraphQL specification may lead to security gaps and unique attack vectors. By analyzing and comparing the factors that drive the security risks across different implementations the GraphQL ecosystem can make safer deployment decisions as well as collectively advance the security maturity of all implementations.



Legend


✅  - Enabled by Default


⚠️  - Disabled by Default


❌  - No Support



    Implementation

    Validations

    Field Suggestions

    Query Depth limit

    Query Cost Analysis

    Automatic Persisted Queries

    Introspection

    Debug Mode

    Batch Requests

    wp-graphql

    38

    ✅

    ⚠️

    ❌

    ❌

    ⚠️

    ⚠️

    ✅

    graphql-php

    37

    ✅

    ⚠️

    ⚠️

    ❌

    ✅

    ⚠️

    ⚠️

    graphql-api-for-wp

    37

    ⚠️

    ❌

    ❌

    ✅

    ✅

    ⚠️

    ✅

    Apollo

    34

    ✅

    ⚠️

    ⚠️

    ✅

    ✅

    ✅

    ✅

    graphql-yoga

    34

    ✅

    ⚠️

    ❌

    ❌

    ⚠️

    ⚠️

    ⚠️

    graphene

    34

    ✅

    ❌

    ❌

    ❌

    ✅

    ❌

    ⚠️

    Ariadne

    34

    ✅

    ⚠️

    ⚠️

    ❌

    ✅

    ⚠️

    ❌

    Strawberry

    34

    ✅

    ⚠️

    ❌

    ❌

    ✅

    ❌

    ❌

    graphql-dotnet

    29

    ✅

    ⚠️

    ⚠️

    ❌

    ✅

    ❌

    ⚠️

    graphql-ruby

    28

    ✅

    ❌

    ⚠️

    ⚠️

    ✅

    ❌

    ✅

    Sangria

    27

    ✅

    ⚠️

    ⚠️

    ❌

    ✅

    ❌

    ⚠️

    Tartiflette

    26

    ❌

    ❌

    ❌

    ❌

    ✅

    ❌

    ❌

    graphql-java

    26

    ✅

    ⚠️

    ⚠️

    ❌

    ✅

    ❌

    ⚠️

    gqlgen

    25

    ✅

    ❌

    ⚠️

    ⚠️

    ✅

    ⚠️

    ⚠️

    Dgraph

    25

    ✅

    ❌

    ❌

    ⚠️

    ✅

    ❌

    ❌

    graphql-go

    24

    ✅

    ❌

    ❌

    ❌

    ✅

    ⚠️

    ❌

    juniper

    24

    ❌

    ❌

    ❌

    ❌

    ✅

    ❌

    ⚠️

    Diana.jl

    10

    ✅

    ❌

    ❌

    ❌

    ✅

    ❌

    ❌

    gql-dart/gql

    9

    ✅

    ❌

    ❌

    ❌

    ✅

    ❌

    ❌

    Agoo

    1

    ❌

    ❌

    ❌

    ❌

    ✅

    ⚠️

    ❌

 Lighthouse

 1

		✅

		⚠️

		⚠️

		⚠️

		✅

		⚠️

		✅

## For Penetration Testers

Use [graphw00f](https://github.com/dolevf/graphw00f) to fingerprint a target GraphQL API and determine the backend implementation.

## Want to provide a submission (or correction)?

Interested in contributing? Found a discrepancy? Please create a GitHub issue or PR with your details.

## Contributors & Maintainers

- [Nick Aleks](https://github.com/nicholasaleks)

- [Dolev Farhi](https://github.com/dolevf)