Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/nof0rte/graphqshell

A GraphQL pentesting scripting engine
https://github.com/nof0rte/graphqshell

graphql pentest-tool

Last synced: about 1 month ago
JSON representation

A GraphQL pentesting scripting engine

Host: GitHub
URL: https://github.com/nof0rte/graphqshell
Owner: NoF0rte
Created: 2022-10-12T21:43:45.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2023-08-31T18:25:05.000Z (over 1 year ago)
Last Synced: 2024-10-22T16:58:40.089Z (3 months ago)
Topics: graphql, pentest-tool
Language: Go
Homepage:
Size: 265 KB
Stars: 0
Watchers: 1
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

        # GraphQShell

GraphQShell is a GraphQL pentesting scripting engine. Using the Go scripting engine [Tengo](https://github.com/d5/tengo) and custom Tengo modules, GraphQShell enables you to interact with GraphQL endpoints with ease. Either by writing a script or using the REPL, you can use GraphQShell to more easily fuzz GraphQL queries and mutations.

## Getting Started

### Install

GraphQShell requires Go v1.19+ to install

```

go install github.com/NoF0rte/graphqshell/cmd/graphqshell@latest

```

```

$ graphqshell --help

A GraphQL pentesting scripting engine. Run a script and/or run the REPL.

Usage:

  graphqshell [path/to/script] [flags]

Examples:

Run a script:

	graphqshell my-script.tengo

Run the REPL:

	graphqshell

Run a script then break to the REPL:

	graphqshell my-script.tengo -r

Flags:

  -h, --help   help for graphqshell

  -r, --repl   Run REPL after script runs

```

### REPL

By default, GraphQShell runs a Tengo REPL. This allows you to run code and get immediate feedback.

```

$ graphqshell

 _____                      _      _____  _____  _            _  _

|  __ \                    | |    |  _  |/  ___|| |          | || |

| |  \/ _ __   __ _  _ __  | |__  | | | |\ `--. | |__    ___ | || |

| | __ | '__| / _` || '_ \ | '_ \ | | | | `--. \| '_ \  / _ \| || |

| |_\ \| |   | (_| || |_) || | | |\ \/' //\__/ /| | | ||  __/| || |

 \____/|_|    \__,_|| .__/ |_| |_| \_/\_\\____/ |_| |_| \___||_||_|

                    | |

                    |_|

» 

```

To get started, let's first create a GraphQL client

```

» client := graphql.new_client("")

```

### Examples

## Scripting

GraphQShell uses the Go scripting engine [Tengo](https://github.com/d5/tengo) and the custom Tengo modules in [tengomod](https://github.com/analog-substance/tengomod). Refer to their documentation for general usage and examples.

### Module - "graphql"

```golang

graphql := import("graphql")

```

**Note:** This module is auto imported when using the REPL

#### Functions

## Roadmap

- [ ] Fuzzing values via Go templates

- [ ] Tab completions (maybe, could more effort than it is worth)

- [ ] Smarter/configurable default argument values

- [ ] GraphQL variables

- [ ] PostJSON/GraphQL should return a result object

- [ ] More intuitive Tengo functionality

  - [ ] Settings arg default values