Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/phor3nsic/graphqlBrute

Last synced: 21 days ago
JSON representation

Host: GitHub
URL: https://github.com/phor3nsic/graphqlBrute
Owner: phor3nsic
Created: 2020-10-23T12:42:44.000Z (about 4 years ago)
Default Branch: master
Last Pushed: 2024-07-31T17:55:00.000Z (4 months ago)
Last Synced: 2024-08-05T17:45:10.549Z (4 months ago)
Language: Python
Size: 282 KB
Stars: 6
Watchers: 1
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - phor3nsic/graphqlBrute - (Python)

README

        


    

    




###

This Python script aims to explore and identify functions in a GraphQL API where introspection is disabled, but the “did you mean…” suggestion feature is enabled. The “did you mean…” feature is a common characteristic in GraphQL APIs that suggests possible function names when a query with an incorrect name is submitted.

#### Key Features:

1.	Test Query Submission: Sends GraphQL queries with slightly modified or incorrect function names to the API.

2.	Response Analysis: Analyzes API responses to detect suggestions provided by the “did you mean…” feature.

3.	Valid Function Logging: Stores the correct function names discovered based on the API suggestions.

4.	Automation and Efficiency: Utilizes brute force techniques to cover a large number of possible variations in a reasonable time, maximizing the chance of discovering valid functions in the API.

#### Benefits:

•	Hidden Function Discovery: Useful for pentesters and security researchers aiming to uncover undocumented or protected functions in GraphQL APIs.

•	Automation: Reduces manual effort needed to test and validate function names.

•	Versatility: Can be adapted for different GraphQL APIs with minor configuration adjustments.

### Install

- via pipx:

```sh

pipx install git+https://github.com/phor3nsic/graphqlBrute

```

- via pip:

```sh

pip install git+https://github.com/phor3nsic/graphqlBrute

```

### Run

```sh

graphqlBrute -u http://target/graphql

```

### Security Considerations:

•	Ethical Use: This script should only be used for ethical security testing with proper authorization from the API owners.

•	Performance: Adjust the query submission rate to avoid overloading the target server.