From 00fd1c8efac72e7dc8848f0872a8edde60eb5484 Mon Sep 17 00:00:00 2001 From: dolevf Date: Tue, 2 Aug 2022 17:06:06 -0400 Subject: [PATCH 1/4] bump version --- version.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.py b/version.py index 2f59475..d749da4 100644 --- a/version.py +++ b/version.py @@ -1 +1 @@ -VERSION = '1.1.3' +VERSION = '1.1.4' From 52096114ef04d055524bb70587387fa47c823030 Mon Sep 17 00:00:00 2001 From: dolevf Date: Sun, 21 Aug 2022 22:10:56 -0400 Subject: [PATCH 2/4] add mercurius --- graphw00f/helpers.py | 6 ++++++ graphw00f/lib.py | 19 +++++++++++++++---- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/graphw00f/helpers.py b/graphw00f/helpers.py index 46318af..ea14009 100644 --- a/graphw00f/helpers.py +++ b/graphw00f/helpers.py @@ -225,6 +225,12 @@ def get_engines(): 'url':'https://github.com/ohler55/agoo', 'ref':'https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md', 'technology':['Ruby'] + }, + 'mercurius':{ + 'name':'mercurius', + 'url':'https://github.com/mercurius-js/mercurius', + 'ref':'https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md', + 'technology':['JavaScript'] } } diff --git a/graphw00f/lib.py b/graphw00f/lib.py index 999f245..c405972 100644 --- a/graphw00f/lib.py +++ b/graphw00f/lib.py @@ -43,6 +43,8 @@ def execute(self, url): self.url = url if self.engine_lighthouse(): return 'lighthouse' + if self.engine_mercurius(): + return 'mercurius' elif self.engine_graphql_yoga(): return 'graphql_yoga' elif self.engine_agoo(): @@ -573,7 +575,7 @@ def engine_directus(self): return True return False - + def engine_lighthouse(self): query = ''' query { @@ -588,12 +590,21 @@ def engine_lighthouse(self): def engine_agoo(self): query = ''' - query { - zzz + query { + zzz } ''' response = self.graph_query(self.url, payload=query) if error_contains(response, 'eval error', part='code'): return True - + + return False + + def engine_mercurius(self): + query = '' + response = self.graph_query(self.url, payload=query) + + if error_contains(response, 'Unknown query'): + return True return False + From 29091cd2dbdc6acf6ffcfe5d77203c8423af44d2 Mon Sep 17 00:00:00 2001 From: dolevf Date: Sun, 21 Aug 2022 22:13:44 -0400 Subject: [PATCH 3/4] add tech --- graphw00f/helpers.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/graphw00f/helpers.py b/graphw00f/helpers.py index ea14009..921e7b3 100644 --- a/graphw00f/helpers.py +++ b/graphw00f/helpers.py @@ -230,7 +230,7 @@ def get_engines(): 'name':'mercurius', 'url':'https://github.com/mercurius-js/mercurius', 'ref':'https://github.com/nicholasaleks/graphql-threat-matrix/blob/master/implementations/agoo.md', - 'technology':['JavaScript'] + 'technology':['JavaScript', 'Node.js', 'TypeScript'] } } From d15da4b329cbb4f25cc5fff0d8e64511733eea99 Mon Sep 17 00:00:00 2001 From: dolevf Date: Sun, 21 Aug 2022 22:14:36 -0400 Subject: [PATCH 4/4] update readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 69d2966..c53b51c 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,7 @@ graphw00f currently attempts to discover the following GraphQL engines: * GraphQL Yoga - TypeScript * Lighthouse - PHP * Agoo - Ruby +* Mercurius - JavaScripts # GraphQL Threat Matrix The graphw00f project uses the [GraphQL Threat Matrix Project](https://github.com/nicholasaleks/graphql-threat-matrix/) as its technology security matrix database. When graphw00f successfully fingerprints a GraphQL endpoint, it will print out the threat matrix document. This document helps security engineers to identify how mature the technology is, what security features it offers, and whether it contains any CVEs.