Initial commit

.gitignore

@@ -0,0 +1,129 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/

LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2021, graphw00f
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+   contributors may be used to endorse or promote products derived from
+   this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

README.md

@@ -0,0 +1,117 @@
+<h1 align="center">
+ <img src="https://github.com/dolevf/graphw00f/blob/main/static/graphw00f.png?raw=true" width="alt="graphw00f"/>
+ <br>
+ graphw00f - GraphQL Fingerprinting
+</h1>
+
+graphw00f (inspired by [wafw00f](https://github.com/EnableSecurity/wafw00f)) is a GraphQL fingerprinting tool. 
+
+# Table of Contents
+* [How does it work?](#how-does-it-work)
+* [Detections](#detections)
+* [GraphQL Technologies Defence Matrices](#graphql-technologies-defence-matrices)
+* [Prerequisites](#prerequisites)
+* [Installation](#installation)
+* [Support & Issues](#support-and-issues)
+* [Resources](#resources)
+
+
+# How does it work?
+graphw00f is a Python utility which attempts to send a mixture of benign and malformed queries to determine the GraphQL engine running behind the scenes.
+
+Different GraphQL servers respond uniquely to queries, mutations and subscriptions given the right payload, this makes it trivial to fingerprint and distinguish between the various GraphQL servers. (CWE: [CWE-200](#CWE-Reference))
+
+# Detections
+graphw00f currently attempts to discover the following GraphQL engines:
+* Graphene
+* Ariadne
+* Apollo
+* graphql-go
+* gqlgen
+* WPGraphQL
+* GraphQL API for Wordpress
+* Ruby GraphQL
+* graphql-php
+* Hasura
+* HyperGraphQL
+* GraphQL for Java
+
+# GraphQL Technologies Defence Matrices
+Each fingerprinted technology (e.g. Graphene, Ariadne, ...) has an associated document ([example for graphene](https://github.com/dolevf/graphw00f/blob/main/docs/graphene.md)) which covers the security defence mechanisms the specific technology supports to give a better idea how the implementation may be attacked.
+
+```
+| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
+|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
+| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |
+```
+
+# Prerequisites
+* python3
+* requests                   
+
+# Installation
+## Clone Repository
+`git clone [email protected]:dolevf/graphw00f.git`
+
+## Run graphw00f
+`python3 main.py -h`
+
+```
+Usage: main.py -h
+
+Options:
+  -h, --help            show this help message and exit
+  -r, --noredirect      Do not follow redirections given by 3xx responses
+  -t URL, --target=URL  target url with the path
+  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
+                        Output results to a file (CSV)
+  -l, --list            List all GraphQL technologies graphw00f is able to
+                        detect
+  -v, --version         Print out the current version and exit.
+```
+
+# Example
+```
+python3 main.py -t http://127.0.0.1:5000/graphql
+
++-------------------+           +--------------------+
+|      GRAPHQL      |           |     FINGERPRINT    |
++-------------------+           +--------------------+
+                  **              **                  
+                    ***        ***                    
+                       **    **                       
+                +-------------------+                 
+                |     graphw00f     |                 
+                +-------------------+                 
+                  ***            ***                  
+                **                  ***               
+              **                       **             
+    +--------------+              +--------------+       
+    |    Node X    |              |    Node Y    |       
+    +--------------+              +--------------+     
+                  ***            ***                  
+                     **        **                     
+                       **    **                       
+                    +------------+                      
+                    |   Node Z   |                      
+                    +------------+    
+
+                graphw00f - v1.0.0
+          The fingerprinting tool for GraphQL
+  
+[*] Checking if GraphQL is available at http://127.0.0.1:8088/graphql...
+[*] Found GraphQL.
+[*] Attempting to fingerprint...
+[*] Discovered GraphQL Engine!
+[!] The site https://www.graphql-java.com is using: graphql-java - GraphQL for Java
+[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/graphql-java.md
+[!] Technologies: Java
+[!] Homepage: https://www.graphql-java.com
+[*] Completed.
+```
+                                                                                                              
+# Support and Issues
+Any issues with graphw00f such as false/true positives, inaccurate detections, etc. please create a GitHub issue with environment details.
+
+# Resources
+Want to learn more about GraphQL? head over to my other project and hack GraphQL away: [Damn Vulnerable GraphQL Application](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/)

conf.py

@@ -0,0 +1,7 @@
+# Custom Headers
+# HEADERS = {"User-Agent":"My User Agent"}
+HEADERS = {'User-Agent':'graphw00f'}
+
+# Custom Cookies
+# COOKIES = {"PHPSESS":"DEADBEEF"}
+COOKIES = {}

docs/apollo.md

@@ -0,0 +1,18 @@
+# Apollo
+
+# Table of Contents
+* [About](#About)
+* [Security Features](#Security-Features)
+
+# About
+Apollo Server is a community-maintained open-source GraphQL server. It works with many Node.js HTTP server frameworks, or can run on its own with a built-in Express server. Apollo Server works with any GraphQL schema built with GraphQL.js--or define a schema's type definitions using schema definition language (SDL).
+Apollo uses TypeScript as its language.
+
+# Security Features
+Apollo offers the following features:
+
+```
+| Field Suggestions | Query Depth Limit                | Query Cost Analysis              | Automatic Persisted Queries | Introspection                                  | Debug Mode                                                                    | Batch Requests  |
+|-------------------|----------------------------------|----------------------------------|-----------------------------|------------------------------------------------|-------------------------------------------------------------------------------|-----------------|
+| On by Default     | Supported via External Libraries | Supported via External Libraries | Supported                   | Enabled if NODE_ENV is not set to 'production' | exception.stacktrace exists if NODE_ENV is not set to 'production' or 'test'  | On by default   |
+```

docs/ariadne.md

@@ -0,0 +1,17 @@
+# Ariadne
+
+# Table of Contents
+* [About](#About)
+* [Security Features](#Security-Features)
+
+# About
+Ariadne is a Python library for implementing GraphQL servers using a schema-first approach.
+
+# Security Features
+Ariadne offers the following features:
+
+```
+| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode     | Batch Requests  |
+|-------------------|-------------------|---------------------|-----------------------------|--------------------|----------------|-----------------|
+| On by Default     | Supported         | Supported           | No Support                  | Enabled by Default | Off by Default | No Support      |
+```

docs/gqlgen.md

@@ -0,0 +1,17 @@
+# gqlgen
+
+# Table of Contents
+* [About](#About)
+* [Security Features](#Security-Features)
+
+# About
+gqlgen is a Go library for building GraphQL servers without any fuss, based on schema-first approach.
+
+# Security Features
+gqlgen provides the following security features:
+
+```
+| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection | Debug Mode     | Batch Requests  |
+|-------------------|-------------------|---------------------|-----------------------------|---------------|----------------|-----------------|
+| On by Default     | No Support        | Off by Default      | Off by Default              | On by Default | Off by Default | Off by Default  |
+```

docs/graphene.md

@@ -0,0 +1,17 @@
+# Graphene
+
+# Table of Contents
+* [About](#About)
+* [Security Features](#Security-Features)
+
+# About
+Graphene-Python is a library for building GraphQL APIs in Python easily, its main goal is to provide a simple but extendable API for making developers' lives easier.
+
+# Security Features
+Graphene offers the following features:
+
+```
+| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
+|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
+| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |
+```

docs/graphql-go.md

@@ -0,0 +1,17 @@
+# GraphQL-Go
+
+# Table of Contents
+* [About](#About)
+* [Security Features](#Security-Features)
+
+# About
+An implementation of GraphQL in Go.
+
+# Security Features
+graphql-go offers the following features:
+
+```
+| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode     | Batch Requests  |
+|-------------------|-------------------|---------------------|-----------------------------|--------------------|----------------|-----------------|
+| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | Off by Default | No Support      |
+```

docs/graphql-java.md

@@ -0,0 +1,17 @@
+# GraphQL Java
+
+# Table of Contents
+* [About](#About)
+* [Security Features](#Security-Features)
+
+# About
+The GraphQL Java is an implementation of the GraphQL specification for the Java language.
+
+# Security Features
+GraphQL Java offers the following security features:
+
+```
+| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
+|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
+| On by Default     | Off by Default    | Off by Default      | No Support                  | Enabled by Default | No Support | Off by Default  |
+```