Hello @dolevf,

I have been trying to fingerprint a graphql endpoint (sandboxed) for as part of a bug bounty program, but it keeps crashing:

~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql

            +-------------------+
            |     graphw00f     |
            +-------------------+
              ***            ***
            **                  **
          **                      **
+--------------+              +--------------+
|    Node X    |              |    Node Y    |
+--------------+              +--------------+
              ***            ***
                 **        **
                   **    **
                +------------+
                |   Node Z   |
                +------------+

            graphw00f - v1.1.3
      The fingerprinting tool for GraphQL
       Dolev Farhi <[email protected]>

[*] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql... [!] Found GraphQL. [*] Attempting to fingerprint... Traceback (most recent call last): File "/home/andrew/graphw00f/main.py", line 153, in main() File "/home/andrew/graphw00f/main.py", line 129, in main result = g.execute(url) File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute elif self.engine_graphene(): File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene if error_contains(response, 'Syntax Error GraphQL (1:1)'): File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains err_message = i.get(part, '') AttributeError: 'str' object has no attribute 'get'

To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I maybe wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost graphql installation.

Cheers.

While testing on an Ariadne engine sending query @deprecated {__typename} returned Directive '@deprecated' may not be used on query. which is the signature for strawberry.

Using [email protected]:dolevf/graphw00f.git will give you permission denied, It's suppose to be https://github.com/dolevf/graphw00f.git , just change it in your README file or a lot of people will get confused.

Hi !

Great project ! Is it possible (or is it planned) to add a custom header? I have a graphql app with an secure auth and I would need to add an authorization header in the request. Is it possible ?

Thanks ! Trobyss'

edit: I just find the conf.py :) it would be cool if it was specified in the readme

Graphw00f 1.0.8 has a new AWS AppSync fingerprint signature. It will be useful to create an attack surface matrix markdown file under docs/ for it to list the type of security features it offers and whether its vulnerable by default to GraphQL-ish things.

Hello @dolevf,

I work at Escape, a platform that helps developers find and fix the security flaws of their GraphQL endpoint, directly inside the CI-CD pipeline.

Therefore, I am glad to contribute to your repository to make GraphQL safer, by providing a detection for Aws AppSync which is largely used in the ecosystem.

Hope you will find it useful.

Btw, checkout our free tool, graphql.security to run dozens of GraphQL security tests for free, in ten seconds and without any sign-in. Also, results are private and not stored.

Added support for explicit proxy specification through requests' built in proxy support. As a result, you don't need to rely on system proxies or set environment variables :)

Using --proxy specifies an explicit proxy location. Using --burp uses the default Burp Suite proxy: 127.0.0.1:8080.

Could you release a pyproject.toml file to make install a&nd packaging easier?

• pyproject.toml
• How to Publish an Open-Source Python Package to PyPI
• The pyproject.toml file

Address #20

• refactor: print to logging module.
• refactor: fstring over format (Graphw00f is targeting python3)
• feat: logger.py that contains logger setup that we can later adjust.
• chore: drop color class

Address #18

• feat: added CD workflow | Will create release/push to pypi on tag.
• feat: pyproject file
• refactor: version system
• refactor: moved scripts assets into the main repository

Instead of doing python main.py which is an anti pattern and not sustainable, you will be able to install using pip and call it like graphw00f .... You are also able to call it using python -m graphw00f from a local directory.

To setup the local env using poetry, install poetry (pip install poetry) and then do poetry install poetry shell.