graphw00f: a powerful GraphQL server engine fingerprinting tool
2021-09-30 06:18:44

About graphw00f

graphw00f is a GraphQL fingerprinting tool for GQL endpoints. It sends a mix of benign and malicious queries to help researchers identify which GraphQL engine sits behind a target application.

graphw00f also gives researchers an immediate picture of the security defenses each technology provides, and of whether those protections are on or off by default. Carefully crafted queries make different GraphQL server implementations respond differently to queries, mutations and subscriptions, and those differences are what let the tool fingerprint the backend engine and tell GraphQL implementations apart.

Detection

The current version of graphw00f attempts to detect the following GraphQL engines:

Graphene - Python
Ariadne - Python
Apollo - TypeScript
graphql-go - Go
gqlgen - Go
WPGraphQL - PHP
GraphQL API for Wordpress - PHP
Ruby - GraphQL
graphql-php - PHP
Hasura - Haskell
HyperGraphQL - Java
graphql-java - Java
Juniper - Rust
Sangria - Scala
Flutter - Dart
Diana.jl - Julia
Strawberry - Python
Tartiflette - Python

GraphQL Technology Defense Matrix

Every fingerprinted technology (Graphene, Ariadne, etc.) has an accompanying document (for example the one for Graphene) that covers the security defense mechanisms that technology supports, so as to better understand how the implementation can be attacked.

| Field Suggestions | Query Depth Limit | Query Cost Analysis | Automatic Persisted Queries | Introspection      | Debug Mode | Batch Requests  |
|-------------------|-------------------|---------------------|-----------------------------|--------------------|------------|-----------------|
| On by Default     | No Support        | No Support          | No Support                  | Enabled by Default | N/A        | Off by Default  |
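As an added example (not graphw00f's own code), a small Python audit that checks three of the matrix columns, Field Suggestions, Introspection and Batch Requests, against an endpoint you operate, so you can confirm which defaults are actually in effect. The probe queries and the response patterns it matches (a "Did you mean" hint, an array reply to a batched request) are assumptions based on common graphql-js/graphql-core behaviour, and the sample replies are constructed.

```python
import json
import urllib.error
import urllib.request
# One probe per matrix column. The typo "__typenam" is deliberate: a server with
# field suggestions enabled answers it with a "Did you mean" hint.
PROBES = {
    "introspection": {"query": "{ __schema { queryType { name } } }"},
    "field_suggestions": {"query": "{ __typenam }"},
    "batch_requests": [{"query": "{ __typename }"}, {"query": "{ __typename }"}],
}
def classify(check, status, body):
    """True if the risky default is on, False if off, None if the reply is unclear."""
    if check == "batch_requests":  # batching-capable servers answer with an array
        return status == 200 and isinstance(body, list)
    if not isinstance(body, dict):
        return None
    if check == "introspection":
        return status == 200 and (body.get("data") or {}).get("__schema") is not None
    if check == "field_suggestions":
        msgs = [e.get("message", "") for e in body.get("errors", [])]
        return any("Did you mean" in m for m in msgs)
    return None

def post_json(url, payload, timeout=5):
    """POST a JSON body; return (status, parsed JSON or None). 4xx replies keep their body."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, None

def audit(url):
    """Run every probe against an endpoint you operate; map check name -> verdict."""
    return {name: classify(name, *post_json(url, probe)) for name, probe in PROBES.items()}
# Constructed sample replies (not captured from a real server) so the checks run offline.
SAMPLE = {
    "introspection": (200, {"data": {"__schema": {"queryType": {"name": "Query"}}}}),
    "field_suggestions": (400, {"errors": [{"message":
        'Cannot query field "__typenam" on type "Query". Did you mean "__typename"?'}]}),
    "batch_requests": (400, {"errors": [{"message": "Batching is not supported"}]}),
}
def audit_sample():
    return {name: classify(name, status, body) for name, (status, body) in SAMPLE.items()}
```

Run `audit("http://localhost:5000/graphql")` against your own instance; a True verdict on introspection or field suggestions is a default worth turning off outside development.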

Dependencies

python3
requests

Installation & Usage

First, clone the project source to your machine with the following command:

```shell
git clone git@github.com:dolevf/graphw00f.git
```

Then run graphw00f with the following command to view its help information:

```text
python3 main.py -h
Usage: main.py -t http://example.com/graphql -f
Options:
  -h, --help            show this help message and exit
  -r, --noredirect      Do not follow redirections given by 3xx responses
  -t URL, --target=URL  target url with the path
  -f, --fingerprint     fingerprint mode
  -d, --detect          detect mode
  -T TIMEOUT, --timeout=TIMEOUT
                        Request timeout in seconds
  -o OUTPUT_FILE, --output-file=OUTPUT_FILE
                        Output results to a file (CSV)
  -l, --list            List all GraphQL technologies graphw00f is able to
                        detect
  -v, --version         Print out the current version and exit.
```

Usage

Fingerprinting a GraphQL endpoint

In this example, we fingerprint a GraphQL endpoint whose location is already known:

```text
python3 main.py -f -t https://demo.hypergraphql.org:8484/graphql
                +-------------------+
                |     graphw00f
                +-------------------+
                  ***            ***
                **                  ***
              **                       **
    +--------------+              +--------------+
    |    Node X    |              |    Node Y    |
    +--------------+              +--------------+
                  ***            ***
                   **        **
                       **    **
                    +------------+
                    |   Node Z   |
                    +------------+
                graphw00f - v1.0.4
          The fingerprinting tool for GraphQL
           Dolev Farhi <dolev@lethalbit.com>
[*] Checking if GraphQL is available at https://demo.hypergraphql.org:8484/graphql...
[*] Found GraphQL...
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (HyperGraphQL)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/hypergraphql.md
[!] Technologies: Java
[!] Homepage: https://www.hypergraphql.org
[*] Completed.
```

Detecting and fingerprinting GraphQL

In this example, graphw00f first detects whether GraphQL is live on the host and then runs the fingerprinting process:

```text
python3 main.py -f -d -t http://localhost:5000
                +-------------------+
                |     graphw00f
                +-------------------+
                  ***            ***
                **                  ***
              **                       **
    +--------------+              +--------------+
    |    Node X    |              |    Node Y    |
    +--------------+              +--------------+
                  ***            ***
                     **        **
                       **    **
                    +------------+
                    |   Node Z   |
                    +------------+
                graphw00f - v1.0.4
          The fingerprinting tool for GraphQL
         Dolev Farhi <dolev@lethalbit.com>
[*] Checking http://dvga.example.local:5000/graphql
[!] Found GraphQL at http://dvga.example.local:5000/graphql
[*] Attempting to fingerprint...
[*] Discovered GraphQL Engine: (Graphene)
[!] Attack Surface Matrix: https://github.com/dolevf/graphw00f/blob/main/docs/graphene.md
[!] Technologies: Python
[!] Homepage: https://graphene-python.org
[*] Completed.
```

Project page

graphw00f: GitHub (https://github.com/dolevf/graphw00f)

References

https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/
