From 42f7751aa3be4eeddf2fb1cb16c686b98d410db5 Mon Sep 17 00:00:00 2001 From: redDev Date: Fri, 31 Jan 2025 02:19:37 +0100 Subject: [PATCH] Add my GraphQL DoS testing repo to HackTricks --- src/network-services-pentesting/pentesting-web/graphql.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/graphql.md b/src/network-services-pentesting/pentesting-web/graphql.md index 4f95149a0..61ebf389c 100644 --- a/src/network-services-pentesting/pentesting-web/graphql.md +++ b/src/network-services-pentesting/pentesting-web/graphql.md @@ -615,6 +615,10 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso - [https://github.com/doyensec/inql](https://github.com/doyensec/inql): Burp extension for advanced GraphQL testing. The _**Scanner**_ is the core of InQL v5.0, where you can analyze a GraphQL endpoint or a local introspection schema file. It auto-generates all possible queries and mutations, organizing them into a structured view for your analysis. The _**Attacker**_ component lets you run batch GraphQL attacks, which can be useful for circumventing poorly implemented rate limits. - [https://github.com/nikitastupin/clairvoyance](https://github.com/nikitastupin/clairvoyance): Try to get the schema even with introspection disabled by using the help of some Graphql databases that will suggest the names of mutations and parameters. +### Scripts to exploit common vulnerabilities + +- [https://github.com/reycotallo98/pentestScripts/tree/main/GraphQLDoS](https://github.com/reycotallo98/pentestScripts/tree/main/GraphQLDoS): Collection of scripts for exploiting denial-of-service vulnerabilities in vulnerable graphql environments. + ### Clients - [https://github.com/graphql/graphiql](https://github.com/graphql/graphiql): GUI client
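Review bot: The new heading "### Scripts to exploit common vulnerabilities" is broader than its single entry, which covers only denial of service. Either narrow the heading to GraphQL DoS testing or fold the bullet into the tool list directly above it, next to inql and clairvoyance, so the page does not gain a one-item section. In the added bullet, "exploiting denial-of-service vulnerabilities in vulnerable graphql environments" repeats "vulnerable" and lowercases "graphql", while the rest of the page mostly writes "GraphQL"; something like "Collection of scripts for testing GraphQL endpoints for denial-of-service weaknesses" reads cleaner. The description also does not say which DoS classes the scripts cover, so a short list of those would help readers judge whether it applies to their engagement. Finally, the link targets `tree/main` of a personal repository, so the content behind it can change after this merge; consider pinning it to a commit or tag.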