maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1009 from reycotallo98/feature/add-graphql-tool

Browse Source 
Add my GraphQL DoS testing repo to HackTricks
This commit is contained in:
SirBroccoli 2025-02-05 11:21:24 +01:00 committed by GitHub
commit f314d276f8
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/network-services-pentesting/pentesting-web/graphql.md
View File

@ -615,6 +615,10 @@ curl -X POST -H "User-Agent: graphql-cop/1.13" -H "Content-Type: application/jso
- [https://github.com/doyensec/inql](https://github.com/doyensec/inql): Burp extension or python script for advanced GraphQL testing. The _**Scanner**_ is the core of InQL v5.0, where you can analyze a GraphQL endpoint or a local introspection schema file. It auto-generates all possible queries and mutations, organizing them into a structured view for your analysis. The _**Attacker**_ component lets you run batch GraphQL attacks, which can be useful for circumventing poorly implemented rate limits: `python3 inql.py -t http://example.com/graphql -o output.json`
- [https://github.com/nikitastupin/clairvoyance](https://github.com/nikitastupin/clairvoyance): Try to get the schema even with introspection disabled by using the help of some Graphql databases that will suggest the names of mutations and parameters.
### Scripts to exploit common vulnerabilities
- [https://github.com/reycotallo98/pentestScripts/tree/main/GraphQLDoS](https://github.com/reycotallo98/pentestScripts/tree/main/GraphQLDoS): Collection of scripts for exploiting denial-of-service vulnerabilities in vulnerable graphql environments.
### Clients
- [https://github.com/graphql/graphiql](https://github.com/graphql/graphiql): GUI client