Skip to content

Escape-Technologies/awesome-graphql-security

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

53 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Awesome GraphQL Security awesome

A curated list of awesome GraphQL Security frameworks, libraries, software, and resources.

Contents

Defensive Security

Authentication & Authorization

Continous Security Testing

  • Escape - GraphQL Security - Continuous GraphQL Security Testing for Developers. Find and fix GraphQL security flaws in the CI/CD.
  • GraphQL Cop - Utility to run common security tests against GraphQL APIs that can be run inside CI/CD.

Middlewares

  • GraphQL Armor - Highly customizable security middleware for Apollo GraphQL and Envelop servers.

Security Solutions

Neutral Security

Clients and IDEs

  • Postman - An API platform for developers to design, build, test and iterate their APIs.
  • Insomnia - Design and test GraphQL APIs with ease.
  • Altair - GraphQL Client helps you debug GraphQL queries and implementations. Also distributed as a Browser Extension.
  • Hoppscotch - Online REST and GraphQL client

Self-Discovery

  • GraphMan - Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API.

Visualizers

  • Voyager - Represent any GraphQL API as an interactive graph.
  • GraphQL Inspector – Validate schema, get schema change notifications, validate operations, find breaking changes, look for similar types, schema coverage.
  • GraphQL Rover - GraphQL schema viewer for endpoints with introspection
  • CraftQL - CLI GraphQL schema viewer, view schema diagram on the terminal or generate graphviz .dot format file

Offensive Security

Discovery

  • Graphinder - Blazing fast GraphQL endpoints finder using subdomain enumeration, scripts analysis and bruteforce.
  • Graphw00f - GraphQL Server Engine Fingerprinting utility.
  • Clairvoyance - Patrial introspection fetcher when introspection is disabled.
  • GraphQL Path Enum – Tool that lists the different ways of reaching a given type in a GraphQL schema.
  • ShapeShifter - Schema extraction to JSON file with introspection.
  • Goctopus - a GraphQL endpoint discovery and fingerprinting tool.

Exploitation

  • GraphCrawler - A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, and then test authorization.
  • CrackQL - GraphQL password brute-force and fuzzing utility.
  • GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
  • GraphQL.Security - One-click quick security scan of your GraphQL endpoints. Free, no login required.
  • GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations.
  • InQL - A Burp Extension for GraphQL Security Testing.
  • BatchQL - GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
  • GraphQL wordlist - the only GraphQL wordlist for pentesting you'll ever need. Operations, field names, type names. It was collected on more than 60k distinct GraphQL schemas.

Vulnerable Applications

Resources

Blogs

Papers

Vulnerabilities

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

We will keep some pull requests open if we are not sure whether those libraries are awesome, you could vote for them by adding 👍 to them.


If you have any question about this opinionated list, do not hesitate to contact us @escapetechHQ on Twitter or open an issue on GitHub.

🤝 Join our team

We believe it's time to bring more AI-driven innovation to cybersecurity, and we'd love your help in building this dream! Want to join our adventure? Check out our Careers page!

About

A curated list of awesome GraphQL Security frameworks, libraries, software and resources

Topics

Resources

License

Contributing

Stars

396 stars

Watchers

7 watching

Forks

Contributors