Escape-Technologies · nohehf · Mar 14, 2023 · Mar 14, 2023 · Jul 21, 2023 · Jul 21, 2023
@@ -3,7 +3,6 @@ package main
 import (
 	"os"
 
-	"github.com/Escape-Technologies/goctopus/internal/utils"
 	"github.com/Escape-Technologies/goctopus/pkg/config"
 	"github.com/Escape-Technologies/goctopus/pkg/goctopus"
 
@@ -12,9 +11,6 @@ import (
 
 func main() {
 	config.LoadFromArgs()
-	if !config.Get().Silent {
-		utils.PrintASCII()
-	}
 
 	if config.Get().InputFile != "" {
 		input, err := os.Open(config.Get().InputFile)

@@ -22,6 +22,7 @@ type Config struct {
 	FieldSuggestion      bool
 	WebhookUrl           string
 	SubdomainEnumeration bool
+	EngineFingerprinting bool
 }
 
 var (
@@ -61,9 +62,10 @@ func LoadFromArgs() {
 	flag.BoolVar(&config.Introspection, "introspect", false, "Enable introspection fingerprinting")
 	flag.BoolVar(&config.FieldSuggestion, "suggest", false, "Enable fields suggestion fingerprinting.\nNeeds \"introspection\" to be enabled.")
 	flag.BoolVar(&config.SubdomainEnumeration, "subdomain", false, "Enable subdomain enumeration")
+	flag.BoolVar(&config.EngineFingerprinting, "engine", false, "[Experimental] Enable GraphQL engine fingerprinting")
 
 	// -a (All) flag enables all fingerprinting methods
-	all := flag.Bool("a", false, "(All) Enable all fingerprinting methods: introspection, field suggestion, subdomain enumeration")
+	all := flag.Bool("a", false, "(All) Enable all stable fingerprinting methods: introspection, field suggestion, subdomain enumeration")
 
 	flag.Parse()
 
@@ -85,6 +87,10 @@ func LoadFromArgs() {
 		log.SetLevel(log.ErrorLevel)
 	}
 
+	if !config.Silent {
+		utils.PrintASCII()
+	}
+
 	if err := validateConfig(&config, true); err != nil {
 		log.Error(err)
 		flag.PrintDefaults()
@@ -114,6 +120,10 @@ func validateConfig(conf *Config, isCli bool) error {
 		return errors.New("[Invalid config] Please specify an input file or a list of addresses")
 	}
 
+	if conf.EngineFingerprinting {
+		log.Warn("[Experimental] GraphQL engine fingerprinting is enabled. This feature is experimental and may produce false positives. Contributions are welcome to add new engines and test the feature.")
+	}
+
 	return nil
 }
 
@@ -133,4 +143,8 @@ func Load(config *Config) {
 	if c.Silent {
 		log.SetLevel(log.ErrorLevel)
 	}
+
+	if !config.Silent {
+		utils.PrintASCII()
+	}
 }
@@ -2,6 +2,7 @@ package endpoint
 
 import (
 	"github.com/Escape-Technologies/goctopus/pkg/address"
+	"github.com/Escape-Technologies/goctopus/pkg/engine"
 	"github.com/Escape-Technologies/goctopus/pkg/graphql"
 	"github.com/Escape-Technologies/goctopus/pkg/http"
 	"github.com/Escape-Technologies/goctopus/pkg/introspection"
@@ -18,6 +19,7 @@ type endpointFingerprinter interface {
 	IsAuthenticatedGraphql() (bool, error)
 	HasFieldSuggestion() (bool, error)
 	HasIntrospectionOpen() (bool, error)
+	GetEngine() string
 }
 
 func NewEndpointFingerprinter(url *address.Addr, client http.Client) endpointFingerprinter {
@@ -42,3 +44,7 @@ func (e *_endpointFingerprinter) HasFieldSuggestion() (bool, error) {
 func (e *_endpointFingerprinter) HasIntrospectionOpen() (bool, error) {
 	return introspection.FingerprintIntrospection(e.url.Address, e.client)
 }
+
+func (e *_endpointFingerprinter) GetEngine() string {
+	return engine.FingerprintEngine(e.url.Address, e.client)
+}
@@ -23,6 +23,10 @@ func fingerprintEndpoint(url *address.Addr, e endpointFingerprinter, config *con
 		return nil, err
 	}
 
+	if config.EngineFingerprinting {
+		out.Engine = e.GetEngine()
+	}
+
 	if !isOpenGraphql {
 		isAuthenticatedGraphql, err := e.IsAuthenticatedGraphql()
 		if err != nil {

@@ -33,6 +33,10 @@ func (m *mockedEndpointFingerprinter) HasFieldSuggestion() (bool, error) {
 	return m.fieldSuggestion, nil
 }
 
+func (m *mockedEndpointFingerprinter) GetEngine() string {
+	return ""
+}
+
 func (m *mockedEndpointFingerprinter) Close() {}
 
 func makeMockedEndpointFingerprinter(graphql bool, introspection bool) *mockedEndpointFingerprinter {
@@ -42,7 +46,7 @@ func makeMockedEndpointFingerprinter(graphql bool, introspection bool) *mockedEn
 	}
 }
 
-// @todo test field suggestion
+// @todo test field suggestion & engine fingerprinting
 func TestFingerprintUrl(t *testing.T) {
 
 	url := &address.Addr{

@@ -0,0 +1,11 @@
+package engine
+
+var T = &engine{
+	Name: "",
+	Imprints: []imprint{
+		{
+			Query:   "",
+			Matcher: inResponseText([]string{""}),
+		},
+	},
+}
@@ -0,0 +1,15 @@
+package engine
+
+var Adriane = &engine{
+	Name: "Adriane",
+	Imprints: []imprint{
+		{
+			Query:   "",
+			Matcher: inResponseText([]string{"The query must be a string."}),
+		},
+		{
+			Query:   "query { __typename @abc }",
+			Matcher: inResponseText([]string{"Unknown directive '@abc'."}),
+		},
+	},
+}
@@ -0,0 +1,11 @@
+package engine
+
+var Agoo = &engine{
+	Name: "agoo",
+	Imprints: []imprint{
+		{
+			Query:   "query { zzz }",
+			Matcher: inSection("code", []string{"eval error"}),
+		},
+	},
+}
@@ -0,0 +1,21 @@
+package engine
+
+var Apollo = &engine{
+	Name: "Apollo",
+	Imprints: []imprint{
+		{
+			Query: "query @deprecated { __typename }",
+			Matcher: inResponseText([]string{
+				"Directive \\\"@deprecated\\\" may not be used on QUERY.",
+				"Directive \\\"deprecated\\\" may not be used on QUERY.",
+			}),
+		},
+		{
+			Query: "query @skip { __typename }",
+			Matcher: inResponseText([]string{
+				"Directive \\\"@skip\\\" argument \\\"if\\\" of type \\\"Boolean!\\\" is required, but it was not provided",
+				"Directive \\\"skip\\\" argument \\\"if\\\" of type \\\"Boolean!\\\" is required, but it was not provided",
+			}),
+		},
+	},
+}
@@ -0,0 +1,11 @@
+package engine
+
+var AWSAppSync = &engine{
+	Name: "AWSAppSync",
+	Imprints: []imprint{
+		{
+			Query:   "query @skip { __typename }",
+			Matcher: inResponseText([]string{"MisplacedDirective"}),
+		},
+	},
+}
@@ -0,0 +1,125 @@
+package engine
+
+import (
+	"bytes"
+	"encoding/json"
+
+	"github.com/Escape-Technologies/goctopus/pkg/http"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type engine struct {
+	Name     string
+	Imprints []imprint
+}
+
+type imprint struct {
+	Query   string
+	Matcher matcher
+}
+
+// A responseMatcher is a function that takes a response body and returns true if the response matches the engine.
+type matcher func(responseBody *[]byte) bool
+
+// inResponseText returns a responseMatcher that checks if the response body contains any of the given strings.
+func inResponseText(matches []string) matcher {
+	return func(responseBody *[]byte) bool {
+		for _, match := range matches {
+			if bytes.Contains(*responseBody, []byte(match)) {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// inSection returns a responseMatcher that checks if the response body contains any of the given strings in the given section.
+func inSection(section string, matches []string) matcher {
+	return func(responseBody *[]byte) bool {
+		var reponseBody map[string]interface{}
+		err := json.Unmarshal(*responseBody, &reponseBody)
+		if err != nil {
+			log.Debugf("Error unmarshalling response body: %v", err)
+			return false
+		}
+		content, err := json.Marshal(reponseBody[section])
+		if err != nil {
+			return false
+		}
+		for _, match := range matches {
+			if bytes.Contains(content, []byte(match)) {
+				return true
+			}
+		}
+		return false
+	}
+}
+
+// hasJsonKey returns a responseMatcher that checks if the response body contains the given key.
+func hasJsonKey(key string) matcher {
+	return func(responseBody *[]byte) bool {
+		var reponseBody map[string]interface{}
+		json.Unmarshal(*responseBody, &reponseBody)
+		_, ok := reponseBody[key]
+		return ok
+	}
+}
+
+// Order is important here, as the first match will be returned.
+// The order has been determined by the usage statistics of the engines. (The higher the usage, the higher the priority.)
+var Engines = []*engine{
+	Apollo,
+	AWSAppSync,
+	Agoo,
+	GraphQLGo,
+	Ruby,
+	GraphQLPHP,
+	Graphene,
+	Adriane,
+	GraphQLGopherGo,
+}
+
+func addScore(engineName string, scores map[string]int) {
+	if _, ok := scores[engineName]; !ok {
+		scores[engineName] = 0
+	}
+	scores[engineName]++
+}
+
+func FingerprintEngine(url string, client http.Client) string {
+	scores := make(map[string]int) // engine name -> score
+	for _, engine := range Engines {
+		for _, imprint := range engine.Imprints {
+			log.Debugf("Trying to match %s with %s", imprint.Query, engine.Name)
+			requestBody := http.QueryToRequestBody(imprint.Query)
+			resp, err := client.Post(url, []byte(requestBody))
+			if err != nil {
+				log.Debugf("Error from %v: %v", url, err)
+				continue
+			}
+			log.Debugf("Response: %s", resp.Body)
+			if imprint.Matcher(resp.Body) {
+				addScore(engine.Name, scores)
+			}
+		}
+	}
+
+	log.Debugf("Scores for %s: %v", url, scores)
+
+	// Find the engine with the highest score.
+	var maxScore int
+	var maxScoreEngine string
+	for engineName, score := range scores {
+		if score > maxScore {
+			maxScore = score
+			maxScoreEngine = engineName
+		}
+	}
+
+	if maxScore > 0 {
+		return maxScoreEngine
+	}
+
+	return "unknown"
+}
@@ -0,0 +1,11 @@
+package engine
+
+var Graphene = &engine{
+	Name: "Graphene",
+	Imprints: []imprint{
+		{
+			Query:   "query { aaa }",
+			Matcher: inResponseText([]string{"Syntax Error GraphQL (1:1)"}),
+		},
+	},
+}
@@ -0,0 +1,19 @@
+package engine
+
+var GraphQLGo = &engine{
+	Name: "GraphQLGo",
+	Imprints: []imprint{
+		{
+			Query:   "",
+			Matcher: inResponseText([]string{"Must provide an operation."}),
+		},
+		{
+			Query:   "query  { __typename {}",
+			Matcher: inResponseText([]string{"Unexpected empty IN"}),
+		},
+		{
+			Query:   "query  { __typename }",
+			Matcher: inResponseText([]string{"RootQuery"}),
+		},
+	},
+}
@@ -0,0 +1,11 @@
+package engine
+
+var GraphQLGopherGo = &engine{
+	Name: "",
+	Imprints: []imprint{
+		{
+			Query:   "query {}",
+			Matcher: hasJsonKey("data"),
+		},
+	},
+}
@@ -0,0 +1,19 @@
+package engine
+
+var GraphQLJava = &engine{
+	Name: "",
+	Imprints: []imprint{
+		{
+			Query:   "",
+			Matcher: inResponseText([]string{"Invalid Syntax : offending token '<EOF>'"}),
+		},
+		{
+			Query:   "query @aaa@aaa { __typename }",
+			Matcher: inResponseText([]string{"Validation error of type DuplicateDirectiveName: Directives must be uniquely named within a location."}),
+		},
+		{
+			Query:   "queryy { __typename }",
+			Matcher: inResponseText([]string{"Invalid Syntax : offending token 'queryy'"}),
+		},
+	},
+}