- Check if GraphQL introspection is enabled
- Export introspection data to JSON file
- Export queries and mutations ready to test
- Execute queries and mutations in bulk or stand-alone
```
├── config.yml
├── go.mod
├── go.sum
├── img
│   └── graphspecter.png
├── LICENSE
├── main.go
├── pkg
│   ├── cli
│   │   └── cli.go
│   ├── cmd
│   │   └── root.go
│   ├── config
│   │   ├── config.go
│   │   └── merge.go
│   ├── introspection
│   │   └── introspection.go
│   ├── logger
│   │   └── logger.go
│   ├── network
│   │   └── client.go
│   ├── schema
│   │   └── schema.go
│   ├── subscription
│   │   └── client.go
│   └── types
│       └── types.go
├── README.md
```

```bash
# Run in detection mode
go run main.go --base http://192.168.1.1:5013 --detect

# Execute a single query or mutation
go run main.go \
  --execute \
  --base http://your.server/graphql \
  --query-string 'query { users { id name } }'

# Execute from files
go run main.go \
  --execute \
  --base http://your.server/graphql \
  --query-file getUser.graphql \
  --vars-file getUser.json

# Batch execution of all ops in 'ops' directory
# (expects pairs: *.graphql + optional *.json vars)
go run main.go \
  --batch-dir ./ops \
  --base http://your.server/graphql
```

```
Usage of:
  -all-mutations
        Print all mutations
  -all-queries
        Print all queries
  -base string
        Base URL of the target (e.g. http://192.168.1.1:5013)
  -batch-dir string
        Directory of .graphql/.json pairs to execute in bulk (batch mode)
  -config string
        Path to config file (.yaml or .json)
  -detect
        Enable detection mode to find a GraphQL endpoint
  -execute
        Execute a query or mutation
  -list string
        List queries, mutations or both (valid: 'queries', 'mutations', 'all')
  -log-file string
        Log to file in addition to stdout
  -log-level string
        Log level (debug, info, warn, error)
  -max-depth int
        Maximum depth for selection sets (default 10)
  -mutation string
        Print named mutations (comma-separated)
  -no-color
        Disable colored output
  -output string
        Dump introspection schema (default "introspection_<endpoint>.json")
  -query string
        Print named queries (comma-separated)
  -query-file string
        Path to file containing GraphQL query
  -query-string string
        GraphQL query string to execute
  -schema-file string
        File with the GraphQL schema (introspection JSON)
  -sub-query string
        Subscription query to execute
  -subscribe
        Enable subscription mode
  -timeout duration
        Timeout for operations (e.g., 30s, 1m) (default 1s)
  -vars string
        Query variables as JSON string
  -vars-file string
        Path to JSON file with variables
  -ws-url string
        WebSocket URL for subscriptions (default "ws://192.168.1.100:5013/subscriptions")
```

```bash
go build -o graphspecter

# Check if introspection is enabled
./graphspecter -base http://192.168.1.1:5013 -detect -output results.json
```

You can authenticate requests by setting the `AUTH_TOKEN` environment variable. When set, all requests will include an `Authorization: Bearer <token>` header.
Example:
```bash
# Set the authentication token
export AUTH_TOKEN="your-token-here"
```

- GraphQL introspection is a feature that allows clients to query a GraphQL server for information about its schema.
- While useful for development, introspection should typically be disabled in production environments as it may expose sensitive information about your API structure.
- The injection tests in `./ops` are run against https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application, along with #hackthebox attack samples from https://academy.hackthebox.com/course/preview/attacking-graphql
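
The introspection check described above, written as an added Go example that is not graphspecter's own code, in a form you can run against your own endpoint to confirm introspection is disabled in production. The helper name `introspectionEnabled` and the probe query are assumptions; the endpoint in `main` is the README's placeholder.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"time"
)

// Probe that asks only for the root query type name.
const probe = `{"query":"query { __schema { queryType { name } } }"}`

// introspectionEnabled (hypothetical helper, not part of graphspecter) reports
// whether endpoint answers the probe with schema data. A non-empty token is sent
// as "Authorization: Bearer <token>", as the README describes for AUTH_TOKEN.
func introspectionEnabled(c *http.Client, endpoint, token string) (bool, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewBufferString(probe))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()

	var body struct {
		Data struct {
			Schema *struct {
				QueryType struct{ Name string } `json:"queryType"`
			} `json:"__schema"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return false, fmt.Errorf("not a GraphQL JSON response: %w", err)
	}
	// With introspection disabled, servers return "errors" and no __schema data.
	return body.Data.Schema != nil, nil
}

func main() {
	on, err := introspectionEnabled(&http.Client{Timeout: 5 * time.Second},
		"http://your.server/graphql", os.Getenv("AUTH_TOKEN")) // placeholder endpoint
	fmt.Println("introspection enabled:", on, "err:", err)
}
```

A `true` result on a production endpoint means the schema is readable by any client that can reach it with the supplied credentials.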
