Hi Dolev,

I've just found this new tool of yours and it looks pretty cool!
I've tested it on an assessment I had at work and I've found minor things that could be improved - of course it works perfectly on dvga!
I'll see if I can submit some little PRs if I find the time

Quick question: looking at info_trace_mode.py, I am not able to understand what it looks for in order to decide if trace mode is enable.
Would you mind to explain?
I tried to alter the related query to:
{"query": "query { __typenaaame }"}

and I get on dvga:
HTTP/1.1 400 BAD REQUEST
Content-Type: application/json
Content-Length: 117
Date: Fri, 19 Aug 2022 18:53:39 GMT

{"errors":[{"message":"Cannot query field "__typenaaame" on type "Query".","locations":[{"line":1,"column":9}]}]}

But it's still not flagged as an issue.
I am not sure how these lines work, to be honest:
try:
if gql_response.json().get('errors', {}).get('extensions', {}).get('tracing'):
res['result'] = True
elif gql_response.json().get('errors', {}).get('extensions', {}).get('exception', None):
res['result'] = True
elif 'stacktrace' in str(gql_response.json()).lower():
res['result'] = True
except:
pass

Thank you for another awesome tool and for dvga v2!

I tried to run python graphql-cop.py , but it throws error like this

Traceback (most recent call last):
File "graphql-cop.py", line 9, in
from lib.tests.info_field_suggestions import field_suggestions
ModuleNotFoundError: No module named 'lib.tests'

The JSON output when using the -o json option is invalid.

A snippet from the very start of the output:

{'result': False, ...

This should look like this:

{"result": false, ...

I'll create a PR 😃

Fix is_graphql function to better handle anomalies in responses

It would be very helpful if you could add tags. This would make it easier to keep track and include graphql-cop into distributions.

Thanks

@dolevf ,
In continuation with the issue earlier discussed : #27

We are planning to use the library in our org. But it requires licensing details and also needs to be available as a package as downloading public git repo's are not allowed. So any plan to package and publish it as it would be helpful

Aswathy

I tried several times both on local and real URLs but did not succeed. The error is like the following.

Ps: the project is on and lives in port 1003.

x@Mac graphql-cop % python3 graphql-cop.py -t http://192.168.1.2:1003/graphql
Traceback (most recent call last):
  File "/path/to/folder/graphql-cop/graphql-cop.py", line 64, in <module>
    if field_suggestions(url, proxy, HEADERS):
TypeError: field_suggestions() takes 1 positional argument but 3 were given

The following code at line 87:

for path in paths:
    if not is_graphql(path, proxy, HEADERS):
        print(path, 'does not seem to be running GraphQL.')
        continue
    for test in tests:
        json_output.append(test(path, proxy, HEADERS))

Is not finding graphql endpoints that are clearly present.

If I comment out the if not is_graphql statement and run the tests, the tests are successful.

Hi,

I would like to know if graphql-cop can be imported as a package

Aswathy

Every time I run the command python3 graphql-cop -t {target IP} i get this output. I am not sure what to do please advise.

Traceback (most recent call last):
File "/home/hapihacker/tools/graphql-cop/graphql-cop.py", line 101, in
json_output.append(test(path, proxy, HEADERS, options.debug_mode))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/hapihacker/tools/graphql-cop/lib/tests/dos_field_duplication.py", line 22, in field_duplication
res['curl_verify'] = curlify(gql_response)
^^^^^^^^^^^^^^^^^^^^^
File "/home/hapihacker/tools/graphql-cop/lib/utils.py", line 9, in curlify
req = obj.request
^^^^^^^^^^^
AttributeError: 'dict' object has no attribute 'request'

Hi Doleh,

do you think graphql-cop should use the Accept: application/json header by default instead of */* ?
As I mentioned previously, the environment where I tested would immediately error out if the Accept header was not application/json.

Additionally, have you noticed that running it against DVGA does not return the GraphiQL IDE finding unless Accept is set to text/html ?
We can override the header with -H, but I was thinking of setting it by default in the info_graphiql.py check.
Two lines of codes for a PR: one before the check to set it and one before the end to remove it, if you want :)

Currently there is no license statement. Could you please add a LICENSE file that contains the license text. Shipping the LICENSE file is a requirement for some distributions (e.g., Fedora).

Thanks.

While attempting to run the script, I received the following error: ModuleNotFoundError: No module named 'lib.tests'. After reviewing the lib and tests directory I noticed you're missing a init.py file in both directories. After adding the init.py file, the script runs as expected. I assuming this is broken for a reason?