
Empowering Secure GraphQL APIs - An Open-Source Penetration Testing Wordlist

GraphQL Wordlist Penetration Testing

By Muneef. Published 10 months ago. 4 min read

In the dynamic field of cybersecurity, the adage "the best defense is a good offense" remains profoundly relevant. This principle finds embodiment in the concept of offensive security, where the focus is on actively seeking out vulnerabilities within systems, preemptively addressing them to thwart potential exploitation. It entails seizing the initiative, maintaining a vigilant stance against looming threats, and fundamentally revolutionizing the way cybersecurity is approached.

TL;DR: We've curated a comprehensive open-source GraphQL wordlist tailored specifically for penetration testing, drawing insights from over 60,000 operational GraphQL endpoints. This invaluable resource is accessible via our GitHub repository, offering a valuable asset for security practitioners and enthusiasts alike.

Wordlists: Pillars of GraphQL Security

At the heart of this proactive defensive approach lies the concept of wordlists. These repositories hold a treasure trove of commonly-used strings, encompassing usernames, passwords, URLs, and beyond. Wordlists serve as essential tools for diverse offensive security strategies such as password cracking and brute force attacks. In the pursuit of identifying vulnerabilities, a meticulously crafted wordlist often proves the distinction between exposing a weak point and fortifying it against potential threats.

Revolutionizing Brute Force Techniques: Queries, Mutations & Arguments

Though conventional wordlists, such as lists of common English words, can serve brute-force efforts in GraphQL, they offer suboptimal performance. To transcend these limitations, an ingenious solution emerges — smart brute force. Rather than resorting to random word guesses for queries, mutations, and arguments, we embrace a more sophisticated approach. By extracting GraphQL schemas via the introspection query and subsequently analyzing them to unveil recurring patterns, a specialized wordlist is formulated. This strategic resource markedly enhances the precision and speed of brute-force attacks, primarily on operation or argument names. With a reduced list size and a higher likelihood of word-field alignment, efficiency soars.

Unveiling the Imperative: Why Brute Force Operations and Arguments?

At this juncture, a legitimate question arises: Why undertake brute-force efforts on operations (queries or mutations) or argument names? Generally, brute-force attacks target argument content (e.g., a password submitted to the API) rather than field names. However, there are scenarios where the schema of a GraphQL API remains inaccessible due to closed introspection. Under such circumstances, the initial step of any assault entails gaining access to the schema. The curated wordlist becomes instrumental in the process of schema reconstruction through brute-force methods. Coupled with field recommendations, this approach often leads to the complete recovery of most schemas.

Elevating Our Arsenal: Introducing Goctopus & Clairvoyance

The Escape team has diligently engineered and contributed two potent tools to fortify this mission: Goctopus and Clairvoyance.

- Goctopus: An open-source reconnaissance tool empowering the discovery and fingerprinting of GraphQL APIs across digital landscapes.

- Clairvoyance: Conceived by Escape, this tool harnesses field suggestions and brute-force techniques to reconstruct GraphQL schemas.

Both tools stand as the epitome of cutting-edge resources for GraphQL offensive security, with the wordlist substantiating their efficacy.

Crafting the Wordlist: A Saga of Discovery, Aggregation, and Parsing

Uncovering GraphQL APIs with Goctopus

To amass an expansive wordlist, a repository of diverse schemas is imperative. This odyssey commenced in the vast expanses of the internet, supported by the dependable open-source tool, Goctopus. Orchestrated across multiple machines through Kubernetes, this endeavor led us to unearth a cache exceeding 60,000 GraphQL APIs, distinguished by accessible introspections (open schemas). Thus began the foundation of our voyage.

Compiling Introspection Data

Having secured a compilation of endpoints, the subsequent task encompassed retrieving introspections from each. This step was executed with a dash of bash magic, efficiently crafting an array of introspection response files.

    #!/usr/bin/env bash
    # Standard introspection query, minified so it fits in a single JSON string.
    INTROSPECTION_QUERY="query IntrospectionQuery{__schema{queryType{name}mutationType{name}subscriptionType{name}types{...FullType}directives{name description locations args{...InputValue}}}}fragment FullType on __Type{kind name description fields(includeDeprecated:true){name description args{...InputValue}type{...TypeRef}isDeprecated deprecationReason}inputFields{...InputValue}interfaces{...TypeRef}enumValues(includeDeprecated:true){name description isDeprecated deprecationReason}possibleTypes{...TypeRef}}fragment InputValue on __InputValue{name description type{...TypeRef}defaultValue}fragment TypeRef on __Type{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name ofType{kind name}}}}}}}}"

    MAX_JOBS=40                        # concurrent curl processes
    total=$(jq length urls.json)
    mkdir -p introspections            # -p so the script can be re-run on an existing directory
    current=1

    for url in $(jq -r '.[].url' urls.json); do
        # Throttle: wait until fewer than MAX_JOBS background fetches are running.
        while [ "$(jobs | wc -l)" -gt "$MAX_JOBS" ]; do sleep 1; done
        echo "($current/$total) Fetching introspection for $url"
        current=$((current+1))         # counted before the skip below so the progress counter stays accurate
        # File name: strip the scheme and turn path separators into underscores.
        filename=$(echo "$url" | sed -e 's#^https://##' -e 's#/#_#g')
        test -f "introspections/$filename.json" && echo "introspection for $url already exists" && continue
        curl -s -X POST -H "Content-Type: application/json" \
            --data "{\"query\": \"$INTROSPECTION_QUERY\"}" "$url" | jq . > "introspections/$filename.json" &
        echo "saving to introspections/$filename.json"
    done

    wait    # let the remaining background fetches finish before judging their output files
    echo "Deleting empty introspections"
    find introspections -type f -empty -delete
    echo "Got $(find introspections -type f | wc -l) introspections from $total urls"

Parsing the Bounty: Transforming Introspection into Comprehensive Data

The final phase of this endeavor entailed parsing these files to extract targeted statistics. Rather than a mere enumeration of term frequencies, our focus was on categorizing terms for comprehensive data gathering.
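As an added example (not Escape's code, and not the parser behind the published wordlist), here is one way to carry out this parsing step in Python. It walks the introspection responses written by the bash fetch script, follows __schema.types, and counts for each category how many schemas use each term; it also covers the "smart brute force" idea from earlier, since this categorised frequency table is exactly what a pattern-derived wordlist is. The category names (query, mutation, subscription, field, argument, input_field, enum_value, type), the decision to rank by number of schemas rather than raw occurrences, and the abridged sample introspections inline are my own assumptions and constructions.

```python
# Added example (not Escape's code): turn introspection responses into a
# categorised wordlist. Category names and ranking by the number of schemas
# using a term are assumptions; the sample introspections are constructed.
from collections import Counter, defaultdict

# Fields of the root operation types get their own categories.
ROOT_KEYS = {"queryType": "query", "mutationType": "mutation", "subscriptionType": "subscription"}
BUILTIN_SCALARS = {"Int", "Float", "String", "Boolean", "ID"}


def terms_by_category(introspection):
    """{category: set(names)} for one response, or None if introspection failed.

    Sets, not lists: a schema with an 'id' argument on fifty fields counts
    'id' once, so the final list ranks terms by how many APIs use them.
    """
    schema = (introspection.get("data") or {}).get("__schema")
    if not schema:
        return None
    roots = {}
    for key, category in ROOT_KEYS.items():
        root = schema.get(key) or {}
        if root.get("name"):
            roots[root["name"]] = category
    terms = defaultdict(set)
    for gql_type in schema.get("types") or []:
        name = gql_type.get("name") or ""
        if name.startswith("__") or name in BUILTIN_SCALARS:
            continue  # skip introspection meta-types and built-in scalars
        if name not in roots:
            terms["type"].add(name)
        field_category = roots.get(name, "field")
        for field in gql_type.get("fields") or []:
            terms[field_category].add(field["name"])
            for arg in field.get("args") or []:
                terms["argument"].add(arg["name"])
        for input_field in gql_type.get("inputFields") or []:
            terms["input_field"].add(input_field["name"])
        for value in gql_type.get("enumValues") or []:
            terms["enum_value"].add(value["name"])
    return terms


def build_wordlist(introspections):
    """Per category, count in how many schemas each term appears."""
    counts = defaultdict(Counter)
    for introspection in introspections:
        terms = terms_by_category(introspection)
        if terms is not None:  # a closed introspection contributes nothing
            for category, names in terms.items():
                counts[category].update(names)
    return counts


def top(counts, category, n=20):
    """Most common terms of a category; ties are broken alphabetically."""
    return sorted(counts[category].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def _obj(name, fields):
    """Build a constructed OBJECT type from [(field, [arg, ...]), ...]."""
    return {"kind": "OBJECT", "name": name, "fields": [
        {"name": f, "args": [{"name": a} for a in args]} for f, args in fields]}


# Constructed, abridged responses: two open schemas and one closed endpoint.
SAMPLE_INTROSPECTIONS = [
    {"data": {"__schema": {
        "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
        "types": [
            _obj("Query", [("user", ["id"]), ("users", ["first", "after"]), ("portfolio", [])]),
            _obj("Mutation", [("login", ["email", "password"])]),
            _obj("User", [("id", []), ("email", [])]),
            {"kind": "SCALAR", "name": "String"},
            {"kind": "OBJECT", "name": "__Schema", "fields": [{"name": "types", "args": []}]},
        ]}}},
    {"data": {"__schema": {
        "queryType": {"name": "Query"}, "mutationType": None,
        "types": [
            _obj("Query", [("user", ["id"]), ("products", ["first"])]),
            _obj("Product", [("id", []), ("name", [])]),
            {"kind": "ENUM", "name": "Role", "enumValues": [{"name": "ADMIN"}, {"name": "USER"}]},
            {"kind": "INPUT_OBJECT", "name": "CreateUserInput",
             "inputFields": [{"name": "email"}, {"name": "password"}]},
        ]}}},
    {"errors": [{"message": "introspection is disabled"}]},
]

if __name__ == "__main__":
    counts = build_wordlist(SAMPLE_INTROSPECTIONS)
    for category in ("query", "mutation", "argument", "type"):
        print(category, top(counts, category, 5))
```

To run it over the output of the fetch script, replace SAMPLE_INTROSPECTIONS with the parsed files, for example `build_wordlist(json.load(open(f)) for f in glob.glob("introspections/*.json"))`, wrapping the load in a try/except so a file that is not valid JSON is skipped rather than aborting the run. Counting each term once per schema (document frequency) is what keeps one enormous schema from dominating the ranking; if you want raw occurrence counts instead, change the sets in terms_by_category to lists.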

Sharing the Treasure: A Wordlist for the Collective Good

At Escape, we ardently champion the significance of open source. Recognizing the strength borne of collective effort and knowledge sharing, we extend our created wordlist, culled from over 60,000 GraphQL schemas, to the community at large. Accessible through our GitHub repository, this resource serves as a testament to our commitment to collaborative growth.

Accompanying the wordlist are statistics spotlighting the most frequently utilized terms within each category. These insights unveil patterns and trends within GraphQL API design.

For instance, consider the Top 20 most employed terms for query field names. A glance reveals the prominence of "user" and "users" as the most prevalent query names. While some predictions hold true, the inclusion of "portfolio" within the Top 20 might surprise.

A Dual Purpose: Resource for Researchers and Developers

This repository is tailored to cater to both security researchers seeking to identify vulnerabilities and developers striving to enhance the security of their GraphQL APIs. It offers a reservoir of insights and tools to augment cybersecurity measures.

Further Exploration: Escape’s Comprehensive App

For those seeking an automated solution encompassing GraphQL API discovery and testing, Escape's app stands as an exemplary choice. This application extends beyond tool functionality, offering risk assessments with a business-centric approach to AppSec teams. Additionally, it collaboratively empowers developers in the realm of remediation, effectively embedding security considerations from the outset.

In the quest for fortified cybersecurity, we invite you to engage with our wordlist and explore the broader spectrum of resources, tools, and insights offered by Escape. Together, we forge a more secure digital landscape.

