The JSON output when using the -o json option is invalid.

A snippet from the very start of the output:

{'result': False, ...

This should look like this:

{"result": false, ...

I'll create a PR 😃

Hi,

I would like to know if graphql-cop can be imported as a package

Aswathy

While attempting to run the script, I received the following error: ModuleNotFoundError: No module named 'lib.tests'. After reviewing the lib and tests directory I noticed you're missing a init.py file in both directories. After adding the init.py file, the script runs as expected. I assuming this is broken for a reason?

I tried to run python graphql-cop.py , but it throws error like this

Traceback (most recent call last):
File "graphql-cop.py", line 9, in
from lib.tests.info_field_suggestions import field_suggestions
ModuleNotFoundError: No module named 'lib.tests'

@dolevf ,
In continuation with the issue earlier discussed : #27

We are planning to use the library in our org. But it requires licensing details and also needs to be available as a package as downloading public git repo's are not allowed. So any plan to package and publish it as it would be helpful

Aswathy

It would be very helpful if you could add tags. This would make it easier to keep track and include graphql-cop into distributions.

Thanks

Currently there is no license statement. Could you please add a LICENSE file that contains the license text. Shipping the LICENSE file is a requirement for some distributions (e.g., Fedora).

Thanks.

I tried several times both on local and real URLs but did not succeed. The error is like the following.

Ps: the project is on and lives in port 1003.

x@Mac graphql-cop % python3 graphql-cop.py -t http://192.168.1.2:1003/graphql
Traceback (most recent call last):
  File "/path/to/folder/graphql-cop/graphql-cop.py", line 64, in <module>
    if field_suggestions(url, proxy, HEADERS):
TypeError: field_suggestions() takes 1 positional argument but 3 were given

Hi Dolev,

I've just found this new tool of yours and it looks pretty cool!
I've tested it on an assessment I had at work and I've found minor things that could be improved - of course it works perfectly on dvga!
I'll see if I can submit some little PRs if I find the time

Quick question: looking at info_trace_mode.py, I am not able to understand what it looks for in order to decide if trace mode is enable.
Would you mind to explain?
I tried to alter the related query to:
{"query": "query { __typenaaame }"}

and I get on dvga:
HTTP/1.1 400 BAD REQUEST
Content-Type: application/json
Content-Length: 117
Date: Fri, 19 Aug 2022 18:53:39 GMT

{"errors":[{"message":"Cannot query field "__typenaaame" on type "Query".","locations":[{"line":1,"column":9}]}]}

But it's still not flagged as an issue.
I am not sure how these lines work, to be honest:
try:
if gql_response.json().get('errors', {}).get('extensions', {}).get('tracing'):
res['result'] = True
elif gql_response.json().get('errors', {}).get('extensions', {}).get('exception', None):
res['result'] = True
elif 'stacktrace' in str(gql_response.json()).lower():
res['result'] = True
except:
pass

Thank you for another awesome tool and for dvga v2!

Every time I run the command python3 graphql-cop -t {target IP} i get this output. I am not sure what to do please advise.

Traceback (most recent call last):
File "/home/hapihacker/tools/graphql-cop/graphql-cop.py", line 101, in
json_output.append(test(path, proxy, HEADERS, options.debug_mode))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/hapihacker/tools/graphql-cop/lib/tests/dos_field_duplication.py", line 22, in field_duplication
res['curl_verify'] = curlify(gql_response)
^^^^^^^^^^^^^^^^^^^^^
File "/home/hapihacker/tools/graphql-cop/lib/utils.py", line 9, in curlify
req = obj.request
^^^^^^^^^^^
AttributeError: 'dict' object has no attribute 'request'

Hi Doleh,

do you think graphql-cop should use the Accept: application/json header by default instead of */* ?
As I mentioned previously, the environment where I tested would immediately error out if the Accept header was not application/json.

Additionally, have you noticed that running it against DVGA does not return the GraphiQL IDE finding unless Accept is set to text/html ?
We can override the header with -H, but I was thinking of setting it by default in the info_graphiql.py check.
Two lines of codes for a PR: one before the check to set it and one before the end to remove it, if you want :)

Fix is_graphql function to better handle anomalies in responses

The following code at line 87:

for path in paths:
    if not is_graphql(path, proxy, HEADERS):
        print(path, 'does not seem to be running GraphQL.')
        continue
    for test in tests:
        json_output.append(test(path, proxy, HEADERS))

Is not finding graphql endpoints that are clearly present.

If I comment out the if not is_graphql statement and run the tests, the tests are successful.