CrackQL is a GraphQL password brute-force and fuzzing utility.
CrackQL is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost-analysis controls to brute-force credentials and fuzz operations.
How does it work?
CrackQL works by automatically batching a single GraphQL query or mutation into multiple alias operations. It determines the number of aliases to use based on the CSV input variables. After programmatically generating the batched GraphQL document, CrackQL batches and sends the payload(s) to the target GraphQL API and parses the results and errors.
Attack Use Cases
CrackQL can be used for a wide range of GraphQL attacks since it programmatically generates payloads based on a list of dynamic inputs.
Defense Evasion
Unlike Burp Intruder, which sends one request per unique payload, CrackQL evades traditional API HTTP rate-limit monitoring defenses by using multiple alias queries to stuff large sets of credentials into a single HTTP request. To bypass query cost-analysis defenses, CrackQL can be tuned to use a series of smaller batched operations (-b) as well as a time delay (-D).
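A server-side check a defender can place in front of the resolvers, added here as an example and not part of CrackQL: it counts how often each root field is repeated through aliases and flags documents over a threshold, so a batched login like the constructed sample below (hypothetical alias names and values) is rejected before any credential is tested.

```python
import re
from collections import Counter

# Constructed sample of the aliased shape described above: one HTTP request,
# several login attempts. Alias names and values are hypothetical.
BATCHED_LOGIN = """mutation {
  alias0: login(username: "admin", password: "admin") { accessToken }
  alias1: login(username: "admin", password: "password") { accessToken }
  alias2: login(username: "admin", password: "pass") { accessToken }
}
"""

# Whole string literals, names, and the punctuation the scanner cares about.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|[A-Za-z_][A-Za-z0-9_]*|[{}():]')


def root_field_counts(document):
    """Count root-level fields across the document's operations, keyed by the
    real (un-aliased) field name, so `a: login` and `b: login` both count as
    `login`. Argument lists are skipped; fragment bodies count like operations."""
    tokens = TOKEN.findall(document)
    counts = Counter()
    depth = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            # Skip arguments / variable definitions, including nested parens
            # and any object literals inside them.
            nesting = 1
            while nesting and i + 1 < len(tokens):
                i += 1
                nesting += {"(": 1, ")": -1}.get(tokens[i], 0)
        elif tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 1 and (tok[0].isalpha() or tok[0] == "_"):
            if i + 2 < len(tokens) and tokens[i + 1] == ":":
                i += 2  # alias: the real field name follows the colon
                tok = tokens[i]
            counts[tok] += 1
        i += 1
    return counts


def alias_abuse(document, max_per_field=5):
    """Fields repeated via aliases more than max_per_field times (empty = OK).
    Reject the request before resolvers run when this is non-empty."""
    return {f: n for f, n in root_field_counts(document).items() if n > max_per_field}
```

Pairing this with a per-account failed-login counter (rather than a per-request one) closes the remaining gap, since each alias still resolves to one credential check.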
Password Spraying and Brute-forcing
CrackQL is ideal against GraphQL deployments that use in-band GraphQL authentication operations (such as the GraphQL Authentication Module). The password spraying example below works against DVGA with the sample-inputs/users-and-passwords.csv dictionary.
sample-queries/login.graphql
mutation {
  login(username: {str}, password: {str}) {
    accessToken
  }
}
Two-factor Authentication OTP Bypass
It's possible to use CrackQL to bypass two-factor authentication by sending all OTP (One Time Password) tokens.
sample-queries/otp-bypass.graphql
mutation {
  twoFactor(otp: {int}) {
    accessToken
  }
}
User Account Enumeration
CrackQL can also be used for enumeration attacks to discover valid user IDs, usernames and email addresses.
sample-queries/enumeration.graphql
query {
  signup(email: {str}, password: {str}) {
    user {
      email
    }
  }
}
Insecure Direct Object Reference
CrackQL can be used to iterate over a large number of potential unique identifiers in order to leak object information.
sample-queries/idor.graphql
query {
  profile(uuid: {int}) {
    name
    email
    picture
  }
}
General Fuzzing
CrackQL can be used for general input fuzzing operations, such as sending potential SQLi and XSS payloads.
Inputs
CrackQL generates payloads based on input variables defined in a CSV file. CrackQL requires the CSV header to match the input name.
sample-inputs/usernames_and_passwords.csv
username, password
admin, admin
admin, password
admin, pass
admin, pass123
admin, password123
operator, operator
operator, password
operator, pass
operator, pass123
operator, password123
Valid input types
Installation
Requirements
- Python3
- Requests
- GraphQL
- Jinja
Clone Repository
git clone git@github.com:nicholasaleks/CrackQL.git
Get Dependencies
pip install -r requirements.txt
Run CrackQL
python3 CrackQL.py -h
Use config.py to set HTTP cookies and headers if the endpoint requires authentication.
Maintainers
Mentions