mirror of
https://github.com/lunchcat/sif.git
synced 2026-07-05 12:17:03 -07:00
9340a8be0e
add a yaml module that posts a minimal introspection query to common
graphql paths and flags endpoints whose schema is exposed. the matcher
keys on the json result shape ("__schema":{ and "queryType":{) instead of
the bare __schema/queryType substrings, so a disabled endpoint that echoes
the query in its error does not false-positive. scoped to post+json
requests; get-only and persisted-query endpoints are out of scope.
45 lines
927 B
YAML
45 lines
927 B
YAML
# GraphQL Introspection Detection Module
|
|
|
|
id: graphql-introspection
|
|
info:
|
|
name: GraphQL Introspection Enabled
|
|
author: sif
|
|
severity: low
|
|
description: Detects GraphQL endpoints with introspection enabled
|
|
tags: [graphql, introspection, exposure, info]
|
|
|
|
type: http
|
|
|
|
http:
|
|
method: POST
|
|
paths:
|
|
- "{{BaseURL}}"
|
|
- "{{BaseURL}}/graphql"
|
|
- "{{BaseURL}}/api/graphql"
|
|
- "{{BaseURL}}/graphql/v1"
|
|
- "{{BaseURL}}/v1/graphql"
|
|
- "{{BaseURL}}/query"
|
|
- "{{BaseURL}}/gql"
|
|
|
|
headers:
|
|
Content-Type: application/json
|
|
Accept: application/json
|
|
|
|
body: '{"query":"{__schema{queryType{name}}}"}'
|
|
|
|
matchers:
|
|
- type: regex
|
|
part: body
|
|
regex:
|
|
- '"__schema"\s*:\s*\{'
|
|
- '"queryType"\s*:\s*\{'
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: query_type
|
|
part: body
|
|
regex:
|
|
- '"queryType"\s*:\s*\{\s*"name"\s*:\s*"([^"]+)"'
|
|
group: 1
|