NullAILab/graphql-security-tester
GitHub: NullAILab/graphql-security-tester
A zero-dependency Python GraphQL endpoint security scanner that checks for seven common classes of security issue in one run: introspection exposure, depth DoS, batch attacks, authorization bypass and more.
Stars: 0 | Forks: 0
# GraphQL Security Tester

Automated GraphQL endpoint security scanner. Runs 7 attack checks against any GraphQL API, with no third-party libraries: standard-library HTTP only.
## Example Output
```
══════════════════════════════════════════════════════════
GraphQL Security Tester — Scan Report
══════════════════════════════════════════════════════════
Endpoint : http://api.example.com/graphql
Findings : 3
HIGH : 1
MEDIUM : 2
LOW : 0
[C04] 🔴 Batch Query Attack (Rate Limit Bypass)
Severity : HIGH
Description : The server executed 50 operations in a single batched request.
Evidence : Batch of 50 queries: 50 succeeded
Fix : Disable query batching. If needed, limit batch size to ≤5.
[C01] 🟠 Introspection Enabled
Severity : MEDIUM
Description : The GraphQL endpoint responds to introspection queries, exposing the full API schema.
Evidence : Schema exposes 34 types
Fix : Disable introspection in production (introspection=False).
[C03] 🟠 Unbounded Query Depth
Severity : MEDIUM
Evidence : Depth-15 query succeeded (no depth limit error)
Fix : Add query depth limiting middleware. Recommended max depth: 10–15.
```
## Checks
| ID | Attack | Severity |
|-----|--------|----------|
| C01 | Introspection enabled: the full schema is public to anyone | MEDIUM |
| C02 | Field suggestion leak: error messages contain valid field names | LOW |
| C03 | Unbounded query depth: exponential database load | MEDIUM |
| C04 | Batch query attack: bypasses per-request rate limits | HIGH |
| C05 | Authorization bypass: fields accessible without an auth token | HIGH |
| C06 | Argument injection: SQL/NoSQL/path traversal | HIGH |
| C07 | Alias amplification: one request triggers N resolver calls | MEDIUM |
## Usage
```
pip install -r requirements.txt
# Run all checks against the endpoint
python -m src http://api.example.com/graphql
# Authenticated scan
python -m src http://api.example.com/graphql --auth "Bearer eyJ..."
# JSON output
python -m src http://api.example.com/graphql --format json
# Save the report
python -m src http://api.example.com/graphql --output report.json --format json
# Custom depth and batch size
python -m src http://localhost:4000/graphql --depth 20 --batch-size 100
```
The exit code is `1` if any finding of HIGH severity is reported.
## Attack Examples
**Introspection: the full schema in a single query:**
```
{ __schema { types { name fields { name type { name } } } } }
```
**Depth DoS: exponential resolver load:**
```
{ user { friends { friends { friends { friends { friends { id } } } } } } }
```
**Batch attack: 50 operations in a single HTTP request:**
```
[
{"query": "{ user(id: 1) { email } }"},
{"query": "{ user(id: 2) { email } }"},
...
]
```
**Alias amplification: 100 resolver calls from a single query:**
```
{
a0: expensiveQuery { result }
a1: expensiveQuery { result }
a99: expensiveQuery { result }
}
```
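The depth, batch-size and alias limits that the report's "Fix" lines recommend, implemented as a server-side request guard. This is an added example, not code from the graphql-security-tester project: the exact MAX_DEPTH and MAX_ALIASES thresholds are assumed, and depth is counted as nested selection sets with the root set as 1.

```python
import re

# Limits follow the scan report's "Fix" lines (batch <= 5, depth 10-15); the
# exact MAX_DEPTH and MAX_ALIASES figures are assumed for this example.
MAX_DEPTH, MAX_BATCH, MAX_ALIASES = 10, 5, 20
_STR = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')   # block or plain string
_COMMENT = re.compile(r'#[^\n]*')
_ARGS = re.compile(r'\([^()]*\)')                            # innermost argument list
_ALIAS = re.compile(r'\b\w+\s*:\s*\w+')                      # alias: field
_INTROSPECT = re.compile(r'\b__(schema|type)\b')             # __typename does not match

def _strip(query: str) -> str:
    """Blank out strings, comments and argument lists, so every brace and
    colon left behind belongs to a selection set or an alias."""
    q = _COMMENT.sub('', _STR.sub('""', query))
    while _ARGS.search(q):          # peel nested argument lists inside-out
        q = _ARGS.sub('', q)
    return q

def query_depth(query: str) -> int:
    depth = deepest = 0
    for ch in _strip(query):
        depth += {'{': 1, '}': -1}.get(ch, 0)
        deepest = max(deepest, depth)
    return deepest                  # deepest selection set; the root counts as 1

def alias_count(query: str) -> int:
    """Aliased fields are the lever behind alias amplification (C07)."""
    return len(_ALIAS.findall(_strip(query)))

def uses_introspection(query: str) -> bool:
    return _INTROSPECT.search(_strip(query)) is not None

def check_request(payload) -> list:
    """Check one decoded request body (operation dict or batch list); returns violations."""
    ops = payload if isinstance(payload, list) else [payload]
    problems = []
    if len(ops) > MAX_BATCH:
        problems.append(f'batch of {len(ops)} operations exceeds {MAX_BATCH}')
    for i, op in enumerate(ops):
        q = op.get('query', '') if isinstance(op, dict) else ''
        depth, aliases = query_depth(q), alias_count(q)
        if depth > MAX_DEPTH:
            problems.append(f'op {i}: depth {depth} exceeds {MAX_DEPTH}')
        if aliases > MAX_ALIASES:
            problems.append(f'op {i}: {aliases} aliases exceed {MAX_ALIASES}')
        if uses_introspection(q):
            problems.append(f'op {i}: introspection query rejected')
    return problems
```

Run `check_request` on the decoded JSON body before handing the request to the GraphQL executor, and reject the request when the returned list is non-empty.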
## Project Structure
```
src/
├── checks.py ← 7 attack check functions + Finding dataclass
├── client.py ← Minimal HTTP GraphQL client (stdlib only, no deps)
├── scanner.py ← Orchestrator — runs all checks, returns ScanReport
├── report.py ← Console (ANSI color) + JSON renderer
└── __main__.py ← CLI entry point
tests/
└── test_graphql_tester.py ← 50 tests
```
## Tests
```
pytest tests/ -v
```
## References
- [OWASP GraphQL Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/GraphQL_Cheat_Sheet.html)
- [InQL: GraphQL security scanner](https://github.com/doyensec/inql)
- [HackTricks: GraphQL](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/graphql)
- [GraphQL Security: Escape.tech](https://escape.tech/blog/graphql-security/)
## License
MIT