Awesome GraphQL Security

A curated list of awesome GraphQL Security frameworks, libraries, software and resources

License: CC0-1.0 (Creative Commons Zero v1.0 Universal)


Defensive Security

Authentication & Authorization

  • GraphQL Shield - GraphQL Shield helps you create a permission layer for your application.
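GraphQL Shield is a library for exactly this pattern: rules attached to types and fields, combined with and/or/not, and a fallback rule for anything not listed. The block below is an added, dependency-free illustration of that pattern so it can be run offline; it is not GraphQL Shield's own code or API. The helper names (`rule`, `allow`, `deny`, `and`, `or`, `not`, `shield`, `guard`), the sample resolvers and the `ctx.user` shape are assumptions made for the example.

```javascript
// Added example (not GraphQL Shield's code): a minimal permission layer in the
// style GraphQL Shield provides. Helper names, resolvers and the `ctx.user`
// shape are assumptions for this illustration, not graphql-shield's API.

// A rule is a predicate over (parent, args, ctx). Combinators compose rules.
const rule = (fn) => fn;
const allow = () => true;
const deny = () => false;
const and = (...rules) => (parent, args, ctx) => rules.every((r) => r(parent, args, ctx));
const or = (...rules) => (parent, args, ctx) => rules.some((r) => r(parent, args, ctx));
const not = (r) => (parent, args, ctx) => !r(parent, args, ctx);

// Sample rules. `ctx.user` is assumed to be set by an upstream authentication
// step (a verified session or token), never from client-supplied input.
const isAuthenticated = rule((parent, args, ctx) => Boolean(ctx.user));
const isAdmin = rule((parent, args, ctx) => Boolean(ctx.user) && ctx.user.role === 'admin');
const isOwner = rule((parent, args, ctx) => Boolean(ctx.user) && args.id === ctx.user.id);

// Build authorize(typeName, fieldName, parent, args, ctx) from a permission
// map. A field absent from the map gets `fallbackRule`; keeping that at `deny`
// means a newly added resolver stays closed until someone writes a rule for it.
function shield(permissions, { fallbackRule = deny } = {}) {
  return function authorize(typeName, fieldName, parent, args, ctx) {
    const typeRules = permissions[typeName] || {};
    const chosen = Object.prototype.hasOwnProperty.call(typeRules, fieldName)
      ? typeRules[fieldName]
      : fallbackRule;
    return chosen(parent, args, ctx) === true;
  };
}

// Permission map for the constructed sample schema: who may call which field.
const authorize = shield(
  {
    Query: {
      publicStats: allow,
      me: isAuthenticated,
      user: or(isAdmin, isOwner),           // admins read anyone, users only themselves
      users: isAdmin,
    },
    Mutation: {
      deleteUser: and(isAdmin, not(isOwner)), // admins may not delete their own account
    },
  },
  { fallbackRule: deny },
);

// Wrap a resolver map so the check runs before any resolver code executes.
function guard(typeName, resolvers, authorizeFn) {
  const guarded = {};
  for (const [field, resolve] of Object.entries(resolvers)) {
    guarded[field] = (parent, args, ctx, info) => {
      if (!authorizeFn(typeName, field, parent, args, ctx)) {
        throw new Error(`Not authorised: ${typeName}.${field}`);
      }
      return resolve(parent, args, ctx, info);
    };
  }
  return guarded;
}

// Constructed sample data and resolvers (no database, no network).
const USERS = { u1: { id: 'u1', role: 'user' }, a1: { id: 'a1', role: 'admin' } };
const Query = guard('Query', {
  publicStats: () => ({ users: Object.keys(USERS).length }),
  me: (parent, args, ctx) => USERS[ctx.user.id],
  user: (parent, args) => USERS[args.id] || null,
  users: () => Object.values(USERS),
  secretReport: () => 'should never be reachable', // no rule listed -> fallback deny
}, authorize);

// Calls every guarded Query field as three different callers (each asking for
// user u1) and returns caller -> field -> 'ok' | 'denied'.
function demo() {
  const callers = { anonymous: {}, user: { user: USERS.u1 }, admin: { user: USERS.a1 } };
  const result = {};
  for (const [name, ctx] of Object.entries(callers)) {
    result[name] = {};
    for (const field of Object.keys(Query)) {
      try {
        Query[field](null, { id: 'u1' }, ctx, {});
        result[name][field] = 'ok';
      } catch (e) {
        result[name][field] = 'denied';
      }
    }
  }
  return result;
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points carry over to the real library: keep the fallback at deny (a permissive fallback silently exposes every resolver nobody wrote a rule for, such as `secretReport` above), and attach rules to the object types themselves, not only to `Query`, because in GraphQL the same object is usually reachable through several paths (the GraphQL Path Enum tool listed under Discovery exists precisely to find those paths).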

Continuous Security Testing

  • Escape - GraphQL Security - Continuous GraphQL security testing for developers. Find and fix GraphQL security flaws in CI/CD pipelines.

Security Solutions

Offensive Security

Discovery

  • GraphDNA - Fast GraphQL engine fingerprinting tool using multiple heuristics.
  • Graphinder - Blazing fast GraphQL endpoint finder using subdomain enumeration, script analysis and brute force.
  • GraphMan - Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API.
  • Graphw00f - GraphQL server engine fingerprinting utility.
  • Clairvoyance - Partial introspection fetcher: recovers parts of the schema when introspection is disabled.
  • GraphQL Path Enum - Tool that lists the different ways of reaching a given type in a GraphQL schema.

Exploitation

  • GraphCrawler - A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, and then test authorization.
  • CrackQL - GraphQL password brute-force and fuzzing utility.
  • GraphQLMap - A scripting engine to interact with a GraphQL endpoint for pentesting purposes.
  • GraphQL.Security - One-click quick security scan of your GraphQL endpoints. Free, no login required.
  • GraphQL Threat Matrix - GraphQL threat framework to research security gaps in GraphQL implementations.
  • InQL - A Burp Extension for GraphQL Security Testing.

Vulnerable Applications

  • Damn Vulnerable GraphQL Application - An intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL security.

Visualizer

Resources

Blogs

Vulnerabilities

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.

We will keep some pull requests open if we are not sure whether those libraries are awesome, you could vote for them by adding 👍 to them.


If you have any question about this opinionated list, do not hesitate to contact us @escapetechHQ on Twitter or open an issue on GitHub.