dolevf / graphw00f

graphw00f is GraphQL Server Engine Fingerprinting utility for software security professionals looking to learn more about what technology is behind a given GraphQL endpoint.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Fingerprinting crashes - possibly due to large Auth. Header?

Sorren1969 opened this issue · comments

Hello @dolevf,

I have been trying to fingerprint a graphql endpoint (sandboxed) for as part of a bug bounty program, but it keeps crashing:

~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql

            +-------------------+
            |     graphw00f     |
            +-------------------+
              ***            ***
            **                  **
          **                      **
+--------------+              +--------------+
|    Node X    |              |    Node Y    |
+--------------+              +--------------+
              ***            ***
                 **        **
                   **    **
                +------------+
                |   Node Z   |
                +------------+

            graphw00f - v1.1.3
      The fingerprinting tool for GraphQL
       Dolev Farhi <dolev@lethalbit.com>

[] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql...
[!] Found GraphQL.
[
] Attempting to fingerprint...
Traceback (most recent call last):
File "/home/andrew/graphw00f/main.py", line 153, in
main()
File "/home/andrew/graphw00f/main.py", line 129, in main
result = g.execute(url)
File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute
elif self.engine_graphene():
File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene
if error_contains(response, 'Syntax Error GraphQL (1:1)'):
File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains
err_message = i.get(part, '')
AttributeError: 'str' object has no attribute 'get'

To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I maybe wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost graphql installation.

Cheers.

Is there an endpoint you can share that I can test graphw00f with? otherwise it will be challenging to replicate it

Also, since you mentioned authorization - have you tried adding the necessary headers and cookies to conf.py ?

Thanks for getting back to me.

Yes. The header has been placed in conf.py. The only unusual thing about it is the size (992 characters). I have a local app that has a GraphQL interface requiring a (smaller) JWT cookie. I will attempt to get that working with a fresh conf.py to be sure I am not doing something silly and get back to you in a few hours either way.

If it still seems to be a Graphw00f problem, I think it shouldn't be too difficult to get you access.

Sorry if I am being a bit reticent - I'm still in "slightly competitive Bug Bounty mode" as I have come across a program with a GraphQL interface that allows introspection (albeit with the large API key) for which a very low number of issues have so far been found, so I want to give it my best shot before drawing too much public attention to it ;-)

Cheers.

I don't necessarily think its the header's length size, based on your observations and error output it seems to me that graphw00f is receiving a non-standard GraphQL response from the target application.

If you modify the following file and place a print(response, word_to_match) between lines 28 and 29, it may help me debug this.

https://github.com/dolevf/graphw00f/blob/main/graphw00f/helpers.py#L28-L29

Otherwise if you have a target application I can test, you can also send it to me privately over twitter or email.

Hey there @Sorren1969,

I will keep this ticket open until EOD and close it if no action is required on my end. Thanks.