Fingerprinting crashes - possibly due to large Auth. Header?
Sorren1969 opened this issue · comments
Hello @dolevf,
I have been trying to fingerprint a graphql endpoint (sandboxed) for as part of a bug bounty program, but it keeps crashing:
~/graphw00f$ python main.py -f -t https://app.sandbox.xxxxxxxx.com/graphql
+-------------------+
| graphw00f |
+-------------------+
*** ***
** **
** **
+--------------+ +--------------+
| Node X | | Node Y |
+--------------+ +--------------+
*** ***
** **
** **
+------------+
| Node Z |
+------------+
graphw00f - v1.1.3
The fingerprinting tool for GraphQL
Dolev Farhi <dolev@lethalbit.com>
[] Checking if GraphQL is available at https://app.sandbox.xxxxxxxx.com/graphql...
[!] Found GraphQL.
[] Attempting to fingerprint...
Traceback (most recent call last):
File "/home/andrew/graphw00f/main.py", line 153, in
main()
File "/home/andrew/graphw00f/main.py", line 129, in main
result = g.execute(url)
File "/home/andrew/graphw00f/graphw00f/lib.py", line 52, in execute
elif self.engine_graphene():
File "/home/andrew/graphw00f/graphw00f/lib.py", line 147, in engine_graphene
if error_contains(response, 'Syntax Error GraphQL (1:1)'):
File "/home/andrew/graphw00f/graphw00f/helpers.py", line 32, in error_contains
err_message = i.get(part, '')
AttributeError: 'str' object has no attribute 'get'
To get anything sensible out of this endpoint, large authorization tokens are required (token is length 992 chars) and I wondered if this might be the root cause (but I maybe wrong). I have been using the long API keys successfully with Altair and configured one of these in conf.py. graphw00f runs fine against a localhost graphql installation.
Cheers.
Is there an endpoint you can share that I can test graphw00f with? otherwise it will be challenging to replicate it
Also, since you mentioned authorization - have you tried adding the necessary headers and cookies to conf.py ?
Thanks for getting back to me.
Yes. The header has been placed in conf.py. The only unusual thing about it is the size (992 characters). I have a local app that has a GraphQL interface requiring a (smaller) JWT cookie. I will attempt to get that working with a fresh conf.py to be sure I am not doing something silly and get back to you in a few hours either way.
If it still seems to be a Graphw00f problem, I think it shouldn't be too difficult to get you access.
Sorry if I am being a bit reticent - I'm still in "slightly competitive Bug Bounty mode" as I have come across a program with a GraphQL interface that allows introspection (albeit with the large API key) for which a very low number of issues have so far been found, so I want to give it my best shot before drawing too much public attention to it ;-)
Cheers.
I don't necessarily think its the header's length size, based on your observations and error output it seems to me that graphw00f is receiving a non-standard GraphQL response from the target application.
If you modify the following file and place a print(response, word_to_match) between lines 28 and 29, it may help me debug this.
https://github.com/dolevf/graphw00f/blob/main/graphw00f/helpers.py#L28-L29
Otherwise if you have a target application I can test, you can also send it to me privately over twitter or email.
Hey there @Sorren1969,
I will keep this ticket open until EOD and close it if no action is required on my end. Thanks.