Skip to content
Related Articles

Related Articles

Improve Article
Save Article
Like Article

Graphw00F – GraphQL fingerprinting tool for GQL endpoints

  • Last Updated : 04 Jan, 2022

Graphw00F is a free and open-source tool available on GitHub. Graphw00F is a tool that is used for finding fingerprints of the GraphQL server engines. Graphw00F can find the technology running behind the GraphQL endpoint.  Graphw00F is written in python language. You must have python language installed in your kali Linux operating system in order to use this tool. Graphw00F is a tool that is developed by taking inspiration from a famous tool called wafw00f. Graphw00F consists of 9 GraphQL engines. Graphw00F tool sends benign and malformed queries to determine the GraphQL engine which is running behind the domain network. Graphw00F will provide the necessary information about the security defenses which are running behind the scene of the domain. This type of reconnaissance is useful in the early stage of Pentesting. All 9 GraphQL engines work as modules for the Graphw00F. Graphw00F can perform and identify whether any firewall or security mechanism is activated on a network or not. On each query Graphw00F response individually. Graphw00F can filter out all the GQL endpoints and fingerprints. Security researchers also use this tool to perform reconnaissance across a network in organizations. Graphw00f is one of the best tools for auditing GQL endpoints. Installation and step-by-step tutorial of the tool are given below.

Installation

Step 1: Use the following command to install the tool from Github.

git clone https://github.com/dolevf/graphw00f.git

Step 2: Now use the following command to move into the directory of the tool.

cd graphw00f
ls

Step 3: The tool has been installed and running successfully. Now use the following command to run the tool.

python3 main.py-h 

The tool is running successfully. Now we will see examples to use the tool.

Usage

Example 1: Use the graphw00f tool to check if GraphQL is available at domain or not.

 python3 main.py -f -d -t <domain>

Here the tool is checking GraphQL point behind the domain.

Example 2: Use the graphw00f tool to check if GraphQL is available at domain or not.

python3 main.py -f -d -t <domain>

Here the tool is checking GraphQL point behind the domain. Similarly, you can refer to the above example to find the GraphQL endpoint of the domain. These GraphQL endpoints are useful in the early stages of Pentesting.

My Personal Notes arrow_drop_up
Recommended Articles
Page :

Start Your Coding Journey Now!