
aitkhouya/gqlstrike

GQLStrike

GraphQL security auditing tool with heuristic analysis and optional Ollama-powered reporting.

Demo

Placeholder: add a screen recording to docs/demo.gif (e.g. gqlstrike scan --url … --no-ai).

Disclaimer

Authorized testing only. Use GQLStrike only on systems you own or have explicit written permission to assess. Unauthorized scanning may violate law and policy.

Features

  • Introspection with full schema dump; when introspection is disabled, suggestion-based field enumeration driven by the server's "Did you mean …" error messages.
  • Fuzzing: IDOR/BOLA-style ID substitution, mass-assignment probes, auth-header bypass attempts, JSON batching detection, variable injection probes.
  • Analysis: response size/structure comparison, verbose GraphQL error detection, heuristic CVSS-like scores and confidence levels.
  • AI reports: qwen2.5-coder:7b via local Ollama with template fallback if the API is down.
  • CLI: Click + Rich (progress, colored severity table), --proxy for Burp, --delay for rate limiting, optional robots.txt respect.
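The introspection, suggestion-enumeration and verbose-error heuristics named in the Features list, as an added example that is not GQLStrike's own code: it classifies constructed GraphQL JSON responses (assumed graphql-js style error shapes) so a team can confirm that their own endpoint's hardening really suppresses these signals. The sample responses and the `analyze_response` helper are this example's assumptions, not the project's API.

```python
import json
import re
from typing import Any

# Constructed sample responses for the check; not captured from any real server.
SAMPLE_RESPONSES = {
    "introspection_enabled": json.dumps(
        {"data": {"__schema": {"types": [{"name": "User"}, {"name": "Query"}]}}}
    ),
    "suggestion_leak": json.dumps({"errors": [{
        "message": 'Cannot query field "usr" on type "Query". '
                   'Did you mean "user" or "users"?'}]}),
    "verbose_error": json.dumps({"errors": [{
        "message": "Internal error",
        "extensions": {"exception": {"stacktrace": [
            "Error: boom", "at resolve (/app/src/resolvers.js:42:11)"]}}}]}),
    "hardened": json.dumps({"errors": [{
        "message": "GraphQL introspection is not allowed",
        "extensions": {"code": "GRAPHQL_VALIDATION_FAILED"}}]}),
}

SUGGESTION_RE = re.compile(r"Did you mean (.*)")   # graphql-js phrasing (assumed)
QUOTED_NAME_RE = re.compile(r'"([^"]+)"')
VERBOSE_KEYS = {"exception", "stacktrace", "stack", "trace"}


def _has_verbose_key(obj: Any) -> bool:
    """Walk nested error extensions looking for exception/stack-trace keys."""
    if isinstance(obj, dict):
        return any(k.lower() in VERBOSE_KEYS or _has_verbose_key(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_has_verbose_key(v) for v in obj)
    return False


def analyze_response(raw: str) -> dict[str, Any]:
    """Classify one GraphQL JSON response body: introspection exposed,
    field names leaked via suggestions, and verbose error extensions."""
    body = json.loads(raw)
    findings: dict[str, Any] = {
        "introspection_enabled": False, "suggested_fields": [], "verbose_errors": False}
    data = body.get("data") or {}
    if isinstance(data, dict) and "__schema" in data:
        findings["introspection_enabled"] = True
    for err in body.get("errors") or []:
        match = SUGGESTION_RE.search(err.get("message", ""))
        if match:   # every quoted name after "Did you mean" is a leaked field
            findings["suggested_fields"].extend(QUOTED_NAME_RE.findall(match.group(1)))
        if _has_verbose_key(err.get("extensions") or {}):
            findings["verbose_errors"] = True
    return findings
```

A response that is clean on all three keys is what a hardened endpoint should return for an unknown field or an introspection query.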

Requirements

  • Python 3.10+
  • Optional: Ollama at http://localhost:11434 with qwen2.5-coder:7b pulled (ollama pull qwen2.5-coder:7b)

Installation

cd GQLStrike
python -m venv .venv
.venv\Scripts\activate
pip install -r requirements.txt
pip install -e .

Usage

# Basic scan (uses Ollama if available)
gqlstrike scan --url https://target.com/graphql

# Custom headers (repeat --headers for multiple)
gqlstrike scan --url https://target.com/graphql --headers "Authorization: Bearer TOKEN"

# Custom IDOR wordlist (JSON with a "values" array, see gqlstrike/payloads/idor.json)
gqlstrike scan --url https://target.com/graphql --wordlist custom_payloads.json --output report.md

# Burp Suite upstream proxy
gqlstrike scan --url https://target.com/graphql --proxy http://127.0.0.1:8080

# Rate limiting between requests
gqlstrike scan --url https://target.com/graphql --delay 0.5

# Respect robots.txt (aborts if disallowed for the GraphQL path)
gqlstrike scan --url https://target.com/graphql --respect-robots

# Template-only report (no LLM)
gqlstrike scan --url https://target.com/graphql --no-ai --json-out findings.json

Module invocation

python -m gqlstrike scan --url https://example.com/graphql --no-ai

Project layout

gqlstrike/
├── core/
│   ├── introspection.py
│   ├── fuzzer.py
│   ├── analyzer.py
│   └── ai_reporter.py
├── payloads/
│   ├── idor.json
│   ├── injection.json
│   └── auth_bypass.json
├── output/
│   └── reporter.py
├── cli.py
└── ...

License

MIT — see LICENSE.
