Skip to content

oslabs-beta/qevlar

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

103 Commits

__tests__

__tests__

 
 

assets

assets

 
 

scripts

scripts

 
 

src

src

 
 

.DS_Store

.DS_Store

 
 

.gitignore

.gitignore

 
 

README.md

README.md

 
 

color.js

color.js

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

qevlar

qevlar

 
 

qevlarConfig.json

qevlarConfig.json

 
 

Repository files navigation

Qevlar logo

Welcome to Qevlar

Version Maintenance

qevlar.dev

Qevlar is a dependency-free security testing library for GraphQL APIs that runs directly from your CLI. It assesses vulnerabilities to a multitude of DoS attacks, malicious SQL/NoSQL injections, and more.

Test Overview

Select test from test menu:

Easily choose which tests to run, right from your CLI, featuring built-in type checking.

Test Menu

Query depth limiting test example:

Tests each depth level up to QUERY_DEPTH_LIMIT.

Depth Limit Test Snippet

SQL injection test example:

Tests vulnerability to 100s of malicous SQL injection payloads.

SQL Test Snippet

Rate limiting test example:

Tests from INITIAL_RATE up to QUERY_RATE_LIMIT at each INCREMENT.

Rate Limit Test Snippet

Installation

npm install qevlar

Setup

  1. Run start command:
npm run qevlar
  1. To manually customize config, edit the relevant fields in qevlarConfig.json located in node_modules/qevlar. It's initialized as:
{
  "ANY_TOP_LEVEL_FIELD_ID": "",
  "API_URL": "",
  "BATCH_SIZE": 10,
  "CIRCULAR_REF_FIELD": "",
  "INCREMENT": 10,
  "INITIAL_RATE": 10,
  "NO_SQL": false,
  "QUERY_DEPTH_LIMIT": 5,
  "QUERY_RATE_LIMIT": 100,
  "SQL": false,
  "SQL_COLUMN_NAME": "",
  "SQL_TABLE_NAME": "",
  "SUB_FIELD": "id",
  "TIME_WINDOW": 1000,
  "TOP_LEVEL_FIELD": ""
}
  1. To generate qevlarConfig.json automatically, select 0 in your CLI and submit your API's URL when prompted. This will introspect your Graph QL API, aquiring field names, then automatically update qevlarConfig.json.
  2. After, select the test you want to run. Results will be displayed in your CLI!

Contributing

Contributions, issues and feature requests are welcome!

Branch management

Please submit any pull requests to the dev branch. All changes will be reviewed before merging by OSLabs and prior contributors.

Bugs and suggestions

For help with existing issues, please read our GitHub issues page. If you cannot find support in the issues page, please file a report on the same issues page.

Suggestions and other feedback are more than welcome.

Future Direction

  • Perform query cost analysis, allowing addition of cost limiting tests to the library
  • Package security solutions to these attacks in their own library
  • Introspection Tests
  • Jest/End-to-end testing
  • GUI standalone application to run tests from
  • Authentication/Authorization

Meet the team 🧑‍🚀

Joshua McDaniel GitHub | LinkedIn | Email
Conor Bell GitHub | LinkedIn | Email
Hyung Noh GitHub | LinkedIn | Email
Landon Osteen GitHub | LinkedIn | Email

We're just a couple devs who love open-source solutions.

GitHub stars are welcomed, but really we're happy just building things people want to use.

Check Qevlar out on LinkedIn here.

License

This project is ISC licensed.

About

GraphQL API security testing

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

60 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Sponsor this project

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages