Attercop is an experimental Elixir-based GraphQL penetration testing and attack surface discovery tool that scans and identifies public GraphQL endpoints.
Its architecture and command-line workflow are modelled on tools such as Nmap and Metasploit.
- Introspect a GraphQL API and display field information to the end user
- Search through introspection data to identify arguments that can potentially be used in an attack
- Generate modules for automatic IDOR detection (WIP)
- Execution of suites of modules, with analysis of the results and a confidence score (WIP)
- Authentication layer
- Module generator
- Connect the existing analysis module to module configs
- Installable executable through package manager
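The two features that already work, introspecting a schema and searching the introspection data for candidate pivot arguments, are shown below as an added Python example. It is not Attercop's code (Attercop is written in Elixir); the sample introspection response, the `introspect()` helper and its URL parameter, and the trimmed introspection query are all assumptions made for the example. It also covers the case a practitioner hits first in the field: a server with introspection disabled answers with an `errors` array and no `data.__schema`, so that is checked before any searching happens.

```python
"""Introspect a GraphQL schema and list arguments that look like pivot points.

Added example, not Attercop's own code. Runs offline against a constructed
introspection response; introspect() shows the live request shape.
"""
import json
import re
import urllib.request

# Trimmed version of the standard introspection query (assumption: enough to
# see every type, its fields, and each field's arguments and return type).
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    types {
      kind name
      fields(includeDeprecated: true) {
        name
        args { name type { ...TypeRef } }
        type { ...TypeRef }
      }
    }
  }
}
fragment TypeRef on __Type {
  kind name ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


def introspect(url):
    """POST the introspection query to `url` and return the decoded JSON body."""
    body = json.dumps({"query": INTROSPECTION_QUERY}).encode()
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def render_type(t):
    """Render a nested __Type reference as GraphQL syntax, e.g. 'ID!' or '[User]'."""
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]


def parse_schema(response):
    """Return the schema's type list, or None when introspection is disabled.

    Servers with introspection turned off reply with an `errors` array and no
    `data.__schema`, so that case is handled before anything is searched.
    """
    schema = (response.get("data") or {}).get("__schema")
    if not schema:
        return None
    return schema["types"]


def find_pivot_args(types, pattern):
    """List every (type, field, arg) whose argument name matches `pattern`.

    Built-in introspection types (names starting with '__') are skipped, as
    are scalars and other types without fields.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for t in types:
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        for f in t["fields"]:
            for a in f.get("args") or []:
                if rx.search(a["name"]):
                    hits.append({"type": t["name"], "field": f["name"],
                                 "arg": a["name"],
                                 "arg_type": render_type(a["type"]),
                                 "returns": render_type(f["type"])})
    return hits


# Constructed sample data: small helpers to build __Type references, then a
# schema fragment shaped like a real introspection response (not a real API).
def scalar(name): return {"kind": "SCALAR", "name": name, "ofType": None}
def obj(name): return {"kind": "OBJECT", "name": name, "ofType": None}
def non_null(t): return {"kind": "NON_NULL", "name": None, "ofType": t}
def list_of(t): return {"kind": "LIST", "name": None, "ofType": t}


SAMPLE_RESPONSE = {"data": {"__schema": {"types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
        {"name": "user", "args": [{"name": "id", "type": non_null(scalar("ID"))}], "type": obj("User")},
        {"name": "users", "args": [{"name": "limit", "type": scalar("Int")}], "type": list_of(obj("User"))},
        {"name": "launch", "args": [{"name": "id", "type": non_null(scalar("ID"))}], "type": obj("Launch")},
    ]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
        {"name": "updateUser", "args": [{"name": "id", "type": non_null(scalar("ID"))},
                                        {"name": "email", "type": scalar("String")}], "type": obj("User")},
    ]},
    {"kind": "OBJECT", "name": "User", "fields": [
        {"name": "id", "args": [], "type": non_null(scalar("ID"))},
        {"name": "email", "args": [], "type": scalar("String")},
        {"name": "orders", "args": [{"name": "orderId", "type": scalar("ID")}], "type": list_of(obj("Order"))},
    ]},
    {"kind": "SCALAR", "name": "ID", "fields": None},
    {"kind": "OBJECT", "name": "__Schema", "fields": [
        {"name": "types", "args": [], "type": list_of(obj("__Type"))}]},
]}}}

# Constructed reply from a server that refuses introspection.
DISABLED_RESPONSE = {"errors": [{"message": "GraphQL introspection is not allowed"}]}


if __name__ == "__main__":
    types = parse_schema(SAMPLE_RESPONSE)
    for hit in find_pivot_args(types, "id"):
        print(f"{hit['type']}.{hit['field']}({hit['arg']}: {hit['arg_type']}) -> {hit['returns']}")
```

Against a live target you would replace `SAMPLE_RESPONSE` with `introspect("https://host/graphql")`; the pattern is a regular expression, so `'id'` matches `id` and `orderId` alike, while `'^id$'` restricts the search to arguments named exactly `id`.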
- Clone this repository
- Run `mix escript.build`
Once the script is built as a local binary, you can run it by calling it directly:

```shell
$ ./attercop introspect https://api.spacex.land/graphql/
...
$ ./attercop recon https://api.spacex.land/graphql/ 'id'
...
```
```
usage: attercop [--verbose] [--no-truncate] <command> [<args>]

Commands
  recon        Lists potential pivot arguments
  introspect   Fetch and display the GraphQL schema
```
Attercop was developed as a tool by the Podium Security Team.