noobforanonymous/graphql-scanner

Advanced GraphQL vulnerability scanner with async support, 100+ attack payloads, field fuzzing, and Burp Suite integration.

GraphQL Security Scanner

Advanced GraphQL vulnerability scanner with async support.

Created by Regaan | December 2025


Features

  • Async HTTP requests (10x faster)
  • 100+ attack payloads (SQL injection, NoSQL, XSS, command injection)
  • Introspection testing
  • Batch query attacks
  • Mutation testing
  • Field fuzzing (enumerate IDs and hidden data)
  • Burp Suite integration (proxy support)
  • Interactive CLI mode
  • HTML report generation
  • Error analysis (detect backend technologies)

Installation

git clone https://github.com/noobforanonymous/graphql-scanner.git
cd graphql-scanner
pip install -r requirements.txt

Quick Start

Basic Scan

python graphql_scanner.py https://api.example.com/graphql

With Burp Suite Proxy

python graphql_scanner.py https://api.example.com/graphql --proxy http://127.0.0.1:8080

Interactive Mode

python graphql_scanner.py --interactive https://api.example.com/graphql

Usage Examples

Example 1: Scan Public API

python graphql_scanner.py https://countries.trevorblades.com/

Output:

[*] Starting comprehensive GraphQL scan
[!] Introspection is ENABLED - Schema can be leaked!
[!] Batch attack successful! 50 queries in 0.49s
[+] Scan complete in 1.56s
[*] Found 2 vulnerabilities
[+] HTML report saved to: graphql_report.html

Example 2: Field Fuzzing

import asyncio
import aiohttp
from graphql_scanner import GraphQLScanner

async def fuzz():
    scanner = GraphQLScanner("https://api.example.com/graphql")
    # The scanner's async methods take an aiohttp session as their first argument
    async with aiohttp.ClientSession() as session:
        # Probe the "user" field for numeric IDs in the range 0 to 100 and collect those that resolve
        found_ids = await scanner.fuzz_numeric_field(session, "user", 0, 100)
        print(f"Found valid IDs: {found_ids}")

asyncio.run(fuzz())

Example 3: With Proxy

scanner = GraphQLScanner(
    "https://api.example.com/graphql",
    proxy="http://127.0.0.1:8080"  # Burp Suite
)

Vulnerability Detection

  • SQL Injection in GraphQL queries
  • NoSQL Injection
  • XSS in GraphQL fields
  • Command Injection
  • Path Traversal
  • LDAP Injection
  • Introspection enabled
  • Batch query DoS
  • Nested query DoS
  • Mutation injection

Advanced Features

Interactive Mode

GraphQL> query { users { id name } }
GraphQL> fuzz user 0 100
GraphQL> proxy http://127.0.0.1:8080
GraphQL> save
GraphQL> exit

Configuration Management

# Save configuration
scanner.save_config("my_config.json")

# Load configuration
scanner = GraphQLScanner.load_config("my_config.json")

Burp Request Parser

# Parse saved Burp request
parsed = scanner.parse_burp_request("burp_request.txt")

Requirements

  • Python 3.8+
  • aiohttp
  • requests

Contributing

Contributions welcome. Please fork the repository and submit pull requests.


License

GPL v2


Author

Regaan


Credits

Inspired by GraphQLmap and SQLMap projects.


Legal Disclaimer

IMPORTANT - READ BEFORE USE

This tool is designed for authorized security testing only.

  • DO USE on systems you own
  • DO USE with written permission
  • DO USE for authorized penetration testing
  • DO USE for bug bounty programs (within scope)
  • DO NOT USE on systems without permission
  • DO NOT USE for illegal activities
  • DO NOT USE to cause harm or damage

All security-related tools, experiments, and research are meant strictly for authorized environments.

I do not support or condone illegal use of security tooling.

Unauthorized access to computer systems is illegal under:

  • Computer Fraud and Abuse Act (CFAA) in the United States
  • Computer Misuse Act in the United Kingdom
  • Similar laws in other countries

By using this tool, you agree to use it responsibly and legally.

The author (Regaan) is not responsible for any misuse or damage caused by this tool.
