View Issue Details

IDProjectCategoryView StatusLast Update
0007248Kali Linux[All Projects] Queued Tool Additionpublic2021-08-31 10:06
Reportertonyg73 Assigned To 
PrioritynormalSeverityminorReproducibilityN/A
Status acknowledgedResolutionopen 
Product Version2021.2 
Target VersionFixed in Version 
Summary0007248: PSGraphQL PowerShell module - allows for testing GraphQL endpoints
Description[Name] - PSGraphQL
 

[Version] - What version of the tool should be added?

        Version 1.1.5
 

[Homepage] - Where can the tool be found online? Where to go to get more information?

                 https://github.com/anthonyg-1/PSGraphQL
             https://www.powershellgallery.com/packages/PSGraphQL/1.1.5
                    

[Download] - Where to go to get the tool? either a download page or a link to the latest version

             Can be installed from the PowerShell Gallery by executing the following command from pwsh:

             Install-Module -Name PSGraphQL -Repository PSGallery -RequiredVersion 1.1.5
            
             Links:
             https://github.com/anthonyg-1/PSGraphQL
         https://www.powershellgallery.com/packages/PSGraphQL/1.1.5
 

[Author] - Who made the tool?
                   Anthony Guimelli
           https://www.linkedin.com/in/anthony-guimelli-cissp-867b0918a/

[Licence] - How is the software distributed? What conditions does it come with?

            The software is distributed via the PowerShell Gallery and/or direct download from the module's github repo. MIT license applies: https://github.com/anthonyg-1/PSGraphQL/blob/main/LICENSE

 

[Description] - What is the tool about? What does it do?

                PSGraphQL contains a single PowerShell function, Invoke-GraphQLQuery (aliased as ‘gql’) that allows a tester to perform queries and mutations (create, update, delete) operations against any GraphQL service. Based on that, a myriad of tests can be written using Invoke-GraphQLQuery to validate the security of a GraphQL endpoint including, but not limited to:

    1. Deep recursion attack
    2. Batch attacks
    3. Introspection/enumeration
    4. SQL injection
    5. Command Injection
    6. Authorization attacks

Given that PowerShell is an object-oriented shell, Invoke-GraphQLQuery returns objects by default. This affords the user easy parsing of results. If one wishes for serialized (JSON) results, the -Raw parameter changes the return type from object to string and the results can be piped to grep or whatever other string parsing utility.

[Dependencies] - What is needed for the tool to work?

PowerShell 5.1 or above. Since Kali Linux comes with PowerShell 7.1.3, this will suffice. This module was developed on PowerShell 7.1.0 on Ubuntu 18.04 and tested on Ubuntu 20.04, Kali Linux 2021.1, Windows 10 and MacOS.

[Similar tools] - What other tools are out there?

Burp has a GraphQL plugin and Python has a few GraphQL clients. This is the only PowerShell module in the PowerShell Gallery that functions as a generic GraphQL client. Also I've yet to find another object-oriented CLI GraphQL client like this one.

[Activity] - When did the project start? Is is still actively being deployed?

                   This project started on 3/2021 and is being actively deployed.
 

[How to install] - How do you compile it? Note, using source code to acquire (e.g. git clone/svn checkout) can’t be used - Also downloading from the head. Please use a “tag” or “release” version.

This is a PowerShell module written in 100% PowerShell. To that end, compilation is not necessary. To obtain and use the module type the following from PowerShell in Kali Linux:

Install-Module -Name PSGraphQL -Repository PSGallery -RequiredVersion 1.1.5

 

[How to use] - What are some basic commands/functions to demonstrate it?

Demonstration of Invoke-GraphQLQuery can be found in the "Examples" and "Damn Vulnerable GraphQL Application Solutions" sections in the Readme here: https://github.com/anthonyg-1/PSGraphQL

If needed I can copy them here but the formatting and clarity will be lost compared to what is shown in the above markdown.

[Packaged] - Is the tool already packaged for Debian?

This tool is packaged for any system running PowerShell 5.1 and above.
Steps To Reproducen/a
Additional InformationI would be glad to demonstrate the module and answer any questions if needed.

Activities

tonyg73

2021-08-24 15:28

reporter   ~0015025

Latest release version is 1.1.6. Fixes a JSON depth deserialization issue.

Can be found here: https://www.powershellgallery.com/packages/PSGraphQL/1.1.6

More info: https://github.com/anthonyg-1/PSGraphQL

g0tmi1k

2021-08-31 10:06

administrator   ~0015055

@kali-team, please could this be packaged up.
@author, If you want to help the packaging process, you can check the documentation here ~ https://www.kali.org/docs/development/public-packaging

Issue History

Date Modified Username Field Change
2021-06-30 20:05 tonyg73 New Issue
2021-07-08 23:05 Gamb1t Assigned To => g0tmi1k
2021-07-08 23:05 Gamb1t Status new => assigned
2021-08-03 11:21 g0tmi1k Assigned To g0tmi1k =>
2021-08-03 11:22 g0tmi1k Status assigned => new
2021-08-24 15:28 tonyg73 Note Added: 0015025
2021-08-31 10:06 g0tmi1k Note Added: 0015055
2021-08-31 10:06 g0tmi1k Status new => acknowledged
2021-08-31 10:06 g0tmi1k Category New Tool Requests => Queued Tool Addition