awesome-graphql-security
API security toolkit
A curated list of security frameworks and tools for protecting GraphQL APIs
A curated list of awesome GraphQL Security frameworks, libraries, software and resources
299 stars
10 watching
22 forks
last commit: 9 months ago
Linked from 1 awesome list
Tags: awesome, awesome-list, graphql, security
Awesome GraphQL Security / Defensive Security / Authentication & Authorization

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| GraphQL Shield | 3,560 | 27 days ago | GraphQL Shield helps you create a permission layer for your application |
| GraphQL Authz | 180 | 3 months ago | GraphQL authorization layer |
Awesome GraphQL Security / Defensive Security / Continuous Security Testing

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| Escape - GraphQL Security | | | Continuous GraphQL security testing for developers. Find and fix GraphQL security flaws in the CI/CD pipeline |
| GraphQL Cop | 382 | 2 months ago | Utility to run common security tests against GraphQL APIs; can be run inside CI/CD |
Awesome GraphQL Security / Defensive Security / Middlewares

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| GraphQL Armor | 500 | 6 days ago | Highly customizable security middleware for Apollo GraphQL and Envelop servers |
Awesome GraphQL Security / Defensive Security / Security Solutions

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| WAF for GraphQL | | | Web Application Firewall for GraphQL APIs |
Awesome GraphQL Security / Neutral Security / Clients and IDEs

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| Postman | | | Postman is an API platform for developers to design, build, test and iterate their APIs |
| Insomnia | | | Design and test GraphQL APIs with ease |
| Altair | | | GraphQL client that helps you debug GraphQL queries and implementations. Also distributed as a browser extension |
| Hoppscotch | 65,598 | 3 days ago | Online REST and GraphQL client |
Awesome GraphQL Security / Neutral Security / Self-Discovery

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| GraphMan | 241 | 3 months ago | Generate a complete Postman collection from a GraphQL endpoint. Allows instant and easy discovery and exploration of the API |
Awesome GraphQL Security / Neutral Security / Visualizers

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| GraphQL Visualizer | | | Visualize a GraphQL schema |
| Voyager | 7,800 | about 1 month ago | Represent any GraphQL API as an interactive graph |
| GraphQL Inspector | 1,650 | 6 days ago | Validate schema, get schema change notifications, validate operations, find breaking changes, look for similar types, schema coverage |
| GraphQL Rover | 262 | about 1 year ago | GraphQL schema viewer for endpoints with introspection |
| CraftQL | 109 | over 1 year ago | CLI GraphQL schema viewer: view the schema diagram in the terminal or generate a Graphviz .dot file |
Awesome GraphQL Security / Offensive Security / Discovery

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| Graphinder | 190 | over 1 year ago | Blazing fast GraphQL endpoint finder using subdomain enumeration, script analysis and brute force |
| Graphw00f | 578 | about 2 months ago | GraphQL server engine fingerprinting utility |
| Clairvoyance | 1,050 | about 2 months ago | Partial introspection fetcher for when introspection is disabled (rebuilds the schema from field suggestions in error messages) |
| GraphQL Path Enum | | | Tool that lists the different ways of reaching a given type in a GraphQL schema |
| ShapeShifter | 117 | over 2 years ago | Schema extraction to a JSON file using introspection |
| Goctopus | 101 | about 1 year ago | A GraphQL endpoint discovery and fingerprinting tool |
Awesome GraphQL Security / Offensive Security / Exploitation

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| GraphCrawler | 302 | 9 months ago | A GraphQL automated security toolkit. Grab introspection, search for sensitive queries, then test authorization |
| CrackQL | 316 | 4 months ago | GraphQL password brute-force and fuzzing utility |
| GraphQLMap | 1,390 | 8 months ago | A scripting engine to interact with a GraphQL endpoint for pentesting purposes |
| GraphQL.Security | | | One-click quick security scan of your GraphQL endpoints. Free, no login required |
| GraphQL Threat Matrix | 287 | 12 months ago | GraphQL threat framework to research security gaps in GraphQL implementations |
| InQL | 1,540 | 5 months ago | A Burp extension for GraphQL security testing |
| BatchQL | 367 | almost 2 years ago | GraphQL security auditing script with a focus on performing batched GraphQL queries and mutations |
| GraphQL wordlist | 329 | about 1 year ago | The only GraphQL wordlist for pentesting you'll ever need: operations, field names, type names. Collected from more than 60k distinct GraphQL schemas |
Awesome GraphQL Security / Offensive Security / Vulnerable Applications

| Tool | Stars | Last commit | Description |
|---|---|---|---|
| Damn Vulnerable GraphQL Application | 1,505 | 10 months ago | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL security |
Awesome GraphQL Security / Resources / Academy

| Resource | Description |
|---|---|
| API Security Academy | Hands-on learning about GraphQL. Each lesson is built around a WebContainer containing a live GraphQL application, so you'll not only understand why a vulnerability is risky, but also how to exploit it and, most importantly, how to fix it |
Awesome GraphQL Security / Resources / Blogs

| Resource | Description |
|---|---|
| Access Control Best Practices for GraphQL with Authentication and Authorization | Confusion between authentication and authorization causes data leaks. Learn the difference and how to implement the right access control pattern in your GraphQL API |
| Apollo Blog | Take your GraphQL skills to the next level with free interactive GraphQL tutorials, videos, quizzes and code challenges |
| The GraphQL Security Blog | Learn about GraphQL security, performance, testing and building production-ready APIs with the latest tools and best practices of the GraphQL ecosystem |
| GraphQL for Pentesters | Introduction to basic concepts, security considerations and reconnaissance, vulnerabilities and attacks, offensive tools |
| GraphQL security for decentralized applications (DApps): challenges and best practices | Security challenges and best practices for GraphQL APIs that serve decentralized applications (DApps) |
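The access-control post above turns on one distinction: checking that a caller is logged in (authentication) says nothing about whether that caller may see the particular object they asked for (authorization); the IDOR entry in the Vulnerabilities section below is the same gap seen from the attacker's side. The following is an added example written for this page, not code from the list or from GraphQL Shield or GraphQL Authz. The invoice data, the principals, the `withObjectPermission` helper and the resolver signature `(parent, args, context, info)` are all assumptions made for the demo.

```javascript
// Added example (not code from this list or from any linked project): authentication
// versus object-level authorization in a GraphQL resolver. Data, roles and the
// resolver signature (parent, args, context, info) are constructed for the demo.

// Constructed sample data: two tenants' invoices and three principals.
const INVOICES = {
  i100: { id: 'i100', ownerId: 'u1', total: 42 },
  i200: { id: 'i200', ownerId: 'u2', total: 99 },
};
const PRINCIPALS = {
  u1: { id: 'u1', role: 'user' },
  u2: { id: 'u2', role: 'user' },
  admin: { id: 'admin', role: 'admin' },
};

class UnauthenticatedError extends Error {
  constructor() { super('UNAUTHENTICATED'); this.code = 'UNAUTHENTICATED'; }
}

// Vulnerable: the resolver only checks that *someone* is logged in, then returns
// whatever id the client asked for. Any user can enumerate every invoice (IDOR).
function invoiceResolverVulnerable(_parent, args, context) {
  if (!context.user) throw new UnauthenticatedError();
  return INVOICES[args.id] ?? null;
}

// Object-level rule: the caller may read an invoice only if they own it or are an admin.
function canReadInvoice(user, invoice) {
  return user.role === 'admin' || invoice.ownerId === user.id;
}

// Hardened: authorization is decided per object, after the object is loaded, and a
// forbidden object is reported exactly like a missing one so the API does not act
// as an existence oracle for other tenants' ids.
function invoiceResolverHardened(_parent, args, context) {
  if (!context.user) throw new UnauthenticatedError();
  const invoice = INVOICES[args.id];
  if (!invoice || !canReadInvoice(context.user, invoice)) return null;
  return invoice;
}

// Generic wrapper in the spirit of a permission layer: attach an object-level check
// to any synchronous resolver that returns a single object. Hypothetical helper,
// not the API of GraphQL Shield or GraphQL Authz.
function withObjectPermission(check, resolver) {
  return (parent, args, context, info) => {
    if (!context.user) throw new UnauthenticatedError();
    const result = resolver(parent, args, context, info);
    if (result === null || result === undefined) return null;
    return check(context.user, result) ? result : null;
  };
}

const invoiceResolverWrapped = withObjectPermission(
  canReadInvoice,
  (_parent, args) => INVOICES[args.id] ?? null,
);

// Run a resolver as a given principal (null = unauthenticated request).
function resolveAs(resolver, principalId, invoiceId) {
  const context = { user: principalId ? PRINCIPALS[principalId] : null };
  return resolver(null, { id: invoiceId }, context, null);
}

// Demo: u1 asks for u2's invoice.
console.log('vulnerable:', resolveAs(invoiceResolverVulnerable, 'u1', 'i200'));
console.log('hardened :', resolveAs(invoiceResolverHardened, 'u1', 'i200'));
```

The wrapper deliberately loads the object before deciding, because ownership lives on the object; a check that only looks at `context.user` (role-based gating of the whole field) cannot express "your invoices but not theirs" and is exactly the pattern that leaks. Returning `null` for both missing and forbidden ids keeps the error surface identical in the two cases.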
Awesome GraphQL Security / Resources / Vulnerabilities

| Resource | Description |
|---|---|
| Aliasing Attacks | Addressing the security concerns of GraphQL aliases |
| File Inclusion and Directory Traversal | File inclusion and directory traversal in GraphQL |
| GraphQL CSRF | Understanding and dealing with Cross-Site Request Forgery (CSRF) attacks in GraphQL |
| GraphQL Cyclic Queries and Depth Limiting | The relational structure of GraphQL can be abused by running deep and cyclic queries that make the API crawl under the load and crash |
| HTTPS and GraphQL | How HTTPS can prevent data leaks |
| SQL Injection | SQL injections in GraphQL |
| Verbose Errors Suggestions | When GraphQL error messages become a security issue |
| What are Insecure Direct Object References (IDOR) in GraphQL, and how to fix them | What Insecure Direct Object References (IDOR) look like in GraphQL APIs and how to fix them |
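Two of the entries above, aliasing attacks and cyclic/deep queries, are both defeated by the same kind of pre-execution gate: measure the document before it reaches the resolvers and refuse it if it nests too deeply or batches too many aliased fields. The block below is an added example written for this page, not code from the list or from GraphQL Armor or any other linked tool. It is a dependency-free text scanner, so the limit values, the sample queries and the `checkQuery`/`analyzeQuery` names are all assumptions; a production server should enforce the same limits on the parsed AST (for example with a visitor from the `graphql` package), because the scanner does not expand fragment spreads and therefore cannot see depth hidden behind `...Fragment`.

```javascript
// Added example (not code from this list, GraphQL Armor or any other linked tool):
// a dependency-free pre-execution gate that rejects documents whose selection sets
// nest too deeply or that carry too many aliases. It scans raw text, tracking
// strings, comments, parentheses and braces, instead of parsing; a real server
// should apply the same limits by walking the parsed AST.

const isNameChar = (c) => /[A-Za-z0-9_]/.test(c);

// Returns { selectionSetDepth, aliases }: the deepest nesting of `{ ... }`
// selection sets (the root selection set counts as 1) and the number of
// `alias: field` pairs. Braces and `name:` pairs inside parentheses belong to
// arguments or variable definitions, not selection sets, and are ignored.
// Fragment spreads are not expanded, so depth behind `...Fragment` is not counted.
function analyzeQuery(query) {
  let depth = 0, selectionSetDepth = 0, parenDepth = 0, aliases = 0;
  const n = query.length;
  let i = 0;
  while (i < n) {
    const c = query[i];
    if (c === '#') {                                  // comment runs to end of line
      while (i < n && query[i] !== '\n') i++;
      continue;
    }
    if (c === '"') {                                  // string or block-string literal
      if (query.startsWith('"""', i)) {
        const end = query.indexOf('"""', i + 3);
        i = end === -1 ? n : end + 3;
      } else {
        i++;
        while (i < n && query[i] !== '"') { if (query[i] === '\\') i++; i++; }
        i++;
      }
      continue;
    }
    if (c === '(') { parenDepth++; i++; continue; }
    if (c === ')') { parenDepth--; i++; continue; }
    if (parenDepth === 0) {
      if (c === '{') { depth++; if (depth > selectionSetDepth) selectionSetDepth = depth; i++; continue; }
      if (c === '}') { depth--; i++; continue; }
      if (isNameChar(c)) {
        let j = i;
        while (j < n && isNameChar(query[j])) j++;     // read the name
        let k = j;
        while (k < n && /\s/.test(query[k])) k++;      // skip whitespace after it
        if (depth >= 1 && query[k] === ':') aliases++; // `name:` inside a selection set is an alias
        i = j;
        continue;
      }
    }
    i++;
  }
  return { selectionSetDepth, aliases };
}

// Assumed policy values; tune them per schema (middleware such as GraphQL Armor
// exposes equivalent knobs).
const LIMITS = { maxDepth: 6, maxAliases: 10 };

function checkQuery(query, limits = LIMITS) {
  const { selectionSetDepth, aliases } = analyzeQuery(query);
  const reasons = [];
  if (selectionSetDepth > limits.maxDepth) reasons.push(`selection depth ${selectionSetDepth} exceeds ${limits.maxDepth}`);
  if (aliases > limits.maxAliases) reasons.push(`${aliases} aliases exceed ${limits.maxAliases}`);
  return { allowed: reasons.length === 0, reasons, selectionSetDepth, aliases };
}

// Constructed sample documents.
const BENIGN_QUERY = `query Q($id: ID!) { user(id: $id) { id name posts(first: 10) { title } } }`;
// Cyclic-type walk (User.friends -> User) nested eight selection sets deep.
const DEEP_QUERY = `{ user { friends { friends { friends { friends { friends { friends { name } } } } } } } }`;
// Alias batching: 50 login attempts in one HTTP request, one per alias, which
// sidesteps per-request rate limits on the login mutation.
const ALIAS_BRUTE_FORCE = 'mutation {\n' +
  Array.from({ length: 50 }, (_, i) => `  a${i}: login(username: "admin", password: "guess${i}") { token }`).join('\n') +
  '\n}';

for (const [name, q] of [['benign', BENIGN_QUERY], ['deep', DEEP_QUERY], ['aliases', ALIAS_BRUTE_FORCE]]) {
  console.log(name, checkQuery(q));
}
```

Run as-is, the benign query passes (depth 3, no aliases), the cyclic walk is rejected for depth 8, and the login batch is rejected for 50 aliases. Alias counting is the cheap half of the defence: a rate limiter that counts HTTP requests never sees the 50 attempts, so the limit has to be expressed in aliased fields, or better, in resolver invocations of the sensitive mutation.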