Skip to content

Latest commit

 

History

History
61 lines (41 loc) · 2.91 KB

README.md

File metadata and controls

61 lines (41 loc) · 2.91 KB
Raw

clairvoyancex

Some GraphQL APIs have disabled introspection. For example, Apollo Server disables introspection automatically if the NODE_ENV environment variable is set to production.

Clairvoyance allows us to get GraphQL API schema when introspection is disabled. It produces schema in JSON format suitable for other tools like GraphQL Voyager, InQL or graphql-path-enum.

Disclaimer

clairvoyancex is a fork from the awesome project nikitastupin/clairvoyance.

The major difference is that this project relies on httpx instead of requests for issuing HTTP requests. This allows clairvoyancex to communicate with servers that use protocol HTTP/2 by default and it is a step forward towards implementing async requests. In summary, these are the main differences from the original project:

  • Requests using httpx package;
  • Support for proxying requests;
  • HTTP/2 support;
  • Custom request method defined at command-line;
  • Custom URL parameters defined at command-line.

Installation

$ git clone https://github.com/mchoji/clairvoyancex.git
$ cd clairvoyancex
$ poetry install

If you prefer, you can also install it with pip:

$ cd clairvoyancex
$ pip install -r requirements.txt

Usage

$ poetry run python -m clairvoyancex --help

$ poetry run python -m clairvoyancex -vv -o /path/to/schema.json -w /path/to/wordlist.txt https://swapi-graphql.netlify.app/.netlify/functions/index

You can refer to 2nd half of GraphQL APIs from bug hunter's perspective by Nikita Stupin talk for detailed description.

Which wordlist should I use?

There are at least two approaches:

  • Use general English words (e.g. google-10000-english).
  • Create target specific wordlist by extracting all valid GraphQL names from application HTTP traffic, from mobile application static files, etc. Regex for GraphQL name is [_A-Za-z][_0-9A-Za-z]*.

Support

In case of question or issue with clairvoyance (original project) please refer to wiki or issues. If this doesn't solve your problem feel free to open a new issue.

Contributing

Pull requests are welcome! For more information about tests, internal project structure and so on refer to Development wiki page (original project).

License

This project is licensed under Apache License 2.0. Refer to LICENSE for more information.