Haxf4rall
  • Home
  • Become a Hacker
    • Get Started
    • Hacker Mindset
    • Roadmap
    • Simple Setup – Hacker 101
    • Types of Hackers
    • Recommended Courses
  • Boot People Offline
  • Courses
    • All Hacking Courses
    • Cyber Security School
  • CTF
    • Beginners to Advanced Guide
    • Create your own CTF box
    • Field and Resources Guide
    • Platforms & Wargames
    • Tools Used for Solving CTF
    • Writeups
  • Dark Web
    • Beginners Guide
    • Darknet Markets
    • Darkweb 101 (Anonymity Guide)
    • Dark Web OSINT Tools
    • Hacking Forums
    • Latest News
    • Onion Links
  • Hacker Gadgets
  • Hacking Books
  • Tools Directory
  • Home
  • 2022
  • July
  • 7
  • CrackQL – GraphQL Password Brute-Force And Fuzzing Utility

CrackQL – GraphQL Password Brute-Force And Fuzzing Utility

July 7, 2022 Comments Off on CrackQL – GraphQL Password Brute-Force And Fuzzing Utility
CrackQL - GraphQL Password Brute-Force And Fuzzing Utility cybersecurity ethical hacking hack android hack app hack wordpress hacker news hacking hacking tools for windows keylogger kit kitploit password brute force penetration testing pentest pentest android pentest linux pentest toolkit pentest tools spy tool kit spyware tools

CrackQL is a GraphQL password brute-force and fuzzing utility.

CrackQL is a versatile GraphQL penetration testing tool that exploits poor rate-limit and cost analysis controls to brute-force credentials and fuzz operations.

How it works?

CrackQL works by automatically batching a single GraphQL query or mutation into several alias operations. It determines the number of aliases to use based on the CSV input variables. After programmatically generating the batched GraphQL document, CrackQL then batches and sends the payload(s) to the target GraphQL API and parses the results and errors.

Attack Use Cases

CrackQL can be used for a wide range of GraphQL attacks since it programmatically generates payloads based on a list of dynamic inputs.

Defense Evasion

Unlike Burp Intruder which sends a request for each unique payload, CrackQL evades traditional API HTTP rate-limit monitoring defenses by using multiple alias queries to stuff large sets of credentials into single HTTP requests. To bypass query cost analysis defenses, CrackQL can be optimized into using a series of smaller batched operations (-b) as well as a time delay (-D).

Password Spraying Brute-forcing

CrackQL is perfect against GraphQL deployments that leverage in-band GraphQL authentication operations (such as the GraphQL Authentication Module). The below password spraying example works against DVGA with the sample-inputs/users-and-passwords.csv dictionary.

sample-queries/login.graphql

mutation {
login(username: {{username|str}}, password: {{password|str}}) {
accessToken
}
}

Two-factor Authentication OTP Bypass

It is possible to use CrackQL to bypass two-factor authentication by sending all OTP (One Time Password) tokens

sample-queries/otp-bypass.graphql

mutation {
twoFactor(otp: {{otp|int}}) {
accessToken
}
}

User Account Enumeration

CrackQL can also be used for enumeration attacks to discover valid user ids, usernames and email addresses

sample-queries/enumeration.graphql

query {
signup(email: {{email|str}}, password: {{password|str}}) {
user {
email
}
}
}

Insecure Direct Object Reference

CrackQL could be used to iterate over a large number of potential unique identifiers in order to leak object information

sample-queries/idor.graphql

query {
profile(uuid: {{uuid|int}}) {
name
email
picture
}
}

General Fuzzing

CrackQL can be used for general input fuzzing operations, such as sending potential SQLi and XSS payloads.

Inputs

CrackQL will generate payloads based on input variables defined by a CSV file. CrackQL requires the CSV header to match the input name.

sample-inputs/usernames_and_passwords.csv

username, password
admin, admin
admin, password
admin, pass
admin, pass123
admin, password123
operator, operator
operator, password
operator, pass
operator, pass123
operator, password123

Valid input types

  • str
  • int
  • float

Installation

Requirements

  • Python3
  • Requests
  • GraphQL
  • Jinja

Clone Repository

git clone [email protected]:nicholasaleks/CrackQL.git

Get Dependencies

pip install -r requirements.txt

Run CrackQL

python3 CrackQL.py -h

Configuration

Use config.py to set HTTP cookies and headers if the endpoint requires authentication.

Maintainers

  • Nick Aleks
  • Dolev Farhi

Mentions

Download CrackQL

Post navigation

CVE-2022-2274: OpenSSL Remote Code Execution Vulnerability
pywhisker: Python tool for Shadow Credentials attacks

Related Articles

PlutoCrypt Ransomware Decryptor

PlutoCrypt Ransomware Decryptor

- Hack Tools
May 27, 2023
CISA Adds CVE-2023-2868 Vulnerability to KEV Catalog

CISA Adds CVE-2023-2868 Vulnerability to KEV Catalog

- Hack Tools
May 26, 2023
PoC Exploit Released for GitLab CVE-2023-2825 Vulnerability

PoC Exploit Released for GitLab CVE-2023-2825 Vulnerability

- Hack Tools
May 26, 2023
hacker gadgets
hacker phone covers

Recent Posts

PlutoCrypt Ransomware Decryptor

PlutoCrypt Ransomware Decryptor

May 27, 2023
Galaxy Fold 4

Samsung to improve the durability of the waterdrop hinges in the foldable smartphones

May 26, 2023
CISA Adds CVE-2023-2868 Vulnerability to KEV Catalog

CISA Adds CVE-2023-2868 Vulnerability to KEV Catalog

May 26, 2023
Google releases Chrome version 111 to fix 40 security vulnerabilities

Google releases Chrome version 111 to fix 40 security vulnerabilities

May 26, 2023
PoC Exploit Released for GitLab CVE-2023-2825 Vulnerability

PoC Exploit Released for GitLab CVE-2023-2825 Vulnerability

May 26, 2023
CVE View

Mondoo v7.17.1 releases: Cloud-Native Security & Vulnerability Risk Management

February 16, 2023

Social Media Hacking

SocialPath – Track users across Social Media Platforms

SocialPath – Track users across Social Media Platforms

- Social Media Hacking
October 16, 2019October 16, 2019

SocialPath is a django application for gathering social media intelligence on specific username. It checks for Twitter, Instagram, Facebook, Reddit...

SocialScan – Check Email Address and Username Availability on Online Platforms

SocialScan – Check Email Address and Username Availability on Online Platforms

June 17, 2019
Shellphish – Phishing Tool For 18 Social Media Apps

Shellphish – Phishing Tool For 18 Social Media Apps

June 10, 2019July 27, 2019
WhatsApp Hacking using QRLJacking

WhatsApp Hacking using QRLJacking

May 2, 2019May 19, 2019
How to Hack any Facebook Account with Z-Shadow

How to Hack any Facebook Account with Z-Shadow

April 26, 2019June 29, 2020
hacker buffs

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Active Members

Submit a Tool

Hackers Handbook 2018


Grab your copy here

About Us

Haxf4rall is a collective, a good starting point and provides a variety of quality material for cyber security professionals.

Categories

  • Secure Coding
  • Documentary
  • Courses & Ebooks
  • Hack Tools
  • Hacking Tutorials
  • Mobile Hacking
  • News
  • Operating Systems
  • TOR
  • Tricks & How To’s

Active Members

Useful Links

Contact Us

Disclaimer

Privacy Policy

Submit a Tool

Copyright 2019. All rights reserved | Theme: OMag by LilyTurf Themes