fluidasserts.proto.graphql module

This module allows checking for GraphQL-specific vulnerabilities.

fluidasserts.proto.graphql.accepts_introspection(url, *args, **kwargs)

Check if GraphQL is implemented in a way that allows for introspection.

Pass cookies or special headers through kwargs if needed. Do not use the json, data, or files parameters; the check sets them itself.

Parameters
  • url (str) – GraphQL endpoint to test.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result
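What this check probes for is whether the endpoint answers the standard introspection query (one that asks for __schema). The following is an added example, not fluidasserts' own code: it builds that query as the JSON body a client would POST, and reads the answer into the type and field signatures an attacker would learn. The two responses at the bottom are constructed (the "disabled" one is modelled on the kind of error a server returns when introspection is turned off), so the example runs offline.

```python
"""Added example (not fluidasserts code): the introspection query behind
accepts_introspection, and how to read the server's answer."""
import json

# The standard introspection query, trimmed to schema, types, fields and args.
INTROSPECTION_QUERY = """
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    types {
      kind name
      fields {
        name
        args { name type { kind name ofType { kind name ofType { kind name } } } }
        type { kind name ofType { kind name ofType { kind name } } }
      }
    }
  }
}
"""


def introspection_payload():
    """JSON body to POST to the endpoint, e.g. requests.post(url, json=...)."""
    return {"query": INTROSPECTION_QUERY}


def render_type(t):
    """Render a type reference the way SDL does: [User], ID!, String."""
    if t is None:
        return "?"
    if t["kind"] == "NON_NULL":
        return render_type(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + render_type(t["ofType"]) + "]"
    return t["name"]


def summarize_introspection(response):
    """Return {"enabled": bool, "types": {type name: [field signatures]}}.

    Introspection counts as enabled only if data.__schema.types came back;
    an errors-only answer (or data: null) means the server refused it.
    """
    schema = (response.get("data") or {}).get("__schema")
    if not isinstance(schema, dict) or not schema.get("types"):
        return {"enabled": False, "types": {}}
    types = {}
    for t in schema["types"]:
        # Skip the __Schema/__Type meta types and field-less scalars/enums.
        if t["name"].startswith("__") or not t.get("fields"):
            continue
        sigs = []
        for f in t["fields"]:
            args = ", ".join(f"{a['name']}: {render_type(a['type'])}"
                             for a in f.get("args") or [])
            ret = render_type(f["type"])
            sigs.append(f"{f['name']}({args}): {ret}" if args else f"{f['name']}: {ret}")
        types[t["name"]] = sigs
    return {"enabled": True, "types": types}


# Constructed responses (not captured from a real server).
ENABLED_RESPONSE = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "users", "args": [],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}]},
        {"kind": "OBJECT", "name": "User", "fields": [
            {"name": "id", "args": [],
             "type": {"kind": "NON_NULL", "name": None,
                      "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}},
            {"name": "passwordHash", "args": [],
             "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "deleteUser",
             "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": None,
                       "ofType": {"kind": "SCALAR", "name": "ID", "ofType": None}}}],
             "type": {"kind": "SCALAR", "name": "Boolean", "ofType": None}}]},
        {"kind": "OBJECT", "name": "__Schema", "fields": [
            {"name": "types", "args": [],
             "type": {"kind": "LIST", "name": None,
                      "ofType": {"kind": "OBJECT", "name": "__Type", "ofType": None}}}]},
        {"kind": "SCALAR", "name": "String", "fields": None},
    ]}}}
DISABLED_RESPONSE = {"errors": [{"message": "Introspection is not allowed"}],
                     "data": None}

if __name__ == "__main__":
    print(json.dumps(summarize_introspection(ENABLED_RESPONSE), indent=2))
    print(json.dumps(summarize_introspection(DISABLED_RESPONSE), indent=2))
```

The summary is the reason this counts as a finding: an enabled endpoint hands over every operation name and argument type (here, that there is a deleteUser(id: ID!) mutation and a passwordHash field on User) without any prior knowledge of the application.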

fluidasserts.proto.graphql.do_query(url, query, *args, **kwargs)

Make a generic query to a GraphQL instance.

Return type

None

fluidasserts.proto.graphql.has_dos(url, query, num, timeout, *args, **kwargs)

Check if GraphQL is implemented in a way that allows for a DoS.

The method will perform num asynchronous requests and consider it a DoS if any of the requests exceeds the timeout.

Use an expensive query (one that takes the server some processing time to answer).

Start with one request, then two, then three, and so on until the server starts taking noticeably longer to respond. Avoid launching one million requests at once or you could really damage the server.

Pass cookies or special headers through kwargs if needed. Do not use the json, data, or files parameters; the request body is built from your query.

Parameters
  • url (str) – GraphQL endpoint to test.

  • query (str) – A GraphQL query (see the tests for examples).

  • num (int) – Number of simultaneous requests to make.

  • timeout (float) – Max number of seconds to wait for a response.

  • *args – Optional arguments for HTTPSession.

  • **kwargs – Optional arguments for HTTPSession.

Return type

fluidasserts.Result
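The burst-and-timeout logic described above, together with the ramp-up the text recommends, as an added example that is not fluidasserts' own code. The network is replaced by a simulated server (an assumption made so the example runs offline) whose response time grows with the number of requests in flight; the nested query is a constructed stand-in for an expensive one. The ramp stops at the first num that produces a timeout and is capped by max_num, so it never fires the "one million requests" the text warns against.

```python
"""Added example (not fluidasserts code): num concurrent requests with a
per-request timeout, plus a capped ramp-up to find where a server degrades."""
import asyncio
import time

# Constructed stand-in for an "expensive" query: deeply nested relations.
EXPENSIVE_QUERY = """
{ users { friends { friends { friends { posts { comments { author { name } } } } } } } }
"""


class SimulatedServer:
    """Assumed model of the endpoint: latency = base_latency * requests in flight."""

    def __init__(self, base_latency=0.1):
        self.base_latency = base_latency
        self.inflight = 0

    async def send(self, query):
        self.inflight += 1
        try:
            # Each request is slowed by everything already being processed.
            await asyncio.sleep(self.base_latency * self.inflight)
            return {"data": {"users": []}}
        finally:
            self.inflight -= 1


async def burst(send, query, num, timeout):
    """Fire num requests at once. DoS suspected if any one exceeds timeout.

    Returns (dos_suspected, [(status, seconds), ...]).
    """
    async def one():
        start = time.monotonic()
        try:
            await asyncio.wait_for(send(query), timeout)
            return ("ok", round(time.monotonic() - start, 3))
        except asyncio.TimeoutError:
            return ("timeout", round(time.monotonic() - start, 3))

    results = await asyncio.gather(*(one() for _ in range(num)))
    return any(status == "timeout" for status, _ in results), results


def run_burst(send, query, num, timeout):
    """Synchronous wrapper around burst() for scripts and tests."""
    return asyncio.run(burst(send, query, num, timeout))


def find_dos_threshold(send, query, timeout, max_num=10):
    """Ramp num from 1 upward, as the docs recommend, and return the first
    num at which a request times out; None if max_num is reached safely."""
    for num in range(1, max_num + 1):
        dos, _ = run_burst(send, query, num, timeout)
        if dos:
            return num
    return None


if __name__ == "__main__":
    server = SimulatedServer(base_latency=0.1)
    print("threshold:", find_dos_threshold(server.send, EXPENSIVE_QUERY, timeout=0.45))
    print(run_burst(server.send, EXPENSIVE_QUERY, num=3, timeout=0.45))
```

With the simulated server the fifth concurrent request sleeps 0.5 s, so a 0.45 s timeout flags a DoS at num=5 while four requests still pass; against a real endpoint, the same ramp tells you how little concurrency an unbounded expensive query needs before latency blows up.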

async fluidasserts.proto.graphql.query_async(url, query, *args, **kwargs)

Make a generic query to a GraphQL instance.

Return type

None