graphw00f

Bot User-Agent: graphw00f

⚠️ Overview

graphw00f is an open-source GraphQL security testing tool developed by the researcher known as "dolevf" and maintained on GitHub at https://github.com/dolevf/graphw00f. It is designed specifically to fingerprint GraphQL endpoints, identify backend technologies, and probe for misconfigurations and vulnerabilities in GraphQL API implementations. The tool was publicly released in 2021 and has since become a common component in offensive security assessments targeting web applications that expose GraphQL interfaces.

🔧 Technical Capabilities

graphw00f operates by sending a series of crafted HTTP requests to a target GraphQL endpoint (typically POST to /graphql or /v1/graphql) and analyzing the responses to determine the underlying GraphQL engine, such as Apollo, GraphQL-JS, Graphene, or AWS AppSync. It supports over 20 different GraphQL implementations and can detect versions and configurations. The tool performs checks for introspection query availability, which is a critical GraphQL security issue, and attempts to enumerate schema fields and types if introspection is enabled. Additionally, graphw00f tests for common GraphQL-specific attacks like denial of service via deeply nested queries, batching attacks, and alias-based resource exhaustion. It uses multiple probes including different Content-Type headers (application/json, application/graphql) and query parameters to fingerprint the server behavior. The tool outputs a detailed report of detected technologies, potential misconfigurations, and remediation recommendations. It is written in Python and requires only standard libraries, making it easy to deploy in automated scanning pipelines.

📜 History & Notable Incidents

graphw00f was first committed to GitHub in March 2021 by security researcher Dolev Farhi (dolevf). The tool quickly gained traction in the penetration testing community and has been cited in several security advisories and conference talks about GraphQL security. While graphw00f itself is a legitimate security testing tool, its use in unauthorized scanning campaigns has been linked to probes against public GraphQL APIs from companies like GitHub, Shopify, and Facebook. No specific CVEs are associated with graphw00f directly, but it is frequently used to identify CVE-2021-32764 (Apollo Server denial-of-service via deeply nested queries) and other GraphQL-related vulnerabilities. The tool's ability to fingerprint engines has been used to target specific version-dependent bugs documented in the GitHub repository's issues section.

🔍 Detection Indicators

The primary detection indicator is the User-Agent string `graphw00f/1.0` or `graphw00f/1.1` (the version may vary), sent in all HTTP requests. Behavioral fingerprints include rapid-fire requests to `/graphql` or other common GraphQL paths with unusual query parameters such as `?query=` carrying large payloads that contain nested aliases or duplicate field names. Traffic patterns often show multiple requests with different `Content-Type` headers (e.g., `application/graphql` instead of `application/json`) and `GET` requests to the endpoint that include a `query` URL parameter – a technique used by graphw00f to test for GET-based GraphQL queries. The tool also sends probes with an `X-Apollo-Operation-Name` header to fingerprint Apollo Server specifically.
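The indicators above can be turned into a small log-scoring routine. The following is an added example, not code from this page or from the graphw00f project: it reads constructed access-log records (a simplified JSON-per-line format chosen here so the example runs offline), tags each request with the indicators it matches, and flags a source IP as "rapid-fire" when it hits GraphQL paths at least RAPID_FIRE_THRESHOLD times within RAPID_FIRE_WINDOW_SECONDS. The threshold, window and log field names are assumptions to be adapted to a real log pipeline.

```python
"""Detection heuristics for graphw00f-style GraphQL reconnaissance.

Added example (not part of the original page or the graphw00f project).
Input: constructed access-log records in a simplified JSON-per-line form
carrying the fields the detection indicators rely on.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

GRAPHQL_PATHS = ("/graphql", "/v1/graphql")   # common endpoint paths
RAPID_FIRE_THRESHOLD = 5        # assumption: tuning value for a real deployment
RAPID_FIRE_WINDOW_SECONDS = 10  # assumption: tuning value for a real deployment
UA_PATTERN = re.compile(r"^graphw00f/", re.IGNORECASE)

# Constructed sample log (one JSON record per request). Not real traffic.
SAMPLE_LOG = """\
{"ts": 1700000000, "ip": "203.0.113.7", "method": "POST", "path": "/graphql", "query": "", "ua": "graphw00f/1.1", "content_type": "application/json", "headers": {}}
{"ts": 1700000001, "ip": "203.0.113.7", "method": "POST", "path": "/graphql", "query": "", "ua": "Mozilla/5.0", "content_type": "application/graphql", "headers": {}}
{"ts": 1700000002, "ip": "203.0.113.7", "method": "GET", "path": "/graphql", "query": "query={__typename}", "ua": "Mozilla/5.0", "content_type": "", "headers": {}}
{"ts": 1700000003, "ip": "203.0.113.7", "method": "POST", "path": "/graphql", "query": "", "ua": "Mozilla/5.0", "content_type": "application/json", "headers": {"x-apollo-operation-name": "probe"}}
{"ts": 1700000004, "ip": "203.0.113.7", "method": "POST", "path": "/graphql", "query": "", "ua": "Mozilla/5.0", "content_type": "application/json", "headers": {}}
{"ts": 1700000005, "ip": "198.51.100.9", "method": "POST", "path": "/graphql", "query": "", "ua": "Mozilla/5.0", "content_type": "application/json", "headers": {}}
{"ts": 1700000100, "ip": "198.51.100.9", "method": "GET", "path": "/", "query": "", "ua": "Mozilla/5.0", "content_type": "", "headers": {}}
"""


def parse_log(text: str) -> List[dict]:
    """Parse the JSON-per-line format used by the constructed sample."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_graphql_path(path: str) -> bool:
    return path.rstrip("/") in GRAPHQL_PATHS


def classify_request(rec: dict) -> List[str]:
    """Return the per-request indicators this record matches."""
    tags = []
    if UA_PATTERN.match(rec.get("ua", "")):
        tags.append("ua:graphw00f")
    if not is_graphql_path(rec.get("path", "")):
        return tags  # the remaining indicators only apply on GraphQL paths
    if rec.get("method") == "GET" and "query=" in rec.get("query", ""):
        tags.append("get-query-param")
    if rec.get("content_type", "").lower().startswith("application/graphql"):
        tags.append("content-type:application/graphql")
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if "x-apollo-operation-name" in headers:
        tags.append("header:x-apollo-operation-name")
    return tags


def rapid_fire(timestamps: List[int]) -> bool:
    """True if THRESHOLD consecutive requests fall within the window."""
    ts = sorted(timestamps)
    for i in range(len(ts) - RAPID_FIRE_THRESHOLD + 1):
        if ts[i + RAPID_FIRE_THRESHOLD - 1] - ts[i] <= RAPID_FIRE_WINDOW_SECONDS:
            return True
    return False


def detect(records: List[dict]) -> Dict[str, List[str]]:
    """Map each source IP to the sorted list of indicators it triggered."""
    per_ip_tags = defaultdict(set)
    per_ip_ts = defaultdict(list)
    for rec in records:
        ip = rec["ip"]
        per_ip_tags[ip].update(classify_request(rec))
        if is_graphql_path(rec.get("path", "")):
            per_ip_ts[ip].append(rec["ts"])
    for ip, ts in per_ip_ts.items():
        if rapid_fire(ts):
            per_ip_tags[ip].add("rapid-fire")
    return {ip: sorted(tags) for ip, tags in per_ip_tags.items() if tags}


if __name__ == "__main__":
    for ip, tags in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, tags)
```

On the sample, only 203.0.113.7 is reported, with all five indicators; the second IP makes one ordinary POST and is left alone. Matching on the User-Agent alone is the cheapest check but also the easiest for a scanner to change, which is why the behavioral tags and the per-IP request rate are scored as well.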

☠️ Risk & Impact

If graphw00f scans succeed, an attacker can learn the exact GraphQL engine and version in use, allowing them to target known vulnerabilities specific to that implementation. For example, if introspection is enabled, the entire data schema can be extracted, exposing all queryable fields, types, and relationships – often leaking sensitive business logic and data structures. Attackers can then craft complex queries that cause denial-of-service, bypass authorization checks, or extract excessive amounts of data through batching or aliasing attacks. The tool can also identify misconfigured endpoints that accept mutations or subscriptions without proper authentication, leading to data modification or unauthorized access.

🛡️ Mitigation

graphw00f is blocked immediately on detection: its sole purpose is to fingerprint and probe GraphQL endpoints for vulnerabilities, so its presence indicates an active reconnaissance attempt against one of the most sensitive API components of modern web applications. Immediate mitigation includes blocking the source IP, disabling introspection on production GraphQL endpoints, and implementing rate limiting on all GraphQL query paths to prevent deep query analysis.
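The server-side controls named here (introspection off in production, a cap on query nesting, per-IP rate limiting) can sit in a single gate in front of the GraphQL executor. What follows is an added example, not code from this page, from graphw00f, or from any GraphQL server library: `gate()` is framework-agnostic and is called with the client IP and raw query text before the request reaches the real resolver. The depth check is a textual brace-nesting estimate with strings and comments stripped out first; that is an assumption adopted to keep the example dependency-free, and a schema-aware validator is the stronger option. MAX_DEPTH, RATE_LIMIT and the fixed-window rate-limit semantics are likewise assumptions to tune.

```python
"""Request gate applying three GraphQL mitigations before execution.

Added example; not code from the page, the graphw00f project, or any
GraphQL server. Call gate(ip, query_text, limiter) ahead of the executor.
"""
import re
import time
from typing import Dict, Tuple

MAX_DEPTH = 8                 # assumption: tuning value
RATE_LIMIT = 20               # assumption: requests per window per IP
RATE_WINDOW_SECONDS = 60      # assumption: tuning value
# __schema and __type are the introspection entry points; __typename is not.
INTROSPECTION_FIELDS = re.compile(r"\b__(?:schema|type)\b")


def strip_strings_and_comments(query: str) -> str:
    """Remove block strings, plain strings and # comments so braces and
    field names inside them cannot skew the checks below."""
    query = re.sub(r'"""[\s\S]*?"""', '""', query)
    query = re.sub(r'"(?:\\.|[^"\\])*"', '""', query)
    query = re.sub(r"#[^\n]*", "", query)
    return query


def query_depth(query: str) -> int:
    """Estimate selection-set nesting depth from brace nesting."""
    depth = max_depth = 0
    for ch in strip_strings_and_comments(query):
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth = max(depth - 1, 0)
    return max_depth


def is_introspection(query: str) -> bool:
    return INTROSPECTION_FIELDS.search(strip_strings_and_comments(query)) is not None


class RateLimiter:
    """Fixed-window request counter per client IP (assumed semantics)."""

    def __init__(self, limit: int = RATE_LIMIT, window: int = RATE_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.buckets: Dict[str, Tuple[float, int]] = {}  # ip -> (window_start, count)

    def allow(self, ip: str, now: float) -> bool:
        start, count = self.buckets.get(ip, (now, 0))
        if now - start >= self.window:   # window expired: start a fresh one
            start, count = now, 0
        count += 1
        self.buckets[ip] = (start, count)
        return count <= self.limit


def gate(ip: str, query: str, limiter: RateLimiter,
         now: float = None, production: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason). Order: rate limit first, so rejected probes
    still count against the client; then introspection; then depth."""
    now = time.time() if now is None else now
    if not limiter.allow(ip, now):
        return False, "rate limit exceeded"
    if production and is_introspection(query):
        return False, "introspection disabled in production"
    depth = query_depth(query)
    if depth > MAX_DEPTH:
        return False, f"query depth {depth} exceeds limit {MAX_DEPTH}"
    return True, "ok"


# Constructed sample queries for a stand-alone run.
INTROSPECTION_QUERY = "{ __schema { types { name } } }"
NESTED_QUERY = "{ a { b { c { d { e { f { g { h { i { j } } } } } } } } } }"
NORMAL_QUERY = 'query { user(id: "1") { name posts { title } } }'

if __name__ == "__main__":
    limiter = RateLimiter()
    for q in (INTROSPECTION_QUERY, NESTED_QUERY, NORMAL_QUERY):
        print(gate("203.0.113.7", q, limiter, now=0.0))
```

Introspection is gated on a `production` flag rather than removed outright so that development environments keep it, which is the usual split; the rate limiter runs first so that rejected introspection or over-deep queries still consume the client's budget.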


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.