Some GraphQL APIs have disabled introspection. For example, Apollo Server disables introspection automatically if the NODE_ENV environment variable is set to production.
Clairvoyance allows us to get GraphQL API schema when introspection is disabled. It produces schema in JSON format suitable for other tools like GraphQL Voyager, InQL or graphql-path-enum.
$ git clone https://github.com/nikitastupin/clairvoyance.git
$ cd clairvoyance
$ pip3 install -r requirements.txt
$ python3 -m clairvoyance --help
$ python3 -m clairvoyance -vv -o /path/to/schema.json -w /path/to/wordlist.txt https://swapi-graphql.netlify.app/.netlify/functions/index
$ docker run --rm nikitastupin/clairvoyance --help
# Assuming the wordlist.txt file is found in $PWD
$ docker run --rm -v $(pwd):/tmp/ nikitastupin/clairvoyance -vv -o /tmp/schema.json -w /tmp/wordlist.txt https://swapi-graphql.netlify.app/.netlify/functions/index
You can refer to 2nd half of GraphQL APIs from bug hunter's perspective by Nikita Stupin talk for detailed description.
There are at least two approaches:
- Use general English words (e.g. google-10000-english).
- Create target specific wordlist by extracting all valid GraphQL names from application HTTP traffic, from mobile application static files, etc. Regex for GraphQL name is
[_A-Za-z][_0-9A-Za-z]*.
In case of question or issue with clairvoyance please refer to wiki or issues. If this doesn't solve your problem feel free to open a new issue.
Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change. For more information about tests, internal project structure and so on refer to Development wiki page.