New features

README.md

@@ -1,37 +1,87 @@
 # GraphQL-Scripts
 
-This repository contains a series of useful scripts for pentesting GraphQL endpoints.
+This repository contains a set of small utilities to help with security testing and exploration of GraphQL endpoints.
 
-## Basic Information
+Included tools
+- qGen — interactive Query Generator: lists schema methods and generates full GraphQL queries (selection sets) for a chosen method.
+- effuzz — Endpoint Fuzzer: enumerates query/mutation names from a schema and performs lightweight requests to identify methods you can call (ffuf-like for GraphQL).
+- sqli — SQLi Detector helper: probes string arguments for SQL injection indicators and writes sqlmap marker files for reproducible testing.
 
-This repository contains two scripts: [qGen.py](https://github.com/gitblanc/GraphQL-Scripts/tree/main/qGen) and [effuzz.py](https://github.com/gitblanc/GraphQL-Scripts/tree/main/effuzz).
-- `qGen.py` allows you to list all the methods available in your GraphQL schema and then generate a query to dump all possible information with a method (like `findAllUsers`).
-- `effuzz.py` allows you to check permissions in all the methods of your GraphQL schema (similar output to `ffuf`).
+Quick notes
+- Tools accept an introspection JSON file via `--introspection`.
+- If `--introspection` is omitted, `qGen` and `effuzz` can fetch the schema automatically from `--url` (requires the `requests` package). Automatic introspection is saved by default to `introspection_schema.json` (disable with `--no-save-introspection`).
+- Use these tools only on systems for which you have explicit authorization.
 
-## Methodology to use
+Requirements
+- Python 3.7+
+- For automatic introspection / HTTP requests: pip install requests
 
->[!Important]
->You must have previously obtained the result of an introspection query and save it to a json file like `introspection_schema.json`
-
-- You can first run `effuzz.py` to check for interesting methods allowed for your session:
+Basic workflow (recommended)
+1. Use `effuzz` to quickly determine which methods the current session can call (permission discovery).
+2. Use `qGen` to generate a full query for an interesting method and paste the result into your GraphQL client (Burp, Postman, GraphiQL, etc.).
+3. Optionally use the `sqli` helper to target string arguments for SQLi checks and produce sqlmap marker files.
 
+effuzz — quick example
+- Run with a saved introspection file:
 ```shell
-python3 effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql
+python3 effuzz/effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql
+```
 
-[redacted]
-getAllTests    [Status: 401] [Size: 32] [Words: 5] [Lines: 1]
-getAllUsers    [Status: 400] [Size: 261] [Words: 25] [Lines: 1] #<----- This indicates a malformed query, so you have permissions for this one
-getAllConfigs   [Status: 200] [Size: 48] [Words: 15] [Lines: 1] #<----- You also have permissions for this one
+- Example (sanitized) sample output:
+```text
+[✓] Introspection loaded (120 queries, 8 mutations)
+------------------------------------------------------------
+getAllTests         [Status: 401] [Size: 32]  [Words: 5]  [Lines: 1]
+getAllUsers         [Status: 400] [Size: 261] [Words: 25] [Lines: 1]   # malformed query -> server accepted request (likely allowed)
+getAllConfigs       [Status: 200] [Size: 48]  [Words: 15] [Lines: 1]   # likely accessible
+------------------------------------------------------------
+(Use --debug to dump full responses)
 ```
-
-- Once you obtained those methods which might interest you, you can run `qGen.py` and generate a query for that method:
 
+What to infer from effuzz output
+- 401 / 403: authentication/authorization required.
+- 400: GraphQL often returns 400 for malformed queries; if the server returns 400 rather than 401, it usually indicates your request reached the server (the method exists and you may have permission).
+- 200: successful request — inspect the body for `data` or `errors`.
+
+qGen — quick example
+- Run with a saved introspection file:
 ```shell
-python3 qGen.py --introspection /path/to/introspection_schema.json
+python3 qGen/qGen.py --introspection /path/to/introspection_schema.json
+```
+
+- Interactive session (sanitized):
+```text
+qGen $ listMethods
+ [1] getAllUsers
+ [2] getUserById
 
-[redacted]
 qGen $ use getAllUsers
-qGen $ genQuery
+# The full query is printed and saved to queries/getAllUsers.txt
+```
+
+Notes about qGen
+- The `use` command selects a method and immediately generates & saves the full query (no separate `genQuery` step).
+- Generated queries are saved in the `queries/` directory.
+
+sqli helper — quick example
+- Install requirements (if provided) or at minimum:
+```bash
+pip install requests
+```
+
+- Run (headers passed as JSON string is one supported way; consult script help for options):
+```bash
+python3 sqli/sqli_detector.py https://example.com/graphql '{"Authorization":"Bearer TOKEN"}'
+```
+
+- Sample (sanitized) output:
+```text
+VULNERABLE PARAMETER: username (field: user)
+Evidence: Baseline != Attack (baseline {"data": {"user": null}}, attack {"data": {"user": {"uuid": "1"}}})
+Recommended sqlmap command:
+sqlmap -r 'repro-payloads/user_username_<timestamp>_<id>_marker.http' -p "JSON[query]" --batch --skip-urlencode --parse-errors --random-agent
 ```
 
-- Now you can copy the query generated and paste it into BurpSuite, PostMan or GraphiQL.
+Security & ethics
+- These tools actively probe targets; run them only on systems you are authorized to test.
+- Inspect any generated marker files before running sqlmap or other automated tooling.

effuzz/README.md

@@ -1,62 +1,135 @@
-# Endpoint Fuzzer
+```markdown
+# Endpoint Fuzzer (effuzz)
 
-This script helps you check for methods you've got permissions in your GraphQL schema.
+This script helps you detect which GraphQL methods you may be able to call (or have permissions for) by enumerating Query/Mutation names from an introspection schema and performing lightweight checks.
 
 ```shell
 ███████╗███████╗███████╗██╗   ██╗███████╗███████╗
 ██╔════╝██╔════╝██╔════╝██║   ██║╚══███╔╝╚══███╔╝
 █████╗  █████╗  █████╗  ██║   ██║  ███╔╝   ███╔╝ 
 ██╔══╝  ██╔══╝  ██╔══╝  ██║   ██║ ███╔╝   ███╔╝  
 ███████╗██║     ██║     ╚██████╔╝███████╗███████╗
-╚══════╝╚═╝     ╚═╝      ╚═════╝ ╚══════╝╚══════╝
+╚══════╝╚═╝     ╚═╝      ╚═════╝╚══════╝╚══════╝
 ```
 
+## Overview
+
+effuzz enumerates available fields from a GraphQL schema and issues minimal GraphQL requests for each method to learn how the server responds. It is useful to quickly spot methods that accept requests (status 200/400) versus those that deny access (401/403) or cause other errors.
+
+Two modes:
+- Explicit introspection: supply a previously saved introspection JSON with `--introspection`.
+- Automatic introspection: omit `--introspection` and provide `--url`; effuzz will attempt to fetch the schema from the endpoint (requires the `requests` library). By default the fetched introspection is saved to `introspection_schema.json` (toggle with `--no-save-introspection`).
+
+Note: Use these tools only on targets you are authorized to test.
+
+## Requirements
+
+- Python 3.7+
+- requests (only required for automatic introspection / HTTP requests):
+  pip install requests
+
 ## Usage
 
->[!Important]
->You must have previously obtained the result of an introspection query and save it to a json file like `introspection_schema.json`.
+Important: either provide a local introspection JSON or let effuzz fetch it automatically from the target with `--url`.
 
-- Basic command:
+- Using a saved introspection file (explicit mode):
 
 ```shell
-python3 effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql
+python3 effuzz/effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql
 ```
 
-- If you have cookie and/or variables to anidate queries:
+- Automatic introspection (effuzz fetches the schema from the endpoint):
 
 ```shell
-python3 effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql --cookie /path/to/cookie.txt --variables /path/to/variables.json
+python3 effuzz/effuzz.py --url https://example.com/graphql \
+  -H "Authorization: Bearer TOKEN" \
+  --cookie /path/to/cookie.txt
 ```
 
-- Enable debug mode to check petitions and responses:
+- With variables file and cookie:
 
 ```shell
-python3 effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql --debug
+python3 effuzz/effuzz.py --introspection /path/to/introspection_schema.json \
+  --url https://example.com/graphql \
+  --cookie /path/to/cookie.txt \
+  --variables /path/to/variables.json
 ```
 
-- Match exact reponse status codes:
+- Enable debug to inspect request and response bodies:
 
 ```shell
-python3 effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql --mc 200,403
+python3 effuzz/effuzz.py --introspection introspection_schema.json --url https://example.com/graphql --debug
 ```
 
-- Hide responses with matching status codes:
+- Match specific response status codes (show only these):
 
 ```shell
-python3 effuzz.py --introspection /path/to/introspection_schema.json --url https://example.com/graphql --fc 200,403
+python3 effuzz/effuzz.py --introspection introspection_schema.json --url https://example.com/graphql --match-code 200,403
 ```
 
-## Available commands
-
-- You can use the following commands:
+- Filter out specific status codes (hide these):
 
 ```shell
-  --introspection     Path to the introspection JSON file
-  --url               GraphQL endpoint URL
-  -s | --silent       Only show endpoints that DO NOT return 401
-  --cookie            File containing cookie in plain text (one line)
-  --variables         JSON file with variables for the payload
-  --debug             Show full request and response
-  --match-code | -mc  Show only responses with matching status codes (e.g., 200,403,500)
-  --filter-code | -fc Hide responses with matching status codes (e.g., 401,404)
+python3 effuzz/effuzz.py --introspection introspection_schema.json --url https://example.com/graphql --filter-code 401,404
+```
+
+## Important options
+
+```text
+--introspection        Path to the introspection JSON file (optional if --url is used)
+--url                 GraphQL endpoint URL (required for automatic introspection)
+-H, --header          Add HTTP header(s) for requests; repeatable. Format: "Name: Value"
+-s, --silent          Hide responses that return 401
+--cookie              File containing cookie value (one line); ignored if Cookie provided via -H
+--variables           JSON file with variables to include in requests
+--debug               Print full request and response bodies (helps troubleshooting)
+--match-code, -mc     Show only responses with these status codes (comma separated)
+--filter-code, -fc    Hide responses that match these status codes (comma separated)
+--save-introspection  Save automatic introspection to introspection_schema.json (default)
+--no-save-introspection Do not save automatic introspection to disk
 ```
+
+## Example output
+
+A short sample run (values and counts are illustrative):
+
+```text
+$ python3 effuzz/effuzz.py --introspection introspection_schema.json --url http://94.237.63.174:57732/graphql
+
+[✓] Introspection loaded (120 queries, 8 mutations)
+------------------------------------------------------------
+getAllTests         [Status: 401] [Size: 32]  [Words: 5]  [Lines: 1]
+getAllUsers         [Status: 400] [Size: 261] [Words: 25] [Lines: 1]   # malformed query -> server accepted request
+getAllConfigs       [Status: 200] [Size: 48]  [Words: 15] [Lines: 1]   # likely accessible
+findUserByEmail     [Status: 200] [Size: 512] [Words: 80] [Lines: 3]   # returns data
+------------------------------------------------------------
+(Use --debug to dump full responses)
+```
+
+Notes on interpreting results:
+- 401 / 403: usually indicates authentication/authorization required.
+- 400: GraphQL servers commonly return 400 for syntactically invalid or semantically wrong queries – this can still mean the method exists and the server processed the request.
+- 200: successful request; check response body for `data` or `errors` to decide further steps.
+
+## Troubleshooting
+
+- Automatic introspection fails:
+  - Ensure `--url` points to the GraphQL endpoint.
+  - Provide proper auth headers with `-H "Authorization: Bearer ..."` or use `--cookie`.
+  - Check that the server accepts the introspection query (some servers disable it).
+  - If the endpoint returns non-JSON or a wrapper format, effuzz may not detect `__schema`.
+
+- Requests fail with network errors:
+  - Try increasing timeout in the code or check network connectivity/proxy settings.
+
+- Too many fields / huge schema:
+  - Consider filtering or generating smaller payloads when using the `--variables` option or modifying the request loop.
+
+## Security & ethics
+
+Only run effuzz on systems you are authorized to test. These tools are intended for legitimate security testing and research.
+
+## Further reading / next steps
+
+- Use qGen to generate full queries for interesting methods discovered by effuzz.
+- Use the sqli helper to target string arguments found in introspection for simple SQLi checks.