Obtain GraphQL API Schema even if the introspection is not enabled
Obtain GraphQL API schema even if the introspection is disabled.
Some GraphQL APIs have disabled introspection. For example, Apollo Server disables introspection automatically if the
NODE_ENV environment variable is set to
Thanks to the contributors for their work.
pip install clairvoyance clairvoyance https://rickandmortyapi.com/graphql -o schema.json # should take about 2 minutes
docker run --rm nikitastupin/clairvoyance --help
Which wordlist should I use?
There are at least two approaches:
- Use general English words (e.g. google-10000-english).
- Create target specific wordlist by extracting all valid GraphQL names from application HTTP traffic, from mobile application static files, etc. Regex for GraphQL name is
LOG_FMT=`%(asctime)s \t%(levelname)s\t| %(message)s` # A string format for logging. LOG_DATEFMT=`%Y-%m-%d %H:%M:%S` # A string format for logging date. LOG_LEVEL=`INFO` # A string level for logging.
Due to time constraints @nikitastupin won't be able to answer all the issues for some time but he'll do his best to review & merge PRs
Pull requests are welcome! For major changes, please open an issue first to discuss what you would like to change. For more information about tests, internal project structure and so on refer to Development wiki page.
You may find more details on how the tool works in the second half of the GraphQL APIs from bug hunter's perspective by Nikita Stupin talk.
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for clairvoyance-2.5.2-py3-none-any.whl