A lightweight, modular Python suite designed for Vulnerability Assessment and Penetration Testing (VAPT) of GraphQL endpoints. This tool automates the discovery of hidden endpoints, checks for introspection vulnerabilities, and extracts sensitive mutations.
- Path Fuzzing: Automatically discovers GraphQL endpoints using a customizable `payloads.txt` wordlist.
- Introspection Check: Probes the API to determine if the schema is publicly accessible.
- Schema Dumping: Extracts the full JSON schema for offline analysis.
- Mutation Analysis: Automatically parses the schema to identify "Write" operations (Mutations) and flags sensitive keywords (e.g., delete, update, password).
- Colorized Output: Uses `colorama` for clear, readable terminal results.
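
The mutation-analysis step listed above can be reproduced offline against a dumped schema when reviewing which write operations your own API exposes. The following is an added example, not graphql-hunt's own code: it assumes the dump is a standard introspection response, and the function name, the extra keywords and the sample schema are illustrative.

```python
import json

# "delete", "update", "password" come from this page; the rest are assumed extras.
SENSITIVE_KEYWORDS = ("delete", "update", "password", "reset", "admin")

# Constructed sample: a trimmed introspection response, not output from a real API.
SAMPLE_DUMP = json.dumps({"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "RootMutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query",
         "fields": [{"name": "deleteLog", "args": []}]},
        {"kind": "OBJECT", "name": "RootMutation", "fields": [
            {"name": "createPost", "args": [{"name": "title"}]},
            {"name": "deleteUser", "args": [{"name": "id"}]},
            {"name": "changeEmail", "args": [{"name": "newPassword"}]},
            {"name": "updateProfile", "args": []},
        ]},
    ],
}}})


def find_sensitive_mutations(dump_text, keywords=SENSITIVE_KEYWORDS):
    """Return {mutation_name: [matched keywords]} for every mutation field."""
    doc = json.loads(dump_text)
    data = doc.get("data") or doc          # accept dumps with or without "data"
    schema = data.get("__schema")
    if schema is None:
        raise ValueError("not an introspection result: no __schema key")
    root = schema.get("mutationType")
    if not root:                           # read-only API: no mutation root type
        return {}
    # The mutation root can have any name, so resolve it instead of assuming "Mutation".
    root_type = next((t for t in schema.get("types", [])
                      if t.get("name") == root["name"]), {})
    report = {}
    for field in root_type.get("fields") or []:
        # Match on the field name and its argument names, e.g. changeEmail(newPassword:).
        names = [field["name"]] + [a["name"] for a in field.get("args") or []]
        haystack = " ".join(names).lower()
        report[field["name"]] = [k for k in keywords if k in haystack]
    return report


if __name__ == "__main__":
    for name, hits in find_sensitive_mutations(SAMPLE_DUMP).items():
        print(f"{'[!]' if hits else '[ ]'} {name} {hits}")
```

Only fields on the resolved mutation root are reported, so the `deleteLog` query in the sample is not flagged as a write operation.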
- Clone the repository:

```bash
git clone https://github.com/Sumit0x00/graphql-hunt
cd graphql-hunt
```

- Set up a Virtual Environment (Recommended):

```bash
python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate
```

- Install Dependencies:

```bash
pip install -r requirements.txt
```

Provide a base URL. The tool will automatically fuzz for common GraphQL paths:

```bash
python3 main.py -u https://api.example.com
```

If you already know the path, provide the full URL:

```bash
python3 main.py -u https://api.example.com/v1/graphql
```

Specify a custom filename for the schema dump:

```bash
python3 main.py -u https://api.example.com/graphql -o my_scan.json
```

This tool is for educational and ethical security testing purposes only. Always obtain proper authorization before scanning any system that you do not own.