goctopus
Blazing fast graphql fingerprinting toolbox.
⚠️ Goctopus is still in very early development. Breaking changes are expected.
goctopus -a rickandmortyapi.com
.-' `'.
/ \
| ;
| | ___.--,
_.._ |0) ~ (0) | _.---'`__.-( (_.
__.--'`_.. '.__.\ '--. \_.-' ,.--'` `""`
( ,.--'` ',__ /./; ;, '.__.'` __
_`) ) .---.__.' / | |\ \__..--"" """--.,_
`---' .'.''-._.-'`_./ /\ '. \ _.-~~~````~~~-._`-.__.'
| | .' _.-' | | \ \ '. `~---`
\ \/ .' \ \ '. '-._)
\/ / \ \ `=.__`~-.
jgs / /\ `) ) / / `"".`\
, _.-'.'\ \ / / ( ( / /
`--~` ) ) .-'.' '.'. | (
(/` ( (` ) ) '-;
` '-; (-'
_
__ _ ___ ___| |_ ___ _ __ _ _ ___
/ _` |/ _ \ / __| __/ _ \| '_ \| | | / __|
| (_| | (_) | (__| || (_) | |_) | |_| \__ \
\__, |\___/ \___|\__\___/| .__/ \__,_|___/ v0.0.18
|___/ |_|
[INF] Enumerating subdomains for 'rickandmortyapi.com'
[INF] Found 5 subdomains for 'rickandmortyapi.com' in 15 seconds 276 milliseconds
INFO[0016] Done fingerprinting rickandmortyapi.com
INFO[0016] Found: {"authenticated":false,"domain":"rickandmortyapi.com","schema_status":"OPEN","source":"rickandmortyapi.com","url":"https://rickandmortyapi.com/graphql"}
INFO[0016] Done. Found 1 graphql endpoints
Usage
Using go:
go install -v github.com/Escape-Technologies/goctopus/cmd/goctopus@latest
goctopus -a example.com
Using docker:
docker run --rm -it escapetech/goctopus:latest -a example.com
Main options & features
It is recommended to use the -a flag as a shorthand to enable all the features (if you want detailed results and don't care about speed).
Input
Goctopus takes a list of addresses (endpoints and/or URLs) as input. Addresses can be specified directly on the command line or in a file.
Command line
The addresses can be specified directly on the command line, comma separated. Example:
goctopus -a example.com,https://example.com/graphql
Input file
The addresses can be specified in a file, one per line. The file path is passed with the -f flag.
Example:
example.com
https://example.com/graphql
escape.tech
https://example.com/api
goctopus -f input.txt
Introspection fingerprinting
The -introspect flag enables introspection fingerprinting. If enabled, goctopus will detect whether introspection is enabled on the graphql endpoints it finds.
Subdomain enumeration
The -subdomain flag enables subdomain enumeration. If enabled, goctopus will try to find graphql endpoints on subdomains of the given domains. The enumeration is done using subfinder.
Field suggestion fingerprinting
The -suggest flag enables field suggestion fingerprinting. This option needs introspection fingerprinting (-introspect) to be enabled.
When enabled, goctopus will try to detect whether the graphql endpoint has field suggestions enabled when introspection is closed.
This is useful for bruteforcing fields and/or types when introspection is disabled, with tools such as ClairvoyanceNext.
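The two checks described in the introspection and field suggestion sections above, written out as an added Go example (this is not goctopus' own code). It assumes the endpoint accepts a JSON POST with a "query" member, that introspection is "open" when a minimal `{ __schema { ... } }` query returns `data.__schema`, and that field suggestions are detected by sending a misspelled field and looking for a "Did you mean" hint in the error message. The mock server, its error wording, and the function names are all constructed for this example; the suggestion check only runs when introspection is closed, matching the README's description of -suggest.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Result mirrors the two checks the README describes: does the endpoint answer an
// introspection query, and, when it does not, does it still leak field suggestions.
type Result struct {
	IntrospectionOpen bool
	FieldSuggestions  bool
}

// postGraphQL sends one query as a JSON POST and decodes the response body.
func postGraphQL(client *http.Client, url, query string) (map[string]any, error) {
	body, _ := json.Marshal(map[string]string{"query": query})
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // never parse an unbounded body
	if err != nil {
		return nil, err
	}
	var out map[string]any
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, fmt.Errorf("non-JSON response from %s: %w", url, err)
	}
	return out, nil
}

// IntrospectionOpen is true when a minimal introspection query comes back with
// data.__schema populated instead of an error.
func IntrospectionOpen(client *http.Client, url string) (bool, error) {
	out, err := postGraphQL(client, url, `{ __schema { queryType { name } } }`)
	if err != nil {
		return false, err
	}
	data, _ := out["data"].(map[string]any) // indexing a nil map below is safe in Go
	_, has := data["__schema"]
	return has, nil
}

// FieldSuggestionsEnabled sends a misspelled field and looks for the "Did you mean"
// hint that graphql-js style validators append to their error messages.
func FieldSuggestionsEnabled(client *http.Client, url string) (bool, error) {
	out, err := postGraphQL(client, url, `{ __schem { queryType { name } } }`)
	if err != nil {
		return false, err
	}
	errs, _ := out["errors"].([]any)
	for _, e := range errs {
		m, _ := e.(map[string]any)
		if msg, _ := m["message"].(string); strings.Contains(msg, "Did you mean") {
			return true, nil
		}
	}
	return false, nil
}

// Fingerprint runs the introspection check first and the suggestion check only when
// introspection is closed, which is the order the README describes for -suggest.
func Fingerprint(client *http.Client, url string) (Result, error) {
	r := Result{}
	open, err := IntrospectionOpen(client, url)
	if err != nil {
		return r, err
	}
	r.IntrospectionOpen = open
	if !open {
		r.FieldSuggestions, err = FieldSuggestionsEnabled(client, url)
	}
	return r, err
}

// NewMockServer is a constructed stand-in for a GraphQL endpoint so the checks run
// offline; the error wording imitates graphql-js but is not taken from any real server.
func NewMockServer(introspection, suggestions bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		var q struct{ Query string `json:"query"` }
		_ = json.NewDecoder(req.Body).Decode(&q)
		w.Header().Set("Content-Type", "application/json")
		switch {
		case strings.Contains(q.Query, "__schema") && introspection:
			fmt.Fprint(w, `{"data":{"__schema":{"queryType":{"name":"Query"}}}}`)
		case strings.Contains(q.Query, "__schema"):
			fmt.Fprint(w, `{"errors":[{"message":"GraphQL introspection is not allowed"}]}`)
		case suggestions:
			fmt.Fprint(w, `{"errors":[{"message":"Cannot query field \"__schem\" on type \"Query\". Did you mean \"__schema\"?"}]}`)
		default:
			fmt.Fprint(w, `{"errors":[{"message":"Cannot query field \"__schem\" on type \"Query\"."}]}`)
		}
	}))
}

func main() {
	srv := NewMockServer(false, true) // introspection closed, suggestions still on
	defer srv.Close()
	r, err := Fingerprint(srv.Client(), srv.URL)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Pointing Fingerprint at your own endpoint instead of the mock shows which of the two signals it gives away: an OPEN schema is the bigger exposure, but a closed schema that still answers "Did you mean" lets the field names be recovered anyway, which is why the README pairs -suggest with -introspect.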
Output
The -o flag is used to specify the output file path. It defaults to output.jsonl.
The output file is in json-lines format. Each line corresponds to one found graphql endpoint and will contain at least the following fields:
{
"domain": "subdomain.example.com",
"authenticated": false,
"url": "https://subdomain.example.com/graphql",
"source": "example.com"
}
The authenticated field can be one of the following:
- true: The endpoint is a graphql endpoint.
- false: The endpoint is a graphql endpoint and requires authentication.
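A small consumer for the json-lines output described above, added here as an example (it is not part of goctopus). It parses output.jsonl line by line, rejects malformed lines with their line number, and summarises the results per input domain, listing the endpoints whose schema_status is OPEN. The Endpoint struct carries the four guaranteed fields plus schema_status, which appears in the README's sample run and is assumed optional here; the sample data is constructed, with the first line taken from the sample run and the other two made up.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Endpoint is one line of goctopus' json-lines output. The first four fields are the
// ones the README guarantees; schema_status shows up in the sample run and is treated
// as optional here (assumption: lines without it simply leave it empty).
type Endpoint struct {
	Domain        string `json:"domain"`
	Authenticated bool   `json:"authenticated"`
	URL           string `json:"url"`
	Source        string `json:"source"`
	SchemaStatus  string `json:"schema_status,omitempty"`
}

// Summary is what an owner reviewing a scan of their own domains wants first:
// endpoints per input domain, and which ones expose their schema.
type Summary struct {
	Total      int
	BySource   map[string]int
	OpenSchema []string // URLs whose schema_status is OPEN
	AuthFlag   []string // URLs whose authenticated field is true
}

// ParseJSONL reads one JSON object per line, skipping blank lines and failing on a
// malformed line with its number so a truncated or corrupted file is noticed.
func ParseJSONL(r io.Reader) ([]Endpoint, error) {
	var eps []Endpoint
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 1<<20) // allow long lines, but bound them
	n := 0
	for sc.Scan() {
		n++
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Endpoint
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		if e.URL == "" {
			return nil, fmt.Errorf("line %d: missing url", n)
		}
		eps = append(eps, e)
	}
	return eps, sc.Err()
}

// Summarize aggregates parsed endpoints; lists are sorted so the output is stable.
func Summarize(eps []Endpoint) Summary {
	s := Summary{BySource: map[string]int{}}
	for _, e := range eps {
		s.Total++
		s.BySource[e.Source]++
		if e.SchemaStatus == "OPEN" {
			s.OpenSchema = append(s.OpenSchema, e.URL)
		}
		if e.Authenticated {
			s.AuthFlag = append(s.AuthFlag, e.URL)
		}
	}
	sort.Strings(s.OpenSchema)
	sort.Strings(s.AuthFlag)
	return s
}

// sampleOutput is constructed: the first line is the one from the README's sample
// run, the other two are made up to cover the remaining field combinations.
const sampleOutput = `{"authenticated":false,"domain":"rickandmortyapi.com","schema_status":"OPEN","source":"rickandmortyapi.com","url":"https://rickandmortyapi.com/graphql"}
{"authenticated":true,"domain":"api.example.com","schema_status":"CLOSED","source":"example.com","url":"https://api.example.com/graphql"}

{"authenticated":false,"domain":"example.com","source":"example.com","url":"https://example.com/api"}
`

func main() {
	eps, err := ParseJSONL(strings.NewReader(sampleOutput))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	s := Summarize(eps)
	fmt.Printf("%d endpoints, per source: %v\n", s.Total, s.BySource)
	fmt.Println("schema OPEN (review introspection exposure):", s.OpenSchema)
	fmt.Println("authenticated=true:", s.AuthFlag)
}
```

Replace strings.NewReader(sampleOutput) with an *os.File opened on the path given to -o to run it on a real scan; the line-numbered errors matter because a run interrupted mid-write leaves a partial last line.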
Additional options
Usage: goctopus [options] [addresses]
[addresses]: A list of addresses to fingerprint, comma separated.
Addresses can be in the form of http://example.com/graphql or example.com. If an input file is specified, this argument is ignored.
[options]:
-a (All) Enable all fingerprinting methods: introspection, field suggestion, subdomain enumeration
-f string
Input file
-introspect
Enable introspection fingerprinting
-o string
Output file (json-lines format)
-s Silent
-subdomain
Enable subdomain enumeration
-suggest
Enable fields suggestion fingerprinting.
Needs "introspection" to be enabled.
-t int
Request timeout (seconds) (default 30)
-v Verbose
-w int
Max workers (default 40)
-webhook string
Webhook URL
Docker usage
Using volumes to load the input file and save to the output file:
docker run --rm -it -v $(pwd):/data escapetech/goctopus:latest -f /data/input.txt -o /data/output.jsonl
Using a specific version:
# for version vA.B.C
docker run --rm -it escapetech/goctopus:A.B.C [args]
Roadmap
- Better wordlist for field suggestion fingerprinting, to improve the detection performance and detection rate.
- Engine fingerprinting.
- Script analysis.
- Refactor to make goctopus usable as a go package.
- Document goctopus as a go package.
- Better flags.
- Better logs.
- Direct cli input.
- Improve performance further.
- Resume from output file. (maybe)
- Custom ascii art. (maybe)
- Docker