Description
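Clairvoyance discovers GraphQL API schemas even when introspection is disabled. It sends candidate names from a word list and uses the field suggestions in the resulting error messages to reconstruct the schema by brute-force enumeration. It is critical when normal introspection queries are blocked, and it shows that disabling introspection alone does not hide a schema while the server still returns field suggestions.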
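To audit your own endpoint for the suggestion leak described above, the following added example (not part of Clairvoyance or of the original page) parses GraphQL error responses and lists every name disclosed through a "Did you mean" hint. The sample responses are constructed and assume the graphql-js message wording; `leaked_names` and `audit` are hypothetical helper names.

```python
import json
import re

# Constructed sample responses (not captured from a real server).
# Assumption: error wording follows the graphql-js "Did you mean" format.
SAMPLE_RESPONSES = [
    '{"errors":[{"message":"Cannot query field \\"usr\\" on type \\"Query\\". Did you mean \\"user\\" or \\"users\\"?"}]}',
    '{"errors":[{"message":"Cannot query field \\"pasword\\" on type \\"User\\". Did you mean \\"password\\", \\"passwordHash\\", or \\"passwordResetToken\\"?"}]}',
    '{"errors":[{"message":"Cannot query field \\"zzz\\" on type \\"Query\\"."}]}',
    '{"data":{"ping":"ok"}}',
]

SUGGESTION = re.compile(r'Did you mean (.+?)\?')   # the hint clause
QUOTED = re.compile(r'"([^"]+)"')                  # each quoted name in it
ON_TYPE = re.compile(r'on type "([^"]+)"')         # the type that was probed


def leaked_names(response_body):
    """Return {type_name: {names}} disclosed by suggestion hints in one response."""
    leaks = {}
    try:
        errors = json.loads(response_body).get("errors") or []
    except (ValueError, AttributeError):
        return leaks  # not JSON, or not a JSON object: nothing to audit
    for err in errors:
        msg = err.get("message", "") if isinstance(err, dict) else ""
        hint = SUGGESTION.search(msg)
        if not hint:
            continue  # plain validation error, no names disclosed
        owner = ON_TYPE.search(msg)
        type_name = owner.group(1) if owner else "<unknown>"
        leaks.setdefault(type_name, set()).update(QUOTED.findall(hint.group(1)))
    return leaks


def audit(bodies):
    """Merge the leaks found across many responses (e.g. from a test run)."""
    merged = {}
    for body in bodies:
        for type_name, names in leaked_names(body).items():
            merged.setdefault(type_name, set()).update(names)
    return merged


if __name__ == "__main__":
    for type_name, names in sorted(audit(SAMPLE_RESPONSES).items()):
        print(f"{type_name}: suggestions leak {sorted(names)}")
```

An empty result from `audit` over responses to deliberately misspelled queries indicates that the server no longer returns suggestions.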
Installation
```bash
pip3 install clairvoyance

# From source
git clone https://github.com/nikitastupin/clairvoyance.git
cd clairvoyance && pip3 install .
```
Basic Usage
```bash
# Schema discovery with default wordlist
clairvoyance https://target.com/graphql -o schema.json

# With custom wordlist
clairvoyance https://target.com/graphql -w custom_words.txt -o schema.json
```
Advanced Usage
```bash
# With authentication
clairvoyance https://target.com/graphql \
  -H "Authorization: Bearer TOKEN" -o schema.json

# Custom wordlist for field names
clairvoyance https://target.com/graphql -w fields.txt -o schema.json

# Through proxy
clairvoyance https://target.com/graphql --proxy http://127.0.0.1:8080 -o schema.json

# Verbose
clairvoyance https://target.com/graphql -o schema.json -v
```
Common Workflows
```bash
# Step 1: Check if introspection is disabled
curl -s -X POST https://target.com/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ __schema { types { name } } }"}'
# If blocked → use Clairvoyance

# Step 2: Discover schema
clairvoyance https://target.com/graphql -o schema.json

# Step 3: Use discovered schema with InQL or GraphQLmap
# Import schema.json into InQL Burp extension
# Generate queries based on discovered types

# Step 4: Look for sensitive types
# The "i" flag makes the match case-insensitive, so names such as "User" or "AdminConfig" are found
jq '.data.__schema.types[] | select(.name | test("user|admin|config|internal"; "i"))' schema.json
```