InQL - Introspection GraphQL Scanner
A security testing tool to facilitate GraphQL technology security auditing efforts.
This extension will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for:
- Queries, mutations, subscriptions
- Its fields and arguments
- Objects and custom object types
- Find GraphQL Cycles
Using the inql extension for Burp Suite, you can:
- Search for known GraphQL URL paths; the tool will grep and match known values to detect GraphQL endpoints within the target website
- Search for exposed GraphQL development consoles (GraphiQL, GraphQL Playground, and other common consoles)
- Use a custom GraphQL tab displayed on each HTTP request/response containing GraphQL
- Leverage the templates generation by sending those requests to Burp's Repeater tool ("Send to Repeater")
- Leverage the templates generation and editor support by sending those requests to embedded GraphIQL ("Send to GraphiQL")
- Configure the tool by using a custom settings tab
|Author||Andrea Brancaleoni @ Doyensec|
|Last updated||30 June 2021|
You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.
|You can view the source code for this BApp by visiting our GitHub page.|
|Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.|
Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.