InQL - GraphQL Scanner

This Burp extension is designed to assist in your GraphQL security testing efforts.

The main tool provided by InQL v5.0 is a customizable scanner to analyze a GraphQL endpoint or a local introspection schema file. It generates all possible queries and mutations, presenting them in an organized view for thorough analysis. Scanner results can be sent to Burp's Repeater or Intruder tools for further testing.

Here are some other features that make InQL v5.0 an indispensable tool for your auditing needs:

• Points of interest analysis for identification of PII, authentication, authorization, and other sensitive data in GraphQL schema.
• The new Attacker component for batch GraphQL attacks, handy for testing rate limit bypasses and DoS vectors.
• Identification of GraphQL endpoints and development console such as GraphiQL, GraphQL Playground, etc.
• Integration of a custom GraphQL tab in Burp's native HTTP message editor, visualizing GraphQL payload.
• Configuration of the tool via a custom settings tab for more precise control.

InQL v5.0 introduces GQLSpection, a powerful successor to the standalone and CLI modes found in previous versions. GQLSpection is a versatile CLI tool and a Python 2/3/Jython compatible library that sends introspection queries, parses results, generates queries and runs Points of Interest scans in a headless mode.

Happy testing and stay tuned for more updates!