1. Support Center
  2. BApp Store
  3. GraphQL Raider

GraphQL Raider


GraphQL Raider is a Burp Suite Extension for testing endpoints implementing GraphQL.


Display and Editor

The gql query and variables are extracted from the unreadable json body and displayed in separate tabs.

While intercepting or resending you can manipulate the gql query and variables inside the gql tab and the message will be correctly send.

Scanner Insertion Points

Not only the variables are extracted as insertion point for the scanner. Furthermore the values inside the query are also extracted as insertion point for the scanner.

The detected insertion points are displayed for information and better transparency inside the qgl tab of a message

Insertion points are used by active scanner to insert the payloads for detecting vulnerabilities. The custom gql insertion points helps the active scanner to position the payloads at the correct place inside of a gql query.


GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data


Serving over HTTP



GraphQL query should be specified in the "query" query string.



JSON-encoded body

  "query": "...",
  "operationName": "...",
  "variables": { "myVariable": "someValue", ... }
Author Dennis Kniep
Version 1.0.0-17
Last updated 12 August 2019

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for this BApp by visiting our GitHub page.
Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.
Download BApp

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.

Go back to BappStore