Professional

GraphQL Security Tester

GraphQL Security Tester generates sophisticated malicious GraphQL test queries for authorized security testing. Features dynamic AI status monitoring, automatic and manual schema introspection, optional RAG integration for enhanced security knowledge, and intelligent query formatting that converts multi-line GraphQL to single-line format for streamlined testing workflows.

Features

  • Burp AI integration generates malicious query variants targeting SQL injection, authorization bypass, DoS, information disclosure, input validation, NoSQL injection, and rate limiting vulnerabilities
  • Dual schema extraction via automatic introspection of GraphQL endpoints or manual schema input and parsing
  • Two generation modes: bulk testing for comprehensive vulnerability coverage or targeted testing to generate malicious variants of specific queries
  • Custom AI messaging for specialized security guidance and tailored vulnerability analysis
  • Optional RAG service integration with configurable relevance parameters and smart caching to prevent duplicate operations
  • Single-line query formatting automatically converts multi-line GraphQL queries for easy testing and integration

Usage

  1. Enable Burp AI features by checking the "Use AI" checkbox in the Extensions → Installed tab
  2. Extract your GraphQL schema by entering the endpoint URL and clicking "Introspect Schema", or paste schema JSON manually and click "Parse Schema"
  3. For targeted testing, paste a specific GraphQL query in the "Target Query/Mutation" field; for comprehensive testing, leave it empty
  4. Specify attack types in the "Test Types" field such as SQL Injection, Authorization Bypass, DoS, Information Disclosure
  5. Click "Generate Malicious Queries" to create AI-powered test cases with detailed attack vector explanations
  6. Optionally use the "Custom Messages" tab to send specific security testing requests directly to Burp AI for specialized guidance
  7. Configure optional RAG integration in the RAG Configuration tab to enhance testing with external security knowledge

Author

Nayan Goel, Nandan Gupta

Version

1.0.0

Last updated

04 February 2026


You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
