InQL is a security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script or as a Burp Suite extension.
InQL Stand-Alone CLI
Running inql
from Python will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for:
InQL can inspect the introspection query results and generate clean documentation in different formats such as HTML and JSON schema. InQL is also able to generate templates (with optional placeholders) for all known basic data types.
For all supported options, check the command line help:
Usage: inql [-h] [–nogui] [-t TARGET] [-f SCHEMA_JSON_FILE] [-k KEY]
[-p PROXY] [–header HEADERS HEADERS] [-d] [–generate-html]
[–generate-schema] [–generate-queries] [–insecure]
[-o OUTPUT_DIRECTORY]
InQL Scanner
Optional Arguments:
-h, –help show this help message and exit
–nogui Start InQL Without Standalone GUI [Jython-only]
-t TARGET Remote GraphQL Endpoint (https:///graphql)
-f SCHEMA_JSON_FILE Schema file in JSON format
-k KEY API Authentication Key
-p PROXY IP of web proxy to go through (http://127.0.0.1:8080)
–header HEADERS HEADERS
-d Replace known GraphQL arguments types with placeholder
values (useful for Burp Suite)
–generate-html Generate HTML Documentation
–generate-schema Generate JSON Schema Documentation
–generate-queries Generate Queries
–insecure Accept any SSL/TLS certificate
-o OUTPUT_DIRECTORY Output Directory
InQL Burp Suite Extension
Since version 1.0.0 of the tool, InQL was extended to operate within Burp Suite. In this mode, the tool will retain all the capabilities of the stand-alone script and add a handy user interface for manipulating queries.
Using the inql
extension for Burp Suite, you can:
To use inql
in Burp Suite, import the Python extension:
inql_burp.py
release hereinql_burp.py
> NextInQL Scanner Started!
In the future we might consider integrating the extension within Burp’s BApp Store.
Burp Extension Usage
Getting started with the inql
Burp extension is easy:
InQL Stand-Alone UI
Since version 2.0.0, InQL UI is now able to operate without requiring BURP. It is now possible to install InQL stand-alone for jython
and run the Scanner UI.
In this mode InQL maintains most of the Burp Scanner capabilities with the exception of advanced interactions such as “Send To Repeater” and automatic authorization header generation, available through BURP.
To use inql
stand-alone UI:
brew install jython
or on Ubuntu derivates through apt-get install -y jython
jython -m pip install inql
jython -m inql
InQL Documentation Generator
In either BURP or in Stand-Alone mode, InQL is able to generate meaningful documentation for available GraphQL entities. Results are available as HTML pages or query templates.
The resulting HTML documentation page will contain details for all available Queries
, Mutations
, and Subscriptions
as shown here:
The following screenshot shows the use of templates generation:
Prepare to take your Among Us gaming experience to the next level with the latest…
WormGPT is a malicious AI tool promoted on the dark web as the adversary of…
Welcome to the world of Facebook_hack, a potent tool designed for educational purposes to showcase…
Step into the realm of ethical hacking with HackerToolkit, your ultimate resource for penetration testing,…
Bienvenidos a este espacio donde compartiré artículos relacionados a la Ciberseguridad y Hacking en general.…
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…