A security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script, or as a Burp Suite extension.
Running inql
from Python will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for:
InQL can inspect the introspection query results and generate clean documentation in different formats, such as HTML and JSON schema. InQL is also able to generate templates (with optional placeholders) for all known basic data types.
The resulting HTML documentation page will contain details for all available Queries
, Mutations
, and Subscriptions
as shown here:
The following screenshot shows the use of templates generation:
For all supported options, check the command line help:
usage: inql [-h] [-t TARGET] [-f SCHEMA_JSON_FILE] [-k KEY] [-p PROXY]
[–header HEADERS HEADERS] [-d] [–generate-html]
[–generate-schema] [–generate-queries] [–insecure]
[-o OUTPUT_DIRECTORY]
InQL Scanner
Optional arguments:
-h, –help show this help message and exit
-t TARGET Remote GraphQL Endpoint (https:///graphql)
-f SCHEMA_JSON_FILE Schema file in JSON format
-k KEY API Authentication Key
-p PROXY IP of web proxy to go through (http://127.0.0.1:8080)
–header HEADERS HEADERS
-d Replace known GraphQL arguments types with placeholder values (useful for Burp Suite)
–generate-html Generate HTML Documentation
–generate-schema Generate JSON Schema Documentation
–generate-queries Generate Queries
–insecure Accept any SSL/TLS certificate
-o OUTPUT_DIRECTORY Output Directory
Burp Suite Extension
Since version 1.0 of the tool, InQL was extended to operate within Burp Suite. In this mode, the tool will retain all the capabilities of the stand-alone script plus a handy user interface to manipulate queries.
Using the inql
extension for Burp Suite, you can:
To use inql
in Burp Suite, import the Python extension:
inql_burp.py
release hereinql_burp.py
> NextInQL Scanner Started!
In future, we might consider integrating the extension within the Burp’s BApp Store.
Burp Extension Usage
Getting started with inql
Burp extension is easy:
Credit: Andrea Brancaleoni & Paolo Stagno
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…