A security testing tool to facilitate GraphQL technology security auditing efforts. InQL can be used as a stand-alone script, or as a Burp Suite extension.
Running inql
from Python will issue an Introspection query to the target GraphQL endpoint in order fetch metadata information for:
InQL can inspect the introspection query results and generate clean documentation in different formats, such as HTML and JSON schema. InQL is also able to generate templates (with optional placeholders) for all known basic data types.
The resulting HTML documentation page will contain details for all available Queries
, Mutations
, and Subscriptions
as shown here:
The following screenshot shows the use of templates generation:
For all supported options, check the command line help:
usage: inql [-h] [-t TARGET] [-f SCHEMA_JSON_FILE] [-k KEY] [-p PROXY]
[–header HEADERS HEADERS] [-d] [–generate-html]
[–generate-schema] [–generate-queries] [–insecure]
[-o OUTPUT_DIRECTORY]
InQL Scanner
Optional arguments:
-h, –help show this help message and exit
-t TARGET Remote GraphQL Endpoint (https:///graphql)
-f SCHEMA_JSON_FILE Schema file in JSON format
-k KEY API Authentication Key
-p PROXY IP of web proxy to go through (http://127.0.0.1:8080)
–header HEADERS HEADERS
-d Replace known GraphQL arguments types with placeholder values (useful for Burp Suite)
–generate-html Generate HTML Documentation
–generate-schema Generate JSON Schema Documentation
–generate-queries Generate Queries
–insecure Accept any SSL/TLS certificate
-o OUTPUT_DIRECTORY Output Directory
Burp Suite Extension
Since version 1.0 of the tool, InQL was extended to operate within Burp Suite. In this mode, the tool will retain all the capabilities of the stand-alone script plus a handy user interface to manipulate queries.
Using the inql
extension for Burp Suite, you can:
To use inql
in Burp Suite, import the Python extension:
inql_burp.py
release hereinql_burp.py
> NextInQL Scanner Started!
In future, we might consider integrating the extension within the Burp’s BApp Store.
Burp Extension Usage
Getting started with inql
Burp extension is easy:
Credit: Andrea Brancaleoni & Paolo Stagno
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…