InQL – A Burp Extension For GraphQL Security Testing
To use inql
in Burp Suite, import the Python extension:
- Download the Jython Jar
- Start Burp Suite
- Extender Tab > Options > Python Enviroment > Set the location of Jython standalone JAR
- Extender Tab > Extension > Add > Extension Type > Select Python
- Download the latest
inql_burp.py
release here - Extension File > Set the location of
inql_burp.py
> Next - The output should now show the following message:
InQL Scanner Started!
In the future we might consider integrating the extension within Burp’s BApp Store.
Burp Extension Usage
Getting started with the inql
Burp extension is easy:
- Load a GraphQL endpoint or a JSON schema file location inside the top input field
- Press the “Load” button
- After few seconds, the left panel will refresh loading the directory structure for the selected endpoint as in the following example:
- url
- query
- timestamp 1
- query1.query
- query2.query
- timestamp 2
- query1.query
- query2.query
- mutation
- subscription
- Selecting any query/mutation/subscription will load the corresponding template in the main text area
InQL Stand-Alone UI
Since version 2.0.0, InQL UI is now able to operate without requiring BURP. It is now possible to install InQL stand-alone for jython
and run the Scanner UI.
In this mode InQL maintains most of the Burp Scanner capabilities with the exception of advanced interactions such as “Send To Repeater” and automatic authorization header generation, available through BURP.
To use inql
stand-alone UI:
- Download and Install Jython. This can be obtained on macOS through brew
brew install jython
or on Ubuntu derivates throughapt-get install -y jython
- Install inql through pip with
jython -m pip install inql
- Start the UI through jython with
jython -m inql
InQL Documentation Generator
In either BURP or in Stand-Alone mode, InQL is able to generate meaningful documentation for available GraphQL entities. Results are available as HTML pages or query templates.
The resulting HTML documentation page will contain details for all available Queries
, Mutations
, and Subscriptions
as shown here:
The following screenshot shows the use of templates generation:
Credits
Author and Maintainer: Andrea Brancaleoni (@nJoyneer – thypon)
This project was made with love in Doyensec Research island.