InQL Scanner

InQL is now public!

As a part of our continuing security research journey, we started developing an internal tool to speed-up GraphQL security testing efforts. We’re excited to announce that InQL is available on Github.

InQL can be used as a stand-alone script, or as a Burp Suite extension (available for both Professional and Community editions). The tool leverages GraphQL built-in introspection query to dump queries, mutations, subscriptions, fields, arguments and retrieve default and custom objects. This information is collected and then processed to construct API endpoints documentation in the form of HTML and JSON schema. InQL is also able to generate query templates for all the known types. The scanner has the ability to identify basic query types and replace them with placeholders that will render the query ready to be ingested by a remote API endpoint.

We believe this feature, combined with the ability to send query templates to Burp’s Repeater, will decrease the time to exploit vulnerabilities in GraphQL endpoints and drastically lower the bar for security research against GraphQL tech stacks.

InQL Scanner Burp Suite Extension

Using the inql extension for Burp Suite, you can:

Search for known GraphQL URL paths; the tool will grep and match known values to detect GraphQL endpoints within the target website

Search for exposed GraphQL development consoles (GraphiQL, GraphQL Playground, and other common utilities)

Use a custom GraphQL tab displayed on each HTTP request/response containing GraphQL

Leverage the template generation by sending those requests to Burp’s Repeater tool

Configure the tool by using a custom settings tab

Your browser does not support the video tag.

Enabling InQL Scanner Extension in Burp

To use inql in Burp Suite, import the Python extension:

Download the latest Jython Jar

Download the latest version of InQL scanner

Start Burp Suite

Extender Tab > Options > Python Enviroment > Set the location of Jython standalone JAR

Extender Tab > Extension > Add > Extension Type > Select Python

Extension File > Set the location of inql_burp.py > Next

> Next The output window should display the following message: InQL Scanner Started!

In the next future, we might consider integrating the extension within Burp’s BApp Store.

InQL Demo

We completely revamped the command line interface in light of InQL’s public release. This interface retains most of the Burp plugin functionalities.

It is now possible to install the tool with pip and run it through your favorite CLI.

pip install inql

For all supported options, check the command line help:

usage: inql [ -h ] [ -t TARGET] [ -f SCHEMA_JSON_FILE] [ -k KEY] [ -p PROXY] [ --header HEADERS HEADERS] [ -d ] [ --generate-html ] [ --generate-schema ] [ --generate-queries ] [ --insecure ] [ -o OUTPUT_DIRECTORY] InQL Scanner optional arguments: -h , --help show this help message and exit -t TARGET Remote GraphQL Endpoint ( https://<Target_IP>/graphql ) -f SCHEMA_JSON_FILE Schema file in JSON format -k KEY API Authentication Key -p PROXY IP of web proxy to go through ( http://127.0.0.1:8080 ) --header HEADERS HEADERS -d Replace known GraphQL arguments types with placeholder values ( useful for Burp Suite ) --generate-html Generate HTML Documentation --generate-schema Generate JSON Schema Documentation --generate-queries Generate Queries --insecure Accept any SSL/TLS certificate -o OUTPUT_DIRECTORY Output Directory

An example query can be performed on one of the numerous exposed APIs, e.g anilist.co endpoints:

$ $ inql -t https://anilist.co/graphql [ +] Writing Queries Templates | Page | Media | MediaTrend | AiringSchedule | Character | Staff | MediaList | MediaListCollection | GenreCollection | MediaTagCollection | User | Viewer | Notification | Studio | Review | Activity | ActivityReply | Following | Follower | Thread | ThreadComment | Recommendation | Like | Markdown | AniChartUser | SiteStatistics [ +] Writing Queries Templates | UpdateUser | SaveMediaListEntry | UpdateMediaListEntries | DeleteMediaListEntry | DeleteCustomList | SaveTextActivity | SaveMessageActivity | SaveListActivity | DeleteActivity | ToggleActivitySubscription | SaveActivityReply | DeleteActivityReply | ToggleLike | ToggleLikeV2 | ToggleFollow | ToggleFavourite | UpdateFavouriteOrder | SaveReview | DeleteReview | RateReview | SaveRecommendation | SaveThread | DeleteThread | ToggleThreadSubscription | SaveThreadComment | DeleteThreadComment | UpdateAniChartSettings | UpdateAniChartHighlights [ +] Writing Queries Templates [ +] Writing Queries Templates

The resulting HTML documentation page will contain details for all available queries, mutations, and subscriptions.

Stay tuned!

Back in May 2018, we published a blog post on GraphQL security where we focused on vulnerabilities and misconfigurations. As part of that research effort, we developed a simple script to query GraphQL endpoints. After the publication, we received a lot of positive feedbacks that sparked even more interest in further developing the concept. Since then, we have refined our GraphQL testing methodologies and tooling. As part of our standard customer engagements, we often perform testing against GraphQL technologies, hence we expect to continue our research efforts in this space. Going forward, we will keep improving detection and make the tool more stable.

This project was made with love in the Doyensec Research island.