InQL Scanner - find security flaws in your GraphQL code
Jakub Chomko

4/10/2020

If you’ve ever struggled to find vulnerabilities in your GraphQL code, this tool should be able to help. InQL Scanner, developed by Doyensec Research Island initially for their internal use, is now free to use and available on GitHub. InQL Scanner is a stand-alone security tool, but it can do more when used as a Burp Suite extension. It enables you to quickly extract and inspect metadata, which makes it easier to identify security issues that, due to the descriptive nature of GraphQL, would otherwise be hard to detect.

What does it do?

Running the InQL command from Python issues an introspection query for queries, mutations, and subscriptions, as well as their respective fields and arguments. Optional arguments cover targeting a remote GraphQL endpoint, supplying an API authentication key, replacing known GraphQL argument types with placeholder values, and generating documentation. The results can be generated in HTML or JSON schema formats.
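To see what such an introspection result exposes about your own API, the added example below (not InQL's code and not from the original post) lists each root operation with placeholder argument values. The sample response, the schema in it and the placeholder table are constructed for illustration.

```python
import json

# Standard GraphQL introspection query a client would POST as {"query": ...}.
INTROSPECTION_QUERY = """{ __schema {
  queryType { name } mutationType { name } subscriptionType { name }
  types { name fields { name args { name type { kind name ofType { kind name } } } } }
} }"""

# Constructed sample response for a hypothetical schema (not from a real API).
SAMPLE = json.loads("""
{"data": {"__schema": {
  "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": null,
  "types": [
    {"name": "Query", "fields": [
      {"name": "user", "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "ID"}}}]}]},
    {"name": "Mutation", "fields": [
      {"name": "setEmail", "args": [
        {"name": "id", "type": {"kind": "NON_NULL", "name": null, "ofType": {"kind": "SCALAR", "name": "ID"}}},
        {"name": "email", "type": {"kind": "SCALAR", "name": "String", "ofType": null}}]}]},
    {"name": "User", "fields": [{"name": "email", "args": []}]}
  ]}}}
""")

# Placeholder values for known scalar types (choices made for this example).
PLACEHOLDERS = {"ID": '"1"', "String": '"text"', "Int": "1", "Float": "1.0", "Boolean": "true"}

def base_type(t):
    """Unwrap NON_NULL / LIST wrappers down to the named type."""
    while t.get("ofType"):
        t = t["ofType"]
    return t["name"]

def operation_templates(result):
    """Return {root kind: [operation signature with placeholder arguments]}."""
    schema = result["data"]["__schema"]
    types = {t["name"]: t for t in schema["types"]}
    out = {}
    for kind in ("queryType", "mutationType", "subscriptionType"):
        root = schema.get(kind)
        if not root:
            continue  # the schema does not define this root type
        sigs = []
        for f in types[root["name"]].get("fields") or []:
            args = ", ".join(f'{a["name"]}: {PLACEHOLDERS.get(base_type(a["type"]), "null")}' for a in f["args"])
            sigs.append(f'{f["name"]}({args})' if args else f["name"])
        out[kind[:-4]] = sigs
    return out

if __name__ == "__main__":
    print(json.dumps(operation_templates(SAMPLE), indent=2))
```

Every operation in the output is something an unauthenticated client could also enumerate if introspection is left enabled on the endpoint, so the listing doubles as a review checklist for authorization on each one.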

Burp Suite Extension

As Doyensec is considering integrating InQL with Burp’s BApp Store, it is worth taking a closer look at the functionality of the extension. According to the creators of the scanner, it enables you to:

  • Search for known GraphQL URL paths; the tool will grep and match known values to detect GraphQL endpoints within the target website,
  • Search for exposed GraphQL development consoles (GraphiQL, GraphQL Playground, and other common utilities),
  • Use a custom GraphQL tab displayed on each HTTP request/response containing GraphQL,
  • Leverage the template generation by sending those requests to Burp’s Repeater tool,
  • Configure the tool by using a custom settings tab,

while maintaining the basic functionality of the tool described in the previous section. Instructions on how to use the tool, examples of documentation pages, and template generation are available on the InQL GitHub page.

Are there any downsides?

InQL is definitely worth trying out and running your code through. InQL Scanner itself is a handy tool; however, its functionality seems to be limited in the stand-alone version. Using it as a Burp Suite extension significantly increases the scope of the tool’s functionality. And if you’re not satisfied with Burp’s essential manual tools, acquiring an extended license will cost you ~ €349 per user, per year. As GraphQL is rapidly growing in popularity, we should expect more and more people to take advantage of its limitations. Securing your code may be a good investment now, before the frequency and severity of the attacks against it increase.
