Question 1

How to test for IDOR vulnerabilities with GraphQLer?

Accepted Answer

Use the --idor-auth flag with a secondary token during compile mode to generate IDOR chains, then run fuzz mode for automatic detection, with results saved in the detections folder as described in the IDOR section.

Question 2

GraphQLer vs other GraphQL security tools like GraphQLmap?

Accepted Answer

GraphQLer focuses on dependency-aware fuzzing and automated IDOR detection, building realistic attack chains, while tools like GraphQLmap are more for basic enumeration and injection, making GraphQLer better for complex, context-aware testing.

Question 3

Can GraphQLer handle GraphQL subscriptions?

Accepted Answer

Yes, but it's disabled by default; enable with the --subscriptions flag, though this requires WebSocket support on the target API, as noted in the usage options.

Question 4

How to integrate GraphQLer into a CI/CD pipeline?

Accepted Answer

Use command-line modes like run with config files to automate testing, but monitor resource usage since fuzzing can be intensive, and output logs provide detailed results for reporting.

Question 5

What if my GraphQL API has introspection disabled?

Accepted Answer

GraphQLer cannot function without introspection unless you manually provide the schema, which isn't supported out-of-the-box, limiting its applicability in such cases.

Question 6

How to use custom plugins with GraphQLer?

Accepted Answer

Implement plugins in a directory specified by --plugins-path for custom authentication or other extensions, as mentioned in the plugins section of the README.

GraphQLer

What is GraphQLer?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions