Question 1

How do I install InQL on Burp Suite Community Edition?

Accepted Answer

InQL supports both Burp Community and Professional editions. Download the JAR file from GitHub releases or build it from source using Taskfile and Java 17, then load it as a Java extension in Burp's Extender tab.

Question 2

What's the difference between InQL and GraphQL Cop?

Accepted Answer

InQL is a Burp Suite extension focused on deep integration and advanced features like schema bruteforcing and batch attacks, whereas GraphQL Cop is a standalone CLI tool for basic GraphQL security checks. InQL is better for manual, in-depth testing within Burp.

Question 3

How can I use InQL to perform batch GraphQL attacks?

Accepted Answer

Use the Batch Queries tab in InQL to send multiple queries in a single request, which helps test rate limiting implementations. This is designed to circumvent poorly implemented rate limits by overwhelming the server.

Question 4

Can InQL test GraphQL APIs when introspection is disabled?

Accepted Answer

Yes, InQL includes a schema bruteforcer that uses regex pattern matching to recreate the schema even without introspection, based on the Clairvoyance CLI tool. It attempts to discover schema details through iterative requests.

Question 5

How do I customize the scan depth in InQL?

Accepted Answer

In the Scanner tab, you can adjust the depth of generated queries and the number of spaces for indentation to tailor the scan. This allows for focused testing on specific parts of the GraphQL schema.

Question 6

Is InQL compatible with older versions of Burp Suite?

Accepted Answer

No, InQL only supports the most recent version of Burp Suite, as stated in the requirements. Using it with older versions may lead to compatibility issues or broken functionality.

InQL Scanner

What is InQL Scanner?

Overview

Use Cases

Best For

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions