DEV.co
Open-Source Security · doyensec

inql

InQL is a Burp Suite extension written in Kotlin that automates GraphQL security testing by generating queries, detecting vulnerabilities, and analyzing schema introspection. It integrates directly into Burp's interface and supports both Professional and Community editions.

Source: GitHub — github.com/doyensec/inql
1.8k
GitHub stars
187
Forks
Kotlin
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorydoyensec/inql
Ownerdoyensec
Primary languageKotlin
LicenseApache-2.0 — OSI-approved
Stars1.8k
Forks187
Open issues30
Latest releasev6.1.2 (2026-02-16)
Last updated2026-06-17
Sourcehttps://github.com/doyensec/inql

What inql is

InQL is a Java extension (Montoya API) for Burp Suite that auto-generates GraphQL queries and mutations from introspection schemas, performs Points of Interest vulnerability scanning, detects circular references, and includes batch query execution and schema bruteforcing capabilities when introspection is disabled.

Quickstart

Get the inql source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/doyensec/inql.gitcd inql# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

GraphQL API Security Assessment

Use InQL to systematically test GraphQL endpoints during penetration tests or security audits, leveraging auto-generated queries and Points of Interest scanning to identify schema-level vulnerabilities without manual query crafting.

Bug Bounty Reconnaissance

Rapidly enumerate GraphQL schema details and generate payloads for scope enumeration and vulnerability discovery in bug bounty programs, with batch query capabilities to test rate-limit bypasses.

Schema Introspection Analysis and Fingerprinting

Analyze GraphQL schemas to detect circular references, engine fingerprint backend technologies, and identify sensitive fields or mutation patterns that warrant deeper testing.

Implementation considerations

  • Requires Java 17+ runtime; ensure Burp environment meets this baseline before deployment.
  • Build from source using Taskfile and Kotlin toolchain; pre-built releases available but require manual JAR loading into Burp.
  • Custom headers and domain auto-population require active traffic observation; configure domains and headers per scope before scan execution.
  • Points of Interest and circular reference detection depend on schema completeness; results may be incomplete if introspection is restricted or returns partial schema.
  • Batch query execution can trigger rate limiting or WAF rules; test in controlled environments and verify payload safety before production use.

When to avoid it — and what to weigh

  • REST-only API Testing — InQL is GraphQL-specific and offers no value for REST, gRPC, or other non-GraphQL API protocols. Use different tools if your target environment does not expose GraphQL endpoints.
  • Burp Suite Not in Your Workflow — InQL requires Burp Suite (Professional or Community). If you rely on other proxies or testing frameworks, this extension will not integrate into your pipeline.
  • Java 16 or Older — The Montoya API requires Java 17+. Environments locked to older Java versions cannot load or run this extension.
  • Fully Automated, Hands-Off Scanning — InQL requires active interaction to configure scans, interpret results, and correlate findings with business logic. It is not a push-button DAST tool and demands security expertise for effective use.

License & commercial use

Licensed under Apache License 2.0 (Apache-2.0), a permissive open-source license that permits commercial use, modification, and distribution with minimal restrictions. Full license text available at https://opensource.org/licenses/Apache-2.0.

Apache-2.0 is a permissive OSI-approved license that explicitly permits commercial use. No license restrictions apply to using InQL in commercial security operations, consulting, or product bundles. Retain copyright and license notices as per Apache-2.0 terms.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitGood
Assessment confidenceHigh
Security considerations

InQL is a security testing tool designed to identify vulnerabilities in GraphQL endpoints. Security posture considerations: (1) tool operates within Burp's process; (2) custom headers and domain configuration must be protected to avoid credential leakage in logs or saved state; (3) batch queries and schema bruteforcing can trigger IDS/WAF alerts or DoS if not rate-limited; (4) no formal security audit data provided; (5) consult latest project issues and releases for reported vulnerabilities or mitigations.

Alternatives to consider

GraphQL Threat Matrix / Escape GraphQL

Standalone GraphQL security testing frameworks not bound to Burp; suitable if you need language-agnostic or non-proxy-based GraphQL auditing.

Burp Scanner's Native GraphQL Support

Newer Burp versions include built-in GraphQL detection and basic scanning; consider if you want integrated, vendor-supported scanning without third-party extensions.

Clairvoyance (CLI)

Standalone schema bruteforcer on which InQL's bruteforcer is based; choose if you need command-line-only introspection circumvention without Burp integration.

Software development agency

Build on inql with DEV.co software developers

Integrate InQL into your Burp Suite workflow to systematically test GraphQL APIs. Download the extension, build from source, or consult Doyensec's documentation for deployment guidance.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

inql FAQ

Does InQL work with Burp Community edition?
Yes, InQL supports both Burp Professional and Community editions. Ensure Java 17+ is installed and the JAR is loaded as a Java extension.
Can I use InQL for automated, unattended scanning?
Not fully. InQL requires active configuration, result interpretation, and manual adjustment of scan parameters. It is best suited for interactive security testing workflows, not headless automation.
What is the difference between Points of Interest and circular reference detection?
Points of Interest scanning detects potential vulnerabilities in schema structure (e.g., overly permissive fields, sensitive mutations). Circular reference detection identifies recursive or self-referential types that may enable infinite query attacks or DoS.
Does InQL support authentication or API key injection?
Yes, via custom headers per domain. Headers are configured in the InQL UI and auto-populated from observed Burp traffic; use this to inject Bearer tokens, API keys, or session cookies before scan execution.

Software development & web development with DEV.co

Adopting inql is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Strengthen Your GraphQL Security Testing

Integrate InQL into your Burp Suite workflow to systematically test GraphQL APIs. Download the extension, build from source, or consult Doyensec's documentation for deployment guidance.