inql
InQL is a Burp Suite extension written in Kotlin that automates GraphQL security testing by generating queries, detecting vulnerabilities, and analyzing schema introspection. It integrates directly into Burp's interface and supports both Professional and Community editions.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | doyensec/inql |
| Owner | doyensec |
| Primary language | Kotlin |
| License | Apache-2.0 — OSI-approved |
| Stars | 1.8k |
| Forks | 187 |
| Open issues | 30 |
| Latest release | v6.1.2 (2026-02-16) |
| Last updated | 2026-06-17 |
| Source | https://github.com/doyensec/inql |
What inql is
InQL is a Java extension (Montoya API) for Burp Suite that auto-generates GraphQL queries and mutations from introspection schemas, performs Points of Interest vulnerability scanning, detects circular references, and includes batch query execution and schema bruteforcing capabilities when introspection is disabled.
Get the inql source
Clone the repository and explore it locally.
git clone https://github.com/doyensec/inql.gitcd inql# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Java 17+ runtime; ensure Burp environment meets this baseline before deployment.
- Build from source using Taskfile and Kotlin toolchain; pre-built releases available but require manual JAR loading into Burp.
- Custom headers and domain auto-population require active traffic observation; configure domains and headers per scope before scan execution.
- Points of Interest and circular reference detection depend on schema completeness; results may be incomplete if introspection is restricted or returns partial schema.
- Batch query execution can trigger rate limiting or WAF rules; test in controlled environments and verify payload safety before production use.
When to avoid it — and what to weigh
- REST-only API Testing — InQL is GraphQL-specific and offers no value for REST, gRPC, or other non-GraphQL API protocols. Use different tools if your target environment does not expose GraphQL endpoints.
- Burp Suite Not in Your Workflow — InQL requires Burp Suite (Professional or Community). If you rely on other proxies or testing frameworks, this extension will not integrate into your pipeline.
- Java 16 or Older — The Montoya API requires Java 17+. Environments locked to older Java versions cannot load or run this extension.
- Fully Automated, Hands-Off Scanning — InQL requires active interaction to configure scans, interpret results, and correlate findings with business logic. It is not a push-button DAST tool and demands security expertise for effective use.
License & commercial use
Licensed under Apache License 2.0 (Apache-2.0), a permissive open-source license that permits commercial use, modification, and distribution with minimal restrictions. Full license text available at https://opensource.org/licenses/Apache-2.0.
Apache-2.0 is a permissive OSI-approved license that explicitly permits commercial use. No license restrictions apply to using InQL in commercial security operations, consulting, or product bundles. Retain copyright and license notices as per Apache-2.0 terms.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Good |
| Assessment confidence | High |
InQL is a security testing tool designed to identify vulnerabilities in GraphQL endpoints. Security posture considerations: (1) tool operates within Burp's process; (2) custom headers and domain configuration must be protected to avoid credential leakage in logs or saved state; (3) batch queries and schema bruteforcing can trigger IDS/WAF alerts or DoS if not rate-limited; (4) no formal security audit data provided; (5) consult latest project issues and releases for reported vulnerabilities or mitigations.
Alternatives to consider
GraphQL Threat Matrix / Escape GraphQL
Standalone GraphQL security testing frameworks not bound to Burp; suitable if you need language-agnostic or non-proxy-based GraphQL auditing.
Burp Scanner's Native GraphQL Support
Newer Burp versions include built-in GraphQL detection and basic scanning; consider if you want integrated, vendor-supported scanning without third-party extensions.
Clairvoyance (CLI)
Standalone schema bruteforcer on which InQL's bruteforcer is based; choose if you need command-line-only introspection circumvention without Burp integration.
Build on inql with DEV.co software developers
Integrate InQL into your Burp Suite workflow to systematically test GraphQL APIs. Download the extension, build from source, or consult Doyensec's documentation for deployment guidance.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
inql FAQ
Does InQL work with Burp Community edition?
Can I use InQL for automated, unattended scanning?
What is the difference between Points of Interest and circular reference detection?
Does InQL support authentication or API key injection?
Software development & web development with DEV.co
Adopting inql is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Strengthen Your GraphQL Security Testing
Integrate InQL into your Burp Suite workflow to systematically test GraphQL APIs. Download the extension, build from source, or consult Doyensec's documentation for deployment guidance.