GraphQL Introspection Testing with Burp Suite InQL Extension

calendar_today January 28, 2026 schedule 10 min read person Red Badger Security Team

GraphQL APIs are increasingly popular, but many developers leave introspection enabled in production, exposing their entire API schema to attackers. Learn how to identify and exploit GraphQL introspection vulnerabilities using Burp Suite's InQL extension.

What is GraphQL?

GraphQL is a query language and runtime for APIs developed by Facebook. Unlike REST APIs with multiple endpoints, GraphQL uses a single endpoint where clients specify exactly what data they need.

Key Features of GraphQL

Single Endpoint: All requests go to one URL (typically /graphql)
Flexible Queries: Clients request only the fields they need
Strongly Typed Schema: API schema defines available types and operations
Real-time Updates: Subscriptions enable push-based data

Example GraphQL Query

                    {
  user(id: "123") {
    name
    email
    posts {
      title
      content
    }
  }
}
                

Understanding GraphQL Introspection

Introspection is a GraphQL feature that allows clients to query the schema itself, discovering all available types, fields, queries, and mutations.

What is Introspection Used For?

Auto-generating API documentation
Building GraphQL IDE tools (GraphiQL, GraphQL Playground)
Client-side code generation
Schema validation during development

Basic Introspection Query

                    {
  __schema {
    types {
      name
      kind
      description
      fields {
        name
        type {
          name
        }
      }
    }
  }
}
                

This query returns the entire API schema, including all types, fields, and their relationships.

Security Risks of Enabled Introspection

Leaving introspection enabled in production environments is a major security misconfiguration. Here's why:

Information Disclosure

Complete API Mapping: Attackers can enumerate all queries, mutations, and fields
Hidden Endpoints: Discover admin-only or internal functionality
Data Structure: Understand database schema and relationships
Business Logic: Infer application workflow and processes

Attack Surface Expansion

With full schema knowledge, attackers can:

Identify sensitive fields (passwords, tokens, API keys)
Find deprecated or undocumented mutations
Discover privilege escalation opportunities
Craft targeted injection attacks
Exploit business logic flaws

Real-World Impact

⚠️ Real Case: In 2020, a major social media platform exposed sensitive user data through an introspection-enabled GraphQL endpoint. Attackers discovered internal admin mutations that bypassed authorization checks, leading to unauthorized access to millions of user records.

Installing Burp Suite InQL Extension

InQL (Introspection GraphQL Scanner) is a Burp Suite extension that automates GraphQL introspection testing and exploitation.

Installation Steps

Open Burp Suite (Professional or Community Edition)
Navigate to Extender → BApp Store
Search for "InQL Scanner"
Click Install
Verify installation in the InQL tab

Alternative: Manual Installation

                    # Clone the repository
git clone https://github.com/doyensec/inql
cd inql

# Load as Burp extension
# In Burp: Extender → Extensions → Add
# Select: inql/burp/inql_burp.py
                

Key Features of InQL

Automatic introspection query detection
Schema visualization and exploration
Query/mutation template generation
Repeater integration for testing
Scanner for common GraphQL vulnerabilities

Testing Workflow with InQL

Step 1: Identify GraphQL Endpoints

GraphQL endpoints are typically located at:

/graphql
/api/graphql
/v1/graphql
/query
/api

Look for POST requests with Content-Type: application/json containing query/mutation fields.

Step 2: Test for Introspection

Send a basic introspection query to check if it's enabled:

                    POST /graphql HTTP/1.1
Host: target.com
Content-Type: application/json

{
  "query": "{ __schema { queryType { name } } }"
}
                

If successful, you'll receive schema information. If disabled, you'll see an error like "GraphQL introspection is not allowed".

Step 3: Load Schema into InQL

Right-click the GraphQL request in Burp Proxy or Repeater
Select "Send to InQL Scanner"
InQL will automatically run introspection and parse the schema
View results in the InQL tab

Step 4: Explore the Schema

InQL provides an interactive schema viewer showing:

Queries: All available read operations
Mutations: All available write operations
Types: Custom data types and their fields
Subscriptions: Real-time data streams

Step 5: Generate Query Templates

InQL automatically generates ready-to-use query templates for every field:

                    # Generated template for user query
query GetUser {
  user(id: "FUZZ_STRING") {
    id
    username
    email
    role
    isAdmin
    apiKey
    createdAt
  }
}
                

Step 6: Test Each Endpoint

Send generated queries to Burp Repeater and test for:

Missing authorization checks
Insecure Direct Object References (IDOR)
SQL injection in arguments
Sensitive data exposure
Rate limiting bypass

Exploitation Techniques

1. Finding Admin-Only Mutations

Look for mutations that suggest privileged operations:

                    mutation {
  deleteUser(id: "123")
  updateUserRole(id: "123", role: "admin")
  createApiKey(userId: "123")
  executeCommand(cmd: "whoami")
}
                

Test these mutations even if your current user doesn't have access—authorization might be missing.

2. IDOR via Introspection

Example scenario: Discover a query that exposes user data:

                    query {
  user(id: "1") {
    email
    password  # Hashed password exposed!
    ssn
    creditCard
  }
}
                

Test by iterating through user IDs: 1, 2, 3, etc.

3. Batch Query Attacks

GraphQL allows multiple queries in one request, enabling batch attacks:

                    {
  user1: user(id: "1") { email }
  user2: user(id: "2") { email }
  user3: user(id: "3") { email }
  # ... repeat 1000 times
  user1000: user(id: "1000") { email }
}
                

This bypasses rate limiting and extracts data rapidly.

4. Query Depth Exploitation

Craft deeply nested queries to cause DoS:

                    {
  user {
    posts {
      comments {
        author {
          posts {
            comments {
              # Continue nesting...
            }
          }
        }
      }
    }
  }
}
                

5. Field Duplication Attack

                    {
  user {
    # Duplicate field 10,000 times
    name name name name name ...
  }
}
                

This amplifies server load exponentially.

Mitigation Strategies

1. Disable Introspection in Production

Most GraphQL implementations allow disabling introspection:

Apollo Server (Node.js)

                    const server = new ApolloServer({
  typeDefs,
  resolvers,
  introspection: process.env.NODE_ENV !== 'production'
});
                

GraphQL-Java

                    GraphQL graphQL = GraphQL.newGraphQL(schema)
    .defaultDataFetcherExceptionHandler(customHandler)
    .queryExecutionStrategy(new AsyncExecutionStrategy())
    .build();

// Disable __schema and __type queries via custom validation
                

GraphQL-Python (Graphene)

                    from graphql.validation import NoSchemaIntrospectionCustomRule

schema = graphene.Schema(query=Query)
middleware = [NoSchemaIntrospectionCustomRule]
                

2. Implement Query Complexity Limits

Prevent DoS attacks by limiting query complexity:

Maximum query depth (e.g., 5 levels)
Maximum field count per query (e.g., 50 fields)
Query cost analysis (assign cost to each field)
Timeout limits (e.g., 5 seconds per query)

3. Authentication & Authorization

Field-Level Authorization: Check permissions for each field
Resolver-Level Checks: Validate access in every resolver function
Query Allowlisting: Only allow pre-approved queries in production

4. Rate Limiting

Implement rate limiting at multiple levels:

Request rate per IP/user
Query complexity budget per time window
Concurrent connection limits

5. Monitoring & Logging

Log and monitor:

All introspection attempts
Complex queries exceeding thresholds
Failed authorization attempts
Unusual query patterns

Conclusion

GraphQL introspection is a powerful development feature that becomes a critical vulnerability when left enabled in production. Using tools like Burp Suite InQL, attackers can fully enumerate your API surface and discover sensitive endpoints, mutations, and data structures.

Key Takeaways

Always disable introspection in production environments
Implement query complexity limits and depth restrictions
Use field-level authorization for every resolver
Rate limit queries based on complexity, not just count
Regularly audit your GraphQL schema for sensitive fields

Need professional GraphQL API security testing? Red Badger Security offers comprehensive API Security Testing services, including GraphQL-specific assessments.

Secure Your GraphQL APIs

Our certified security experts specialize in API security testing. Get a comprehensive assessment of your GraphQL implementations.

contact_mail Request API Assessment security View Services

arrow_back Back to Blog