InQL v6.1.0 Just Landed with New Features and Contribution S...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://blog.doyensec.com/2025/12/02/inql-v610.html
• Blog Title: InQL v6.1.0 Just Landed with New Features and Contribution Swag!
• Suggested Section: network-services-pentesting/pentesting-web/web-api-pentesting.md (add a dedicated subsection such as "GraphQL Error-Based Schema Reconstruction & Engine Fingerprinting" or a new "GraphQL Pentesting" page referenced from Web API Pentesting)

🎯 Content Summary

This post announces InQL v6.1.0, a Burp Suite extension focused on offensive GraphQL security testing. The extension was fully rewritten from Jython to Kotlin in v6.0.0 and v6.1.0 adds several key features that help discover and exploit attack surface on GraphQL APIs even when introspection is disabled.

GraphQL schema brute-forcer (active schema reconstruction).
Earlier versions of InQL relied on GraphQL introspection or a local schema file. v6.1.0 intro...

🔧 Technical Details

GraphQL schema reconstruction via error-based brute forcing.
The post details a technique to reconstruct GraphQL schemas when introspection is disabled by sending batched queries with guessed field/argument names and parsing validation errors. By iterating over a wordlist, the attacker observes responses like Field 'X' not found on type 'Y', Argument 'Z' is required, or suggestion hints such as Did you mean 'openPR'?. These messages reveal valid types, fields, required arguments, and even type names. Additional requests with deliberately incorrect value types provoke type mismatch errors that expose whether an argument expects String, a custom object, or a list type (e.g., [Episode!]). Repeating this process allows an attacker to reconstruct much of the schema purely from server feedback, enabling targeted abuse of sensitive queries and mutations.

GraphQL engine fingerprinting from er...

🤖 Agent Actions

Summary:

• Added a new “Error-based schema reconstruction & engine fingerprinting (InQL v6.1+)” section to the GraphQL methodology page explaining how the latest InQL release brute-forces schemas without introspection, fingerprints engines via crafted error signatures, and auto-populates variable payloads for Burp workflows.
• Highlighted practical usage notes (wordlist tuning, batching, type probing, leveraging GraphQL Threat Matrix lookups, and default variable mappings) to help testers apply the new capabilities during recon and exploitation.
• Updated the references section with the InQL v6.1.0 release blog and the GraphQL Threat Matrix resource used in the new guidance.

Tests: Not run (not requested).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://blog.doyensec.com/2025/12/02/inql-v610.html

Content Categories: Based on the analysis, this content was categorized under "network-services-pentesting/pentesting-web/web-api-pentesting.md (add a dedicated subsection such as "GraphQL Error-Based Schema Reconstruction & Engine Fingerprinting" or a new "GraphQL Pentesting" page referenced from Web API Pentesting)".

Repository Maintenance:

• MD Files Formatting: 914 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0