GraphQL Raider is a Burp Suite Extension for testing endpoints implementing GraphQL.
The gql query and variables are extracted from the unreadable json body and displayed in separate tabs.
While intercepting or resending you can manipulate the gql query and variables inside the gql tab and the message will be correctly send.
Not only the variables are extracted as insertion point for the scanner. Furthermore the values inside the query are also extracted as insertion point for the scanner.
The detected insertion points are displayed for information and better transparency inside the qgl tab of a message
Insertion points are used by active scanner to insert the payloads for detecting vulnerabilities. The custom gql insertion points helps the active scanner to position the payloads at the correct place inside of a gql query.
GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data
https://graphql.org/learn/serving-over-http/
GraphQL query should be specified in the "query" query string.
http://myapi/graphql?query={me{name}}
JSON-encoded body
{
"query": "...",
"operationName": "...",
"variables": { "myVariable": "someValue", ... }
}
A GitHub Release is triggered by AzureDevOps if commits are added to the branch master