Releases: doyensec/inql
v6.1.2
v6.1.1
This release brings exciting new features:
- The GraphQL Schema Brute-Forcer
- The GraphQL Server Engine Fingerprinter
- Automatic Variable Generation (Default Values)
- Usability and Performance Improvements
- Search inside the InQL Scanner tab, and in the Repeater/Intruder
- Improved POI Regex matching
- Improved caching for better performance
- Added delayed POI and cycle detection to improve schema parsing speed
- Various bug and UI fixes
v6.0.0
The InQL v6.0 release focuses on improving the performance and overall responsiveness of the tool. The whole project has been rewritten in Kotlin, resulting in a significant speed increase when parsing large GraphQL schemas.
Version v6.0 also moves away from the soon-to-be-deprecated GQLSpection library. Instead, the tool now uses graphql-java. This shift allows us to concentrate on implementing new security-related features without the added complexity of maintaining the GraphQL parsing library. Additionally, the Java library is faster and more compatible with our Kotlin rewrite.
The new release also brings important new features, such as:
- Built-in GraphiQL and GraphQL Voyager servers, enabling schema visualization even when the target system doesn’t expose such interfaces
- A circular references detector to identify potentially vulnerable fields
- An improved batch queries screen
- Speeeeeed! 🚀
v5.0.2
v5.0.1
v5.0.0
We are thrilled to announce the major release of InQL v5.0! This version marks a substantial leap in the evolution of our GraphQL testing tool, as we've largely rewritten InQL from scratch. We're moving away from Jython, and while most of the code is still using it, we are planning to transition to Kotlin soon.
While we've bid farewell to the standalone mode and CLI versions in this release, we've also introduced some new features and improvements that we're confident will enhance your testing experience.
What's New?
- GQLSpection Integration: InQL now leverages GQLSpection for GraphQL parsing and formatting. This ensures compatibility with all GraphQL spec versions.
- Enhanced Introspection: InQL now sends up to three introspection queries to accurately determine the GraphQL version supported by the server.
- Improved Query and Mutation Generation: The auto-generated queries and mutations now include inline comments, providing insights from the 'description' fields and some type annotations.
- User-Friendly Settings Window: We've revamped the Settings window to make it more intuitive and user-friendly.
- "Points of Interest" Scanner: The new scanner highlights areas of potential interest, aiding pentesters and bug hunters in their quest for vulnerabilities.
For the complete list of changes, please see the Full Changelog.
Looking Ahead
Although v5.0 marks a significant milestone, we're already looking ahead. GraphiQL and cycle detection, which have been removed in this release, will be reintroduced in a new form in the future. We're also planning to rewrite most of the code in Kotlin to optimize performance and maintainability.
We understand that this major release may impact your established workflows due to the deprecation of certain features. Please rest assured that our commitment to refining and enhancing InQL's core functionality remains steadfast.
Thank you for your continued support and happy testing with InQL v5.0!
407: Proxy Authentication Required
This is the last release of InQL in the v4.x branch. It will not be pushed to the BApp Store because v5.0 is about to be released, but we're still open to pull requests to fix breaking bugs and annoyances.
What's Changed
- fix: small error by @0xflotus in #81
- Fixed bug that will have disabled HTTP/2 on Burp edition before August by @matteoldani in #85
- Fix setuptools error due to non-compliant version number by @mathdeziel in #88
New Contributors
- @0xflotus made their first contribution in #81
- @mathdeziel made their first contribution in #88
Full Changelog: v4.0.6...v4.0.7
406: not acceptable
v4.0.6
Fixes:
- Try to avoid crashes if schema (slightly) invalid
- Fix FS corruption preventing InQL from loading
- Fix CORS issue preventing GraphiQL from loading
- Update GraphiQL to the latest release
- Try to use static port for GraphiQL, if available
- (Burp scanner) Don't report GraphQL API matches on redirects
- Normalize query names received from server
- Fix sorting by timestamp
New Features:
- InQL Attacker: tool for running GraphQL batch attacks
v4.0.5
Fixes:
- Burp: enable HTTP/2 for Burp >= 2020.8
v4.0.4
Fixes:
- Burp: remove Content-Type from GET requests
- Jython: fix the Windows file opener
v4.0.3
Fixes:
- Burp: print HTTP/2 error eagerly
v4.0.2
Fixes:
- Burp: unloads the GraphiQL server on exit.
v4.0.1
Fixes:
- Burp: catch error on missing HTTP/2 options
v4.0.0
Fixes:
- Disable HTTP/2 in Burp due to Jython incompatibilities
- Various Fixes
New Features:
- Generate SQLMap aware templates
- Include a new CSRF tester
405: method not allowed
v4.0.5
Fixes:
- Burp: enable HTTP/2 for Burp >= 2020.8
404: bug not found
v4.0.4
Fixes:
- Burp: remove Content-Type from GET requests
- Jython: fix the Windows file opener