GraphQL Grip #241
Description
Extension URL
https://github.com/thecybersandeep/graphql-grip
Version number
1.0.1
Select additional compatible products and features
- Community
- DAST
- Burp AI
Author display name
Sandeep Wawdane
Contact details (optional)
Discord username (optional)
thecybersandeep
I confirm that the following is true:
- I have permission from all relevant persons to submit this extension to the BApp Store for public use, under the terms and conditions of the EULA.
- I have read and understood the submission requirements for the BApp Store.
Extension overview
GraphQL Grip adds a GraphQL attack workbench directly into Repeater. Send a GraphQL request to Repeater, switch to the Grip tab, pick an attack type, and fire it without touching another tool. Attack categories cover DoS patterns (alias overloading, field duplication, circular queries, fragment bombs, array batching), mutation abuse, directive probing, introspection bypasses, CSRF format switching, and limits probing. Over 40 payloads total.
Schema work is handled in the main tab. It runs full introspection first, then minimal introspection as a fallback. If the endpoint blocks introspection entirely, Grip switches to blind reconstruction: bucketed field probing (64 fields per request, 8 concurrent threads) against a 300-word GraphQL-specific wordlist, with error message parsing to pull field names and type hints from whatever the server leaks. The error parsing works across Apollo, Hasura, Hot Chocolate, Sangria, Graphene, Juniper, and several others.
On top of that: engine fingerprinting for 15+ backends, a visual schema type graph, endpoint discovery, and context menu integration across all Burp tools.
Key features
- Repeater-native attack tab with 40+ payloads across DoS, Mutations, Directives, Info Disclosure, and Limits Probing categories
- Blind schema reconstruction using bucketed alias probing and multi-engine error message parsing when introspection is blocked
- 12 introspection bypass methods: newline injection, tab injection, CRLF, fragment bypass, inline fragment, aliased __schema, batched bypass, include/skip conditionals, long operation name, GET method, __type(name:) query, and APQ
- CSRF format switching converts any request to GET query param, URL-encoded POST, multipart/form-data, or APQ with real SHA256 hash in one click
- Limits probing tab with preset depth, width, and batch size probes to map where the server starts rejecting queries
- Visual schema graph with drag, zoom, type-colored nodes, and edge highlighting
- Engine fingerprinting for Apollo Server, Hasura, GraphQL Yoga, Graphene, graphql-java, Juniper, Sangria, Hot Chocolate, GraphQL PHP, WPGraphQL, AWS AppSync, Ariadne, Strawberry, gqlgen, and Dgraph
- Context menu integration across Proxy, Repeater, Scanner, Intruder, Target, and Logger
- Auth header inheritance from observed traffic (Authorization, Cookie, X-API-Key, X-CSRF-Token) with built-in rate limiter
- All attack parameters (alias count, batch size, field count, depth, etc.) adjustable and persisted via Burp preferences
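The DoS categories in the overview (alias overloading, field duplication, circular queries, array batching) and the Limits Probing tab all hinge on the same three server-side quantities: nesting depth, width (fields and aliases per document), and batch size. The following is an added example of the corresponding server-side guard, written here for illustration and not code from GraphQL Grip. It parses a raw request body, measures those three quantities with a small dependency-free scanner, and rejects anything over assumed thresholds (`LIMITS`); the sample queries are constructed, and a real deployment would use the engine's own validation rules (most of the fingerprinted engines expose depth and complexity limits) rather than this token scan.

```python
"""Defender-side GraphQL request limiter (added example, not GraphQL Grip code).

Measures the quantities a limits probe sweeps for (nesting depth, alias
and field counts, batch size) and rejects requests over fixed thresholds.
The scanner strips strings and comments, then walks tokens; it skips
argument lists, directive names and fragment spreads so only real
selection-set fields are counted. It is a guard, not a validator.
"""
import json
import re

# Assumed thresholds; tune to the real schema's legitimate query shapes.
LIMITS = {"max_depth": 8, "max_aliases": 20, "max_fields": 100, "max_batch": 5}

_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r"#[^\n]*")
_IDENT = re.compile(r"[A-Za-z_]\w*")
_TOKEN = re.compile(r"\.\.\.|[A-Za-z_]\w*|[{}():@$!=\[\]]|-?\d+(?:\.\d+)?")


def analyze_query(query: str) -> dict:
    """Return max nesting depth, alias count and field count for one document."""
    cleaned = _COMMENT.sub("", _STRING.sub('""', query))
    tokens = _TOKEN.findall(cleaned)
    depth = max_depth = paren = 0
    aliases = fields = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "(":
            paren += 1
        elif tok == ")":
            paren -= 1
        elif tok == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == "}":
            depth -= 1
        elif tok == "@":
            i += 1  # skip the directive name; its arguments are inside parens
        elif tok == "...":
            i += 1  # fragment spread: skip the name, or "on Type" for inline fragments
            if i < len(tokens) and tokens[i] == "on":
                i += 1
        elif paren == 0 and depth > 0 and _IDENT.fullmatch(tok):
            if i + 1 < len(tokens) and tokens[i + 1] == ":":
                aliases += 1  # "alias: field": the real field name is the next token
                i += 2
                continue
            fields += 1
        i += 1
    return {"depth": max_depth, "aliases": aliases, "fields": fields}


def check_request(body: str, limits: dict = LIMITS) -> tuple:
    """Accept or reject a raw JSON body (single operation or batch array)."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed JSON body"
    ops = payload if isinstance(payload, list) else [payload]
    if len(ops) > limits["max_batch"]:
        return False, f"batch of {len(ops)} operations exceeds {limits['max_batch']}"
    for op in ops:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, "operation missing query string"
        stats = analyze_query(op["query"])
        for key, limit in (("depth", "max_depth"), ("aliases", "max_aliases"), ("fields", "max_fields")):
            if stats[key] > limits[limit]:
                return False, f"{key} {stats[key]} exceeds {limits[limit]}"
    return True, "ok"


# Constructed sample bodies for demonstration.
NORMAL = """query GetUser($id: ID!) {
  user(id: $id) {
    id
    name
    posts(first: 5) @include(if: true) {
      title
      ...PostMeta
    }
  }
}
fragment PostMeta on Post { createdAt }"""
ALIAS_FLOOD = "query { " + " ".join(f"a{i}: __typename" for i in range(50)) + " }"
DEEP = "query {" + " me { friends {" * 5 + " id" + " } }" * 5 + " }"
BATCH = json.dumps([{"query": "{ __typename }"}] * 6)

if __name__ == "__main__":
    for label, body in (("normal", json.dumps({"query": NORMAL})),
                        ("alias flood", json.dumps({"query": ALIAS_FLOOD})),
                        ("deep", json.dumps({"query": DEEP})),
                        ("batch", BATCH)):
        print(label, check_request(body))
```

The alias and field counts together are what a width probe measures; depth and batch size map directly onto the other two probe presets, so the same thresholds that this guard enforces are the ones a probe sweep would discover.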
Usage instructions
Download graphql-grip-1.0.1.jar from the GitHub releases page or build with ./gradlew jar. In Burp Suite go to Extensions > Add and select the JAR. The GraphQL Grip tab appears in the main toolbar. Requires Java 17+ and Burp Suite 2023.12+.
Main tab: Enter the target URL and click Scan & Introspect. Grip fetches the schema via introspection. If that fails it falls back to blind reconstruction automatically. Browse the schema tree, view type relationships in the graph panel, and use Fingerprint Engine to identify the backend.
Repeater tab: Send any GraphQL request to Repeater from Proxy, Target, or anywhere else. Switch to the GraphQL Grip editor tab on the request side. Pick an attack category (DoS, Mutations, Directives, Info Disclosure, Limits Probing), click an attack button to generate the payload, adjust parameters with the spinners, then hit Send. The modified request fires directly.
Context menu: Right-click any request in any Burp tool and choose Send to GraphQL Grip. The endpoint loads into the main tab and scanning starts.
CSRF testing: Open the Directives tab in the Repeater workbench. Use the Request Format section to convert the request to GET, URL-encoded POST, multipart/form-data, or APQ format. Method and Content-Type update when you hit Send.
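The format switching described in the CSRF section above works because a browser will send GET requests and the "simple" POST content types (URL-encoded, multipart/form-data, text/plain) cross-origin without a CORS preflight, so an endpoint that accepts them can be driven by another site using the victim's cookies. As an added example that is not part of GraphQL Grip, here is the server-side check that closes that gap: an operation is accepted only when the request could not have been a simple cross-site request, which is the rule Apollo Server's CSRF prevention applies. The header name `X-Requested-With` is an assumption; any custom header that forces a preflight serves the same purpose, and the sample requests are constructed.

```python
"""Server-side CSRF guard for a GraphQL endpoint (added example, not GraphQL Grip code).

A request is treated as CSRF-safe when either (a) it is a POST with a
content type outside the CORS "simple" set, which the browser only sends
after a successful preflight, or (b) it carries a custom header that a
cross-origin page cannot attach without preflight. Mutations are
additionally refused over GET regardless of headers.
"""
import re

# Content types a browser sends cross-origin without preflight.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Assumed custom header set by the legitimate client; its name is arbitrary.
PREFLIGHT_HEADERS = ("x-requested-with",)

_OP_TYPE = re.compile(r"^\s*(query|mutation|subscription)\b")


def is_csrf_safe(method: str, headers: dict) -> tuple:
    """Return (safe, reason) based on method, content type and custom headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if any(h.get(name, "").strip() for name in PREFLIGHT_HEADERS):
        return True, "custom header present"
    if method.upper() != "POST":
        # Covers GET query params and APQ over GET: no body, no preflight.
        return False, f"{method.upper()} without custom header"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype or ctype in SIMPLE_CONTENT_TYPES:
        return False, f"simple content type {ctype or '<none>'} without custom header"
    return True, f"non-simple content type {ctype}"


def operation_type(query: str) -> str:
    """Shorthand documents ("{ me { id } }") are queries by definition."""
    m = _OP_TYPE.match(query)
    return m.group(1) if m else "query"


def authorize_request(method: str, headers: dict, query: str) -> tuple:
    """Combine the CSRF rule with the spec's safe-method rule for mutations."""
    safe, reason = is_csrf_safe(method, headers)
    if not safe:
        return False, reason
    if operation_type(query) == "mutation" and method.upper() != "POST":
        return False, "mutations must use POST"
    return True, reason


# Constructed sample requests: (method, headers, query).
SAMPLES = [
    ("POST", {"Content-Type": "application/json"}, "{ me { id } }"),
    ("GET", {}, "{ me { id } }"),
    ("POST", {"Content-Type": "application/x-www-form-urlencoded"}, "{ me { id } }"),
    ("POST", {"Content-Type": "multipart/form-data; boundary=abc"}, "{ me { id } }"),
    ("POST", {"Content-Type": "text/plain"}, "{ me { id } }"),
    ("GET", {"X-Requested-With": "app"}, "query { me { id } }"),
    ("GET", {"X-Requested-With": "app"}, "mutation { deleteMe }"),
]

if __name__ == "__main__":
    for method, headers, query in SAMPLES:
        print(method, headers.get("Content-Type", "-"), authorize_request(method, headers, query))
```

Each of the four formats the Request Format section can produce maps onto one rejected branch above, which makes the guard a quick way to confirm a fix before re-running the conversions.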
Template identifier (Internal use only - please ignore)
- template:01-submit-extension