doyensec / inql

InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
https://doyensec.com/
Apache License 2.0
1.52k stars 156 forks

Move "Setup Load Headers" Setting in General Configuration #44

Closed ikkisoft closed 2 years ago

ikkisoft commented 2 years ago

At the moment, it is possible to set an "Authorization Key" that allows setting a standard HTTP Authorization header (Basic, Bearer).

Many GraphQL services use cookies or custom headers for authentication. This is not currently supported by InQL. It would be great to extend the configuration and allow setting arbitrary headers. For instance, we can allow users to set arbitrary headers:values that will be appended to all requests.

thypon commented 2 years ago

The feature should already be there as a sub-menu of the main configuration menu under "Setup Load Headers".

Here is a GIF exemplifying the feature: https://github.com/doyensec/inql/issues/20#issuecomment-639434159

ikkisoft commented 2 years ago

OK, didn't even know! I will update the readme.

ikkisoft commented 2 years ago

Oh, wait... that doesn't work since we need to surface this feature pre-introspection. There are services that have introspection enabled for authenticated users only, hence you won't be able to use the "Setup Load Headers".

Reopening but reducing severity since the current implementation might work in some cases.

ikkisoft commented 2 years ago

Take 3! It's possible but super convoluted:

1) Open InQL
2) Go to the InQL Tab --> Right Click --> Configure
3) Inside the Configure window --> Right Click --> Setup Load Headers
