InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
[ ] open a new Burp session, go to the InQL tab and enter the address of a GraphQL API that requires auth headers in order to produce introspection results (either detect that the query has failed due to missing headers and prompt the user to add them, or simply display the default headers before sending the introspection query so that the user can add whatever they need)
[ ] once the introspection schema has been parsed, all actions on individual queries/mutations (e.g. "Send to Repeater") should generate queries with the same headers that were used to send the introspection query. It's OK to provide a way for the user to update headers manually, but apart from this corner case it is expected that if InQL was able to generate sample queries, these queries will work as-is (with the same permissions that were used during introspection). The only action that might be reasonably required from the user is to fill in input variables, as there is no way for InQL to understand their semantics
[ ] the same expectations apply to GraphiQL, so if auth headers are provided during the introspection request, a user should get a fully functional GraphiQL after using the "Send to GraphiQL" menu option, meaning GraphiQL should inherit all headers from InQL
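
The behaviour the checklist above asks for, as an added Python sketch that is not part of the original issue and is not InQL's code: recognise an introspection response that failed for lack of auth headers, and build a Repeater-ready request for a generated query that carries the headers sent with introspection. All function names, the hint list and the sample values are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Hypothetical names throughout; none of this is InQL's API.
AUTH_HINTS = ("unauthor", "unauthenticated", "forbidden", "access denied")
# Recomputed for every request, so never copied from the introspection request.
PER_REQUEST = {"host", "content-length", "content-type"}

def introspection_needs_auth(status, body):
    """Heuristic: True when an introspection response looks like an auth failure."""
    if status in (401, 403):
        return True
    try:
        doc = json.loads(body)
    except ValueError:
        return False  # not JSON: some other failure, do not prompt for headers
    if not isinstance(doc, dict):
        return False
    data, errors = doc.get("data"), doc.get("errors")
    if isinstance(data, dict) and data.get("__schema"):
        return False  # schema came back, the headers were sufficient
    if not isinstance(errors, list):
        return False
    # Many servers answer 200 and report the denial in the "errors" array.
    return any(h in json.dumps(e).lower() for e in errors for h in AUTH_HINTS)

def build_request(url, introspection_headers, query, variables=None):
    """Raw HTTP/1.1 request for a generated query, carrying the same headers
    that were sent with the introspection query."""
    parts = urlsplit(url)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    body = json.dumps({"query": query, "variables": variables or {}})
    lines = ["POST %s HTTP/1.1" % target, "Host: %s" % parts.netloc]
    for name, value in introspection_headers:
        if "\r" in name + value or "\n" in name + value:
            raise ValueError("CR/LF in header %r" % name)  # no header smuggling
        if name.lower() not in PER_REQUEST:
            lines.append("%s: %s" % (name, value))
    lines.append("Content-Type: application/json")
    lines.append("Content-Length: %d" % len(body.encode("utf-8")))
    return "\r\n".join(lines) + "\r\n\r\n" + body

# Constructed sample data (token, tenant and host are placeholders).
SAMPLE_HEADERS = [("Authorization", "Bearer EXAMPLE_TOKEN"),
                  ("X-Tenant", "demo"), ("Content-Length", "1234")]
DENIED = '{"errors": [{"message": "Unauthenticated"}]}'

if __name__ == "__main__":
    print(introspection_needs_auth(200, DENIED))
    print(build_request("https://api.example.test/graphql", SAMPLE_HEADERS,
                        "query { me { id } }"))
```

The same header list would be handed to GraphiQL, so a session opened from the extension runs with the permissions that introspection ran with.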
It should be possible to do the following: