Releases: doyensec/inql

v5.0.2

25 Jul 10:18

A minor release to fix two bugs:

  • InQL duplicating headers in unrelated traffic
  • Burp's internal headers added during 'Generate queries with InQL Scanner' menu action (only from GraphQL editor tab)

Refer to the v5.0.0 release notes for the list of major changes since v4.

v5.0.1

21 Jun 10:13

A minor fix to support Burp versions consisting of two parts (e.g. Early Adopter release 2023.6 as opposed to 2023.5.4).

Refer to the v5.0.0 release notes for the list of major changes since v4.

v5.0.0

16 May 17:33
43da8f7

We are thrilled to announce the major release of InQL v5.0! This version marks a substantial leap in the evolution of our GraphQL testing tool, as we've largely rewritten InQL from scratch. We're moving away from Jython, and while most of the code is still using it, we are planning to transition to Kotlin soon.

While we've bid farewell to the standalone mode and CLI versions in this release, we've also introduced some new features and improvements that we're confident will enhance your testing experience.

What's New?

  • GQLSpection Integration: InQL now leverages GQLSpection for GraphQL parsing and formatting. This ensures compatibility with all GraphQL spec versions.
  • Enhanced Introspection: InQL now sends up to three introspection queries to accurately determine the GraphQL version supported by the server.
  • Improved Query and Mutation Generation: The auto-generated queries and mutations now include inline comments, providing insights from the 'description' fields and some type annotations.
  • User-Friendly Settings Window: We've revamped the Settings window to make it more intuitive and user-friendly.
  • "Points of Interest" Scanner: The new scanner highlights areas of potential interest, aiding pentesters and bug hunters in their quest for vulnerabilities.

For the complete list of changes, please see the Full Changelog.

Looking Ahead

Although v5.0 marks a significant milestone, we're already looking ahead. GraphiQL and cycle detection, which have been removed in this release, will be reintroduced in a new form in the future. We're also planning to rewrite most of the code in Kotlin to optimize performance and maintainability.

We understand that this major release may impact your established workflows due to the deprecation of certain features. Please rest assured that our commitment to refining and enhancing InQL's core functionality remains steadfast.

Thank you for your continued support and happy testing with InQL v5.0!

407: Proxy Authentication Required

16 May 16:55
9c96a77

This is the last release of InQL in the v4.x branch. It will not be pushed to the BApp Store because v5.0 is about to be released, but we're still open to pull requests to fix breaking bugs and annoyances.

What's Changed

  • fix: small error by @0xflotus in #81
  • Fixed bug that will have disabled HTTP/2 on Burp edition before August by @matteoldani in #85
  • Fix setuptools error due to non-compliant version number by @mathdeziel in #88

New Contributors

Full Changelog: v4.0.6...v4.0.7

406: not acceptable

28 Nov 19:01

v4.0.6

Fixes:

  • Try to avoid crashes if schema (slightly) invalid
  • Fix FS corruption preventing InQL from loading
  • Fix CORS issue preventing GraphiQL from loading
  • Update GraphiQL to the latest release
  • Try to use static port for GraphiQL, if available
  • (Burp scanner) Don't report GraphQL API matches on redirects
  • Normalize query names received from server
  • Fix sorting by timestamp

New Features:

  • InQL Attacker: tool for running GraphQL batch attacks

v4.0.5

Fixes:

  • Burp: enable HTTP/2 for Burp >= 2020.8

v4.0.4

Fixes:

  • Burp: remove Content-Type from GET requests
  • Jython: fix the Windows file opener

v4.0.3

Fixes:

  • Burp: print HTTP/2 error eagerly

v4.0.2

Fixes:

  • Burp: unloads the GraphiQL server on exit.

v4.0.1

Fixes:

  • Burp: catch error on missing HTTP/2 options

v4.0.0

Fixes:

  • Disable HTTP/2 in Burp due to Jython incompatibilities
  • Various Fixes

New Features:

  • Generate SQLMap-aware templates
  • Include a new CSRF tester

405: method not allowed

06 Aug 13:06

v4.0.5

Fixes:

  • Burp: enable HTTP/2 for Burp >= 2020.8

v4.0.4

Fixes:

  • Burp: remove Content-Type from GET requests
  • Jython: fix the Windows file opener

v4.0.3

Fixes:

  • Burp: print HTTP/2 error eagerly

v4.0.2

Fixes:

  • Burp: unloads the GraphiQL server on exit.

v4.0.1

Fixes:

  • Burp: catch error on missing HTTP/2 options

v4.0.0

Fixes:

  • Disable HTTP/2 in Burp due to Jython incompatibilities
  • Various Fixes

New Features:

  • Generate SQLMap-aware templates
  • Include a new CSRF tester

404: bug not found

02 Aug 10:14

v4.0.4

Fixes:

  • Burp: remove Content-Type from GET requests
  • Jython: fix the Windows file opener

v4.0.3

Fixes:

  • Burp: print HTTP/2 error eagerly

v4.0.2

Fixes:

  • Burp: unloads the GraphiQL server on exit.

v4.0.1

Fixes:

  • Burp: catch error on missing HTTP/2 options

v4.0.0

Fixes:

  • Disable HTTP/2 in Burp due to Jython incompatibilities
  • Various Fixes

New Features:

  • Generate SQLMap-aware templates
  • Include a new CSRF tester

forwardintime: burp fixes

30 Jun 11:04

v4.0.3

Fixes:

  • Burp: print HTTP/2 error eagerly

v4.0.2

Fixes:

  • Burp: unloads the GraphiQL server on exit.

v4.0.1

Fixes:

  • Burp: catch error on missing HTTP/2 options

v4.0.0

Fixes:

  • Disable HTTP/2 in Burp due to Jython incompatibilities
  • Various Fixes

New Features:

  • Generate SQLMap-aware templates
  • Include a new CSRF tester

backintime: bug fixes

15 Jun 11:04

v4.0.2

Fixes:

  • Burp: unloads the GraphiQL server on exit.

v4.0.1

Fixes:

  • Burp: catch error on missing HTTP/2 options

v4.0.0

Fixes:

  • Disable HTTP/2 in Burp due to Jython incompatibilities
  • Various Fixes

New Features:

  • Generate SQLMap-aware templates
  • Include a new CSRF tester

chronon: CSRF tester, SQLMap templates, recent Burp bugfixes and code improvements

13 May 14:49

v4.0.1

Fixes:

  • Burp: catch error on missing HTTP/2 options

v4.0.0

Fixes:

  • Disable HTTP/2 in Burp due to Jython incompatibilities
  • Various Fixes

New Features:

  • Generate SQLMap-aware templates
  • Include a new CSRF tester