Download
GraphQLmap is a Python-based scripting engine designed to interact with GraphQL endpoints for penetration testing purposes. It can connect to a target GraphQL endpoint, dump the schema (if introspection is enabled), query it interactively, and fuzz fields for NoSQL/SQL injection vectors, thereby revealing hidden attack surfaces. GraphQL endpoints represent a relatively newer attack vector compared to REST, and GraphQLmap helps bridge this gap by providing tooling tailored to the GraphQL paradigm. Because many modern applications adopt GraphQL for flexibility, this tool is useful when scanning and attacking API back ends where typical REST-based tools fall short. For a pentester, GraphQLmap speeds up discovery and exploitation workflows: you don’t just test known endpoints—you enumerate schema, fuzz fields, and chain queries. It offers a CLI, supports various HTTP methods, custom headers, proxies, and is designed to work with real-world GraphQL deployments.
Features
- Schema dumping via introspection of GraphQL endpoints
- Interactive CLI to craft and execute GraphQL queries
- Field fuzzing for injection (NoSQL, SQL) within GraphQL fields
- Support for custom HTTP headers, different methods (GET/POST), and proxying
- Auto-completion and discovery features based on dumped schema
- Python script installable and runnable in command-line pentest workflows
Project Samples
