// the find
swisskyrepo/GraphQLmap
GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. - Do not use for illegal testing ;)
GraphQLmap is a CLI pentesting tool for GraphQL endpoints — schema dumping, query fuzzing, and blind injection (NoSQL, SQL) against a target. It's aimed at CTF players and pentesters who need a quick interactive shell against a GraphQL API rather than a full Burp Suite workflow.
Schema introspection with autocomplete population is genuinely useful and saves manual query construction. The BLIND_PLACEHOLDER approach for blind NoSQL injection is clean and practical for CTFs. Fuzzing with GRAPHQL_INCREMENT and GRAPHQL_CHARSET covers the most common enumeration patterns without needing a separate tool. Proxy support means you can pipe everything through Burp without any friction.
The codebase is essentially a single-author script that hasn't been touched since March 2024 and the TODO list (field suggestions, mutation generation, unit tests) has been sitting open since version 1.0. The fuzzing output shows raw response sizes with no smarter differential analysis — you're eyeballing the numbers yourself. No authentication refresh or session handling, so anything behind a short-lived JWT will break mid-session. The batching feature is bolted on with a prefix syntax that feels like an afterthought rather than a first-class mode.
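The differential analysis the fuzzing output lacks can be done on saved results. This is an added example, not GraphQLmap code: the `triage` function and the `(value, size)` tuple layout are assumptions, and the sample data is constructed. It also covers the case where the endpoint reflects the fuzzed value, so a longer input alone is not reported as a hit.

```python
from collections import Counter

# Constructed sample: (fuzzed value, response size in bytes). The tuple layout is
# an assumption for this example, not GraphQLmap's actual output format.
SAMPLE = [("8", 61), ("9", 61), ("10", 62), ("11", 62),
          ("12", 214), ("13", 62), ("14", 62), ("15", 190)]


def triage(results, echoed=False, tolerance=0):
    """Flag responses whose size deviates from the most common size.

    echoed=True subtracts the length of the fuzzed value first, for endpoints
    that reflect the input in the response (so "9" -> "10" is not a hit).
    tolerance is the size difference in bytes that is still treated as noise.
    """
    if not results:
        return {"baseline": None, "reliable": False, "outliers": []}
    adjusted = [(v, (s - len(v)) if echoed else s) for v, s in results]
    baseline, count = Counter(s for _, s in adjusted).most_common(1)[0]
    outliers = [(v, s - baseline) for v, s in adjusted
                if abs(s - baseline) > tolerance]
    # Without a size shared by a majority of responses there is no stable
    # baseline, and the outlier list should not be trusted.
    reliable = count * 2 > len(adjusted)
    return {"baseline": baseline, "reliable": reliable, "outliers": outliers}


if __name__ == "__main__":
    print(triage(SAMPLE))               # raw sizes: baseline not reliable
    print(triage(SAMPLE, echoed=True))  # reflection removed: two clear outliers
```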