Merge pull request #1630 from HackTricks-wiki/update_InQL_v6_1_0_Just_Landed_with_New_Features_and_Cont_20251203_183031

InQL v6.1.0 Just Landed with New Features and Contribution S...

Author: carlospolop

src/network-services-pentesting/pentesting-web/graphql.md

@@ -437,6 +437,43 @@ file:* mutation
 file:* query
 ```
 
+### Error-based schema reconstruction & engine fingerprinting (InQL v6.1+)
+
+When introspection is blocked, **InQL v6.1+** can now reconstruct the reachable schema purely from error feedback. The new *schema bruteforcer* batches candidate field/argument names from a configurable wordlist and sends them in multi-field operations to reduce HTTP chatter. Useful error patterns are then harvested automatically:
+
+- `Field 'bugs' not found on type 'inql'` confirms the existence of the parent type while discarding invalid field names.
+- `Argument 'contribution' is required` shows that an argument is mandatory and exposes its spelling.
+- Suggestion hints such as `Did you mean 'openPR'?` are fed back into the queue as validated candidates.
+- By intentionally sending values with the wrong primitive (e.g., integers for strings) the bruteforcer provokes type mismatch errors that leak the real type signature, including list/object wrappers like `[Episode!]`.
+
+The bruteforcer keeps recursing over any type that yields new fields, so a wordlist that mixes generic GraphQL names with app-specific guesses will eventually map large chunks of the schema without introspection. Runtime is limited mostly by rate limiting and candidate volume, so fine-tuning the InQL settings (wordlist, batch size, throttling, retries) is critical for stealthier engagements.
+
+In the same release, InQL ships a **GraphQL engine fingerprinter** (borrowing signatures from tools like `graphw00f`). The module dispatches deliberately invalid directives/queries and classifies the backend by matching the exact error text. For example:
+
+```graphql
+query @deprecated {
+    __typename
+}
+```
+
+- Apollo replies with `Directive "@deprecated" may not be used on QUERY.`
+- GraphQL Ruby answers `'@deprecated' can't be applied to queries`.
+
+Once an engine is recognized, InQL surfaces the corresponding entry from the [GraphQL Threat Matrix](https://github.com/nicholasaleks/graphql-threat-matrix), helping testers prioritize weaknesses that ship with that server family (default introspection behavior, depth limits, CSRF gaps, file uploads, etc.).
+
+Finally, **automatic variable generation** removes a classic blocker when pivoting into Burp Repeater/Intruder. Whenever an operation requires a variables JSON, InQL now injects sane defaults so the request passes schema validation on the first send:
+
+```text
+"String"  -> "exampleString"
+"Int"     -> 42
+"Float"   -> 3.14
+"Boolean" -> true
+"ID"      -> "123"
+ENUM      -> first declared value
+```
+
+Nested input objects inherit the same mapping, so you immediately get a syntactically and semantically valid payload that can be fuzzed for SQLi/NoSQLi/SSRF/logic bypasses without manually reverse-engineering every argument.
+
 ## CSRF in GraphQL
 
 If you don't know what CSRF is read the following page:
@@ -718,5 +755,7 @@ https://graphql-dashboard.herokuapp.com/
 - [**https://portswigger.net/web-security/graphql**](https://portswigger.net/web-security/graphql)
 - [**https://github.com/advisories/GHSA-5gc2-7c65-8fq8**](https://github.com/advisories/GHSA-5gc2-7c65-8fq8)
 - [**https://github.com/escape-tech/graphql-armor**](https://github.com/escape-tech/graphql-armor)
+- [**https://blog.doyensec.com/2025/12/02/inql-v610.html**](https://blog.doyensec.com/2025/12/02/inql-v610.html)
+- [**https://github.com/nicholasaleks/graphql-threat-matrix**](https://github.com/nicholasaleks/graphql-threat-matrix)
 
 {{#include ../../banners/hacktricks-training.md}}