🔍 Auto-discover GraphQL endpoints
⚙️ Perform introspection, injection, mutation fuzzing
🛡️ Bypass authentication, test roles, and headers
🧪 Injection payloads: SQLi, XSS, RCE, prototype pollution
- Auto endpoint detection
- JavaScript crawling for hidden endpoints
- Full GraphQL introspection
- Injection engine with customizable payloads
- Mutation engine to break business logic
- Auth bypass and token/header fuzzing
- HTML, JSON, and Markdown reports
git clone https://github.com/nknaman5121a/GQLMap-
cd GQLMap
pip install -r requirements.txt| Flag | Description |
|---|---|
url |
(Required) Target base URL (e.g. https://example.com) |
--endpoint |
Manually specify GraphQL endpoint |
--crawl |
Crawl JS files to find hidden GraphQL endpoints |
--introspect |
Run GraphQL introspection query |
--inject |
Perform injection fuzzing using payloads.json |
--mutate |
Run mutation-based fuzzing engine |
--token <token> |
JWT/Bearer token to use for auth |
--test-roles |
Check for role-based access control flaws |
--header-fuzz |
Fuzz headers to bypass authorization |
--threads <n> |
Run fuzzing using n threads (default: 5) |
--output <format> |
Export report to json, html, or markdown |
--report <file> |
Custom report output path |
--verbose |
Enable verbose logging |
--debug |
Enable debug logs |
--timeout <sec> |
Timeout for each request (default: 10) |
--retries <n> |
Number of retries on failure (default: 2) |
python gqlmap.py https://target.com --crawl --introspectpython gqlmap.py https://target.com --token abc.def.ghi --injectpython gqlmap.py https://target.com --token abc --test-roles --mutatepython gqlmap.py https://target.com --inject --output html --report output/reports/target.htmlpython gqlmap.py https://target.com --token xyz --header-fuzz