
Context and Motivation

Although Caido has recently gone viral as a solid, modern alternative to Burp Suite Community (with an excellent interface and an open source nature), it still has areas where it needs to mature.

Two key points where I found gaps were:

1. WebSockets support: still somewhat "green", missing tools such as a repeater or message injection capabilities.
2. Plugin ecosystem: not yet comparable to the maturity of Burp Pro extensions.

GqlOnaut was born to fill one of those gaps: GraphQL API auditing. Inspired by the well-known Burp extension InQL, this plugin brings direct introspection capabilities to your Caido workflow.

What is Introspection?

Introspection is a native GraphQL feature that allows you to query the server about its own schema. It's like asking a database to draw its E-R diagram for you.

If a server has introspection enabled, you can ask it to reveal:

  • Types: which objects exist (e.g., User, Product).
  • Fields: what data each object holds.
  • Queries: what you can read.
  • Mutations: what you can change.

Typical Queries

The plugin automates this, but under the hood, standard GraphQL system queries like these are happening:

1. List all Types

Retrieves all objects defined in the schema.

2. Investigate a Specific Type

Once you know a User type exists, you can ask what fields it has.

Note

GqlOnaut executes these complex queries for you, building a visual representation of the schema so you don't have to write system queries manually.

Current Capabilities

  • HTTP Support: full introspection over standard HTTP/HTTPS endpoints.
  • Schema Viewer: tree-like navigation of queries and mutations.
  • Native Integration: runs directly within the Caido interface.

Important

Currently, support is limited to HTTP. We are actively working to bring WebSocket support in future versions, enabling real-time subscription auditing.

Test Endpoint

To see the plugin in action, use the public countries API:

  • URL: https://countries.trevorblades.com/

Try fetching the list of continents and their countries:

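As an added example (not GqlOnaut's code), the TypeScript below does offline what the Schema Viewer does with a live response: it takes a constructed introspection result shaped like the answer to the system queries above, first checks whether the server exposed `__schema` at all (a server with introspection disabled answers with `errors` only, which is the posture you want in production), and then renders each operation and object type as a tree with SDL-style field types. The type names mirror the countries API; the field set is a trimmed subset I constructed, not the live schema.

```typescript
// Added example, not GqlOnaut code: parse an introspection response into a schema tree.
type TypeRef = { kind: string; name: string | null; ofType?: TypeRef | null };
type Field = { name: string; args: { name: string; type: TypeRef }[]; type: TypeRef };
type FullType = { kind: string; name: string; fields?: Field[] | null };
type Introspection = { errors?: { message: string }[];
  data?: { __schema: { queryType: { name: string } | null; mutationType: { name: string } | null; types: FullType[] } };
};
const named = (kind: string, name: string): TypeRef => ({ kind, name });
const nonNull = (ofType: TypeRef): TypeRef => ({ kind: "NON_NULL", name: null, ofType });
const list = (ofType: TypeRef): TypeRef => ({ kind: "LIST", name: null, ofType });
const ID = named("SCALAR", "ID");
// Constructed sample: trimmed answer to `{ __schema { queryType { name } types { ... } } }`, countries API names.
const SAMPLE: Introspection = { data: { __schema: { queryType: { name: "Query" }, mutationType: null,
  types: [
    { kind: "OBJECT", name: "Query", fields: [
      { name: "continents", args: [], type: nonNull(list(nonNull(named("OBJECT", "Continent")))) },
      { name: "country", args: [{ name: "code", type: nonNull(ID) }], type: named("OBJECT", "Country") } ] },
    { kind: "OBJECT", name: "Continent", fields: [
      { name: "code", args: [], type: nonNull(ID) },
      { name: "countries", args: [], type: nonNull(list(nonNull(named("OBJECT", "Country")))) } ] },
    { kind: "OBJECT", name: "Country", fields: [{ name: "name", args: [], type: nonNull(named("SCALAR", "String")) }] },
    { kind: "SCALAR", name: "ID" }, { kind: "SCALAR", name: "String" }, { kind: "OBJECT", name: "__Schema", fields: [] } ],
} } };
// Render a wrapped type reference back to SDL notation, e.g. [Continent!]!
function typeToSdl(t: TypeRef): string {
  if (t.kind === "NON_NULL") return `${typeToSdl(t.ofType!)}!`;
  if (t.kind === "LIST") return `[${typeToSdl(t.ofType!)}]`;
  return t.name ?? "?";
}
// Introspection disabled => `errors` and no `__schema` (expected in production); anything else exposes the schema.
function introspectionEnabled(r: Introspection): boolean {
  return Boolean(r.data?.__schema) && !(r.errors && r.errors.length > 0);
}
// One line per object type (root operations labelled query/mutation), then "  field(args): Type" per field.
function schemaTree(r: Introspection): string[] {
  if (!introspectionEnabled(r)) return ["introspection disabled"];
  const s = r.data!.__schema;
  const label = (n: string) => n === s.queryType?.name ? "query" : n === s.mutationType?.name ? "mutation" : "type";
  const lines: string[] = [];
  for (const t of s.types) {
    if (t.kind !== "OBJECT" || t.name.startsWith("__")) continue; // skip scalars and built-in __* types
    lines.push(`${label(t.name)} ${t.name}`);
    for (const f of t.fields ?? []) {
      const args = f.args.map((a) => `${a.name}: ${typeToSdl(a.type)}`).join(", ");
      lines.push(`  ${f.name}${args ? `(${args})` : ""}: ${typeToSdl(f.type)}`);
    }
  }
  return lines;
}
```

Feeding it a real response body from the countries endpoint (the `__schema` queries shown above) gives the same tree the plugin draws, and an `errors`-only body is reported as disabled instead of being parsed.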

🛠️ Development & Installation

This plugin requires the Caido environment to run.

Prerequisites

1. Caido installed: version v0.15 or higher recommended.
2. Plugin environment: the project must have been initialized with pnpm create @caido-community/plugin.

Getting Started

Clone the project and install dependencies:


To start the development server in "watch" mode:

Important

Watch mode automatically reloads the plugin in your Caido instance whenever you save changes to the source code, speeding up rapid iteration.

🔮 Roadmap

This project is constantly evolving. The next major feature leverages new platform capabilities:

  • [ ] Webhook Support: taking advantage of Caido's recent webhook activation, we will enable automatic notifications and external triggers based on introspection findings.

📚 Additional Resources

To dive deeper into developing extensions for this auditing platform:

  • Caido Developer Documentation

_This plugin was developed as an initiative to improve security analysis and auditing tools in GraphQL ecosystems._