MantisSTS/GraphReconduit

GraphReconduit

GraphReconduit is an offline-first GraphQL reconnaissance and analysis bridge for authorized security testing. It passively captures GraphQL traffic from Burp Suite (including WebSocket payloads when available), infers schema and enums from responses/errors, supports controlled introspection, surfaces authz drift, and exports deterministic artifacts for human and LLM-assisted analysis.

Key Features

  • Passive Burp plugin that captures HTTP and GraphQL WebSocket payloads, records typename hints, enum candidates, resolved variables, and errors.
  • CLI pipeline (infer, merge, authz, export, introspect, analyze) that merges passive + introspected schema, scores confidence, tracks roles, and exports operation/intel summaries.
  • VSCode extension with Coverage, Schema, Operations, and Intel views plus commands to auto-run analyze and drive introspection/enumeration.

Components

  • Burp Suite extension (Python/Jython) for passive capture and normalization
  • CLI analysis pipeline for inference, schema fusion, authz drift detection, and exports

Installation

python -m venv .venv
. .venv/bin/activate
pip install -e .

Burp Suite Extension

  1. Open Burp Suite -> Extender -> Extensions -> Add
  2. Extension type: Python
  3. File: burp/GraphReconduit.py
  4. Configure output directory in the GraphReconduit tab (default: ~/graphreconduit)

Burp uses Jython (Python 2.7). The extension avoids external dependencies and runs offline. You can also set GRAPHRECONDUIT_DIR to override the default output path.

The extension is passive-only and never modifies traffic.

Capture options:

  • GRAPHRECONDUIT_CAPTURE_ENUMS=1: capture enum-like response values for schema inference (off by default).
  • WebSocket GraphQL messages are captured when Burp exposes WebSocket listener hooks (GraphQL WS protocols with payload.query and payload.data).
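The passive capture described above boils down to recognising GraphQL inside two transports and normalizing both into one record shape. The following is an added example and not GraphReconduit's own extension code: it handles HTTP JSON bodies (including batched arrays) and graphql-ws / subscriptions-transport-ws frames carrying payload.query or payload.data, and it is written for Python 3 rather than the Jython 2.7 the Burp extension runs under. The record keys and the sample traffic are assumptions of the example.

```python
"""Passive normalization of captured GraphQL messages (added example, not
GraphReconduit's code). Output record keys are this example's own choice."""
import json
import re

# WebSocket message types that carry a query (subscriptions-transport-ws: "start",
# graphql-ws: "subscribe") and those that carry response data ("data" / "next")
WS_QUERY_TYPES = {"start", "subscribe"}
WS_DATA_TYPES = {"data", "next"}

# leading operation keyword and optional name; a bare selection set is an anonymous query
_OP_RE = re.compile(r"^\s*(?:(query|mutation|subscription)\b\s*([A-Za-z_][A-Za-z0-9_]*)?)?")


def parse_operation(query):
    """Return (operation_type, operation_name) for a GraphQL document.

    A document that opens with a fragment definition is reported as an
    anonymous query; a full parser would be needed to find the operation after it.
    """
    m = _OP_RE.match(query)
    return (m.group(1) or "query"), m.group(2)


def _record(transport, query, variables):
    op_type, op_name = parse_operation(query)
    return {"transport": transport, "operation_type": op_type,
            "operation_name": op_name, "query": query,
            "variables": variables if isinstance(variables, dict) else {}}


def normalize_http(body):
    """Normalize a JSON HTTP request body into operation records.

    Returns a list (batched bodies yield several records) or None when the body
    is not GraphQL, so non-GraphQL traffic can be dropped cheaply.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    items = data if isinstance(data, list) else [data]
    records = [_record("http", item["query"], item.get("variables"))
               for item in items
               if isinstance(item, dict) and isinstance(item.get("query"), str)]
    return records or None


def normalize_ws(frame):
    """Normalize one WebSocket text frame; None for control frames (init, ping, ack)."""
    try:
        msg = json.loads(frame)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict) or not isinstance(msg.get("payload"), dict):
        return None
    payload, mtype = msg["payload"], msg.get("type")
    if mtype in WS_QUERY_TYPES and isinstance(payload.get("query"), str):
        rec = _record("ws", payload["query"], payload.get("variables"))
        rec.update({"direction": "request", "id": msg.get("id")})
        return rec
    if mtype in WS_DATA_TYPES and "data" in payload:
        return {"transport": "ws", "direction": "response", "id": msg.get("id"),
                "data": payload.get("data"), "errors": payload.get("errors") or []}
    return None


# constructed sample traffic (not from the example dataset)
SAMPLE_HTTP_BODY = json.dumps([
    {"query": "query GetUser($id: ID!) { user(id: $id) { name } }", "variables": {"id": "1"}},
    {"query": "{ viewer { id } }"},
])
SAMPLE_WS_FRAMES = [
    '{"type":"connection_init","payload":{}}',
    '{"type":"subscribe","id":"1","payload":{"query":"subscription { ticks }"}}',
    '{"type":"next","id":"1","payload":{"data":{"ticks":1}}}',
]

if __name__ == "__main__":
    for rec in normalize_http(SAMPLE_HTTP_BODY):
        print("http", rec["operation_type"], rec["operation_name"])
    for frame in SAMPLE_WS_FRAMES:
        rec = normalize_ws(frame)
        print("ws", rec and rec["direction"], rec and rec.get("operation_type"))
```

Keeping requests and responses as separate records keyed by the frame `id` is what lets a later step join a subscription's query to its `next` payloads; control frames return None so they never pollute the operations/ store.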

CLI Usage

# Initialize the output layout
graphreconduit init --base ~/graphreconduit

# Infer schema from captured operations
graphreconduit infer --base ~/graphreconduit

# Merge inferred and introspected schema
graphreconduit merge --base ~/graphreconduit

# AuthZ drift analysis
graphreconduit authz --base ~/graphreconduit

# Generate exports for human/LLM review
graphreconduit export --base ~/graphreconduit

# Run the full pipeline
graphreconduit analyze --base ~/graphreconduit

Captured operations include typename hints, enum candidates, resolved variables (with default literals), and error strings so inference/introspection stays evidence-driven. Opt into graphreconduit introspect (passive/opportunistic/active) when permitted; active runs support depth/rate-limit flags and are recorded in schema/introspection.log.
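To make the "evidence-driven" part concrete, here is an added example (not GraphReconduit's inference code) that turns captured responses into a schema fragment: __typename hints and value shapes give field types, graphql-js style enum error strings give enum names and suggested values, and a per-field confidence score grows with the number of agreeing observations. The record format, the placeholder type names used when no __typename is present, the error-message wording and the scoring formula are all assumptions of this example.

```python
"""Evidence-driven schema inference from captured responses (added example,
not GraphReconduit's code; record format and scoring are assumptions)."""
import re
from collections import Counter, defaultdict

# graphql-js phrases an invalid enum literal as (format assumed here):
#   Value "X" does not exist in "Status" enum. Did you mean the enum value "ACTIVE"?
_ENUM_ERR_RE = re.compile(r'Value "([^"]*)" does not exist in "([^"]+)" enum')
_SUGGEST_RE = re.compile(r'Did you mean (?:the enum value )?(.+?)\?')
_UPPER_SNAKE = re.compile(r"[A-Z][A-Z0-9_]*")
_ROOT = {"query": "Query", "mutation": "Mutation", "subscription": "Subscription"}


def scalar_type(value):
    """GraphQL scalar a JSON scalar is evidence for; None for null (no evidence)."""
    if isinstance(value, bool):
        return "Boolean"
    if isinstance(value, int):
        return "Int"
    if isinstance(value, float):
        return "Float"
    if isinstance(value, str):
        return "String"
    return None


class Inferrer:
    def __init__(self, capture_enums=False):
        self.capture_enums = capture_enums                       # mirrors GRAPHRECONDUIT_CAPTURE_ENUMS
        self.fields = defaultdict(lambda: defaultdict(Counter))  # type -> field -> Counter(type str)
        self.enums = defaultdict(set)                            # enum name -> candidate values
        self.enum_like = defaultdict(set)                        # "Type.field" -> UPPER_SNAKE strings seen

    def ingest(self, record):
        """Consume one captured operation: {"operation_type", "data", "errors"}."""
        if isinstance(record.get("data"), dict):
            self._walk(record["data"], _ROOT.get(record.get("operation_type"), "Query"))
        for err in record.get("errors") or []:
            self._from_error(err.get("message", "") if isinstance(err, dict) else str(err))

    def _walk(self, obj, type_name):
        type_name = obj.get("__typename") or type_name   # a hint beats the inherited name
        for name, value in obj.items():
            if name != "__typename":
                t = self._type_of(type_name, name, value)
                if t:
                    self.fields[type_name][name][t] += 1

    def _type_of(self, parent, name, value):
        """Type string a value supports, recursing into lists and objects."""
        if isinstance(value, list):
            inner = [t for t in (self._type_of(parent, name, v) for v in value) if t]
            return f"[{inner[0]}]" if inner else None    # empty or all-null list: no evidence
        if isinstance(value, dict):
            child = value.get("__typename") or f"{parent}_{name}"   # placeholder when no hint
            self._walk(value, child)
            return child
        t = scalar_type(value)
        if t == "String" and self.capture_enums and _UPPER_SNAKE.fullmatch(value):
            self.enum_like[f"{parent}.{name}"].add(value)
        return t

    def _from_error(self, message):
        m = _ENUM_ERR_RE.search(message)
        if not m:
            return
        enum_name = m.group(2)
        _ = self.enums[enum_name]                        # the name is evidence even without values
        s = _SUGGEST_RE.search(message)
        if s:
            self.enums[enum_name].update(re.findall(r'"([^"]+)"', s.group(1)))

    def confidence(self):
        """'Type.field' -> agreement on the winning type, saturating at three observations."""
        out = {}
        for tname, fields in self.fields.items():
            for fname, counter in fields.items():
                _, n = counter.most_common(1)[0]
                out[f"{tname}.{fname}"] = round((n / sum(counter.values())) * min(1.0, n / 3), 2)
        return out

    def to_sdl(self):
        """Render inferred object types and enums as SDL (best-supported type per field)."""
        lines = []
        for tname in sorted(self.fields):
            lines.append(f"type {tname} {{")
            lines.extend(f"  {f}: {c.most_common(1)[0][0]}" for f, c in sorted(self.fields[tname].items()))
            lines.append("}")
        for ename in sorted(self.enums):
            lines.append(f"enum {ename} {{")
            lines.extend(f"  {v}" for v in sorted(self.enums[ename]) or ["# no values observed yet"])
            lines.append("}")
        return "\n".join(lines)


SAMPLE_RECORDS = [   # constructed captures, not from examples/sample_dataset
    {"operation_type": "query", "data": {"viewer": {"__typename": "User", "id": "u1", "role": "ADMIN",
        "posts": [{"__typename": "Post", "id": "p1", "likes": 3}]}}},
    {"operation_type": "query", "data": {"viewer": {"__typename": "User", "id": "u2", "role": "MEMBER", "posts": []}}},
    {"operation_type": "mutation", "data": None,
     "errors": [{"message": 'Value "FROZEN" does not exist in "Status" enum. Did you mean the enum value "ACTIVE"?'}]},
]


def infer(records, capture_enums=True):
    inf = Inferrer(capture_enums)
    for rec in records:
        inf.ingest(rec)
    return inf


if __name__ == "__main__":
    result = infer(SAMPLE_RECORDS)
    print(result.to_sdl())
    print(result.confidence())
```

Note what the evidence rule buys: the empty `posts: []` in the second capture adds nothing to `User.posts` rather than pulling its confidence down, and the rejected literal `FROZEN` is not recorded as a value of `Status`, only the server's own suggestion `ACTIVE` is.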

VSCode Extension

Dev install

  1. Open vscode-extension/ in a terminal.
  2. Install dependencies and build:
npm install
npm run compile
  3. Launch the extension in VSCode (Run and Debug -> "Run Extension").

VSIX install

cd vscode-extension
npm install -g @vscode/vsce
npm run compile
vsce package
code --install-extension graphreconduit-0.1.0.vsix

Configure graphreconduit.baseDir to match the Burp output directory. The extension provides Coverage, Schema, Operations, and Intel views:

  • Coverage: tracks merged-schema fields that have been observed, highlighting missing areas for follow-up.
  • Schema: shows merged fields with types, confidence, roles, enums, and sources, letting you drill down into metadata.
  • Operations: groups captured queries by type and opens the raw JSON for manual review.
  • Intel: surfaces endpoints, roles, variables, errors, and enum candidates for quick reconnaissance insight. It auto-runs graphreconduit analyze if the base dir changes or required outputs are missing; use graphreconduit.pythonPath if you need a non-default interpreter.

Introspection Modes

Passive introspection only uses responses already captured.

# Passive (default)
graphreconduit introspect --base ~/graphreconduit

# Opportunistic replay of observed introspection queries
graphreconduit introspect --mode opportunistic --endpoint https://target/graphql \
  --header "Authorization: Bearer TOKEN"

# Active (explicit opt-in)
graphreconduit introspect --mode active --active --endpoint https://target/graphql \
  --header "Authorization: Bearer TOKEN" --depth 4 --rate-limit 0.5

Use `--method POST|GET` when replaying or driving introspection if you need to change the HTTP method the target is queried with (both the CLI and the VSCode Enumerate Schema command support this flag).

VSCode command palette:

  • GraphReconduit: Analyze BaseDir (re-runs the full pipeline/output generation; helpful after new captures).
  • GraphReconduit: Enumerate Schema (prompts for mode, endpoint, and headers; active requires explicit confirmation and rate-limiting).
  • GraphReconduit: Open Operation (opens the raw JSON for a captured operation from the Operations view).

Storage Layout

graphreconduit/
├─ traffic/
│  ├─ requests/
│  └─ responses/
├─ operations/
├─ schema/
│  ├─ inferred.graphql
│  ├─ introspected.graphql
│  ├─ merged.graphql
│  └─ confidence.json
├─ relationships/
├─ authz/
├─ exports/
│  ├─ llm_context.md
│  ├─ abuse_paths.md
│  ├─ schema_summary.json
│  └─ operations_summary.json
└─ index.json
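The authz/ directory above holds the output of the `authz` step. The page does not spell out how drift is computed, so the following is an added example and not GraphReconduit's own logic: it builds a field x role matrix from captured responses, counting non-null data fields as granted and GraphQL errors with an authorization code or wording (located by their `path`) as denied, then reports fields a lower-ranked role receives while a higher-ranked role is refused, fields a single role both receives and is refused, and fields seen under only one role (no comparison possible yet). The role ranking, the error classification and the record format are assumptions of the example.

```python
"""AuthZ drift detection over captured responses (added example, not
GraphReconduit's code; role ranking and error classification are assumed)."""
import re
from collections import defaultdict

ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}        # assumed privilege order
_AUTHZ_CODES = {"FORBIDDEN", "UNAUTHENTICATED", "UNAUTHORIZED"}
_AUTHZ_MSG = re.compile(r"not authori[sz]ed|forbidden|permission|unauthenticated", re.I)


def is_authz_error(err):
    """Treat an error as an authorization refusal by extensions.code or message wording."""
    code = str((err.get("extensions") or {}).get("code", ""))
    return code.upper() in _AUTHZ_CODES or bool(_AUTHZ_MSG.search(err.get("message", "")))


def field_path(path):
    """Dotted field path with list indices dropped: ["posts", 0, "title"] -> "posts.title"."""
    return ".".join(p for p in path if isinstance(p, str))


def granted_paths(data, prefix=()):
    """Yield the dotted path of every non-null field in a response data tree."""
    if isinstance(data, dict):
        for key, value in data.items():
            if key == "__typename" or value is None:   # null: masked or empty, no evidence
                continue
            yield field_path(prefix + (key,))
            yield from granted_paths(value, prefix + (key,))
    elif isinstance(data, list):
        for item in data:
            yield from granted_paths(item, prefix)


class AuthzMatrix:
    def __init__(self):
        self.obs = defaultdict(lambda: defaultdict(set))   # field -> role -> {"allowed","denied"}

    def ingest(self, record):
        """Consume one capture: {"role": ..., "data": ..., "errors": [...]}."""
        role = record["role"]
        denied = {field_path(e["path"]) for e in record.get("errors") or []
                  if e.get("path") and is_authz_error(e)}
        for path in denied:
            self.obs[path][role].add("denied")
        for path in set(granted_paths(record.get("data") or {})):
            if path not in denied:
                self.obs[path][role].add("allowed")

    def drift(self):
        """Return (kind, field, role, other_role) findings, sorted by field."""
        findings = []
        for field, roles in sorted(self.obs.items()):
            for role, outcomes in roles.items():
                if outcomes == {"allowed", "denied"}:             # same role, both outcomes
                    findings.append(("inconsistent", field, role, None))
            allowed = [r for r, o in roles.items() if "allowed" in o]
            denied = [r for r, o in roles.items() if "denied" in o]
            for lo in allowed:
                for hi in denied:
                    if ROLE_RANK.get(lo, 0) < ROLE_RANK.get(hi, 0):   # lower role sees more
                        findings.append(("inversion", field, lo, hi))
            if len(roles) == 1:                                   # no second role to compare
                findings.append(("single_role", field, next(iter(roles)), None))
        return findings


SAMPLE_RECORDS = [   # constructed captures, not from examples/sample_dataset
    {"role": "anonymous", "data": {"viewer": None},
     "errors": [{"message": "Not authenticated", "path": ["viewer"],
                 "extensions": {"code": "UNAUTHENTICATED"}}]},
    {"role": "user", "data": {"viewer": {"id": "u1", "email": None, "adminNotes": "escalated"}},
     "errors": [{"message": "Not authorized", "path": ["viewer", "email"]}]},
    {"role": "admin", "data": {"viewer": {"id": "a1", "email": "a@example.test", "adminNotes": None}},
     "errors": [{"message": "Forbidden", "path": ["viewer", "adminNotes"],
                 "extensions": {"code": "FORBIDDEN"}}]},
]


def build_matrix(records):
    matrix = AuthzMatrix()
    for rec in records:
        matrix.ingest(rec)
    return matrix


if __name__ == "__main__":
    for finding in build_matrix(SAMPLE_RECORDS).drift():
        print(*finding)
```

In the constructed captures `viewer.adminNotes` is served to `user` but refused to `admin`, which is the kind of inversion a reviewer wants surfaced; `viewer.email` being refused to `user` and served to `admin` is the expected direction and produces no finding. Nulls are deliberately not counted as denials, since a null can equally be an empty value, so only an explicit authorization error moves a cell to "denied".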

Safety Notes

  • Passive-first by default
  • Introspection is explicitly opt-in
  • No fuzzing, exploitation, or brute force
  • Evidence-driven inference only

Example Dataset

See examples/sample_dataset/graphreconduit for a minimal capture + analysis output.
