HeyImKarim/BeEzz_QL

BeEzz_QL 🐝

Fuzz Fast, Win Big!

License: MIT

BeEzz_QL is a powerful and intuitive GraphQL Fuzzing tool designed for security researchers, penetration testers, and bug bounty hunters. It helps discover exposed or hidden fields and potential vulnerabilities in GraphQL endpoints by automating the fuzzing process.

Key Features

  • 🧠 Smart Suggestion Engine: Automatically extracts potential field names from GraphQL error messages to find new targets.
  • 🔄 Session Resume: Never lose your work. The tool saves progress and can resume an unfinished fuzzing session.
  • ⏯️ Interactive Control: Pause the fuzzer at any time by pressing Enter, and press it again to resume.
  • 🛡️ Safe Mode: Includes a safety check to skip potentially destructive GraphQL mutations (like "delete" or "remove").
  • ⚙️ External Configuration: Easily tune delay, retries, and other settings via settings.json without modifying the code.
  • 💪 Resilient Fuzzing: Built-in logic to handle network errors and rate limits with configurable retries.
  • 📂 Organized Results: All findings (valid fields, suggestions, errors) are neatly saved in a timestamped results directory.

Installation

  1. Clone the repository:

    git clone https://github.com/ks7-karem/BeEzz_QL.git
    cd BeEzz_QL
  2. Install the required dependencies:

    pip install -r requirements.txt

How to Use

  1. Add Wordlists: Place your .txt wordlist files inside the /wordlists directory.

  2. Configure Request: Open request.txt and paste your target's raw HTTP request. Make sure to replace the keyword you want to fuzz with the FUZZ placeholder.

  3. Adjust Settings (Optional): Modify settings.json to change the delay between requests, set retry logic, or enable safe mode.

  4. Run the Fuzzer:

    python BeeZz_QL.py

    The tool will prompt you to select a wordlist and will then start the fuzzing process.

Configuration (settings.json)

You can customize the fuzzer's behavior by editing the settings.json file:

  • DELAY: Time in seconds to wait between requests.
  • RETRY_CODES: A list of HTTP status codes that will trigger a retry.
  • MAX_RETRIES: The maximum number of times to retry a request.
  • RETRY_DELAY: Time in seconds to wait before a retry.
  • SAFE_MODE: If true, the fuzzer will skip mutations containing dangerous keywords.
  • PERSISTENT_MODE: If true, uses persisted queries to potentially bypass security controls.
  • AUTH_TOKEN: Add a Bearer token here if required by the target API.
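
One way a safe-mode guard like the one described under Key Features and the SAFE_MODE setting could work, as an added example rather than BeEzz_QL's own code. The function names, the keyword tuple, the JSON `query` body shape and the fail-closed choices are assumptions of this example.

```python
import json
import re

# Assumed keyword list: the README names only "delete" and "remove".
DANGEROUS_KEYWORDS = ("delete", "remove")
OPERATION_WORDS = ("query", "mutation", "subscription", "fragment")
# Comments and string literals in one left-to-right pass, so a '#' inside a
# string or a quote inside a comment cannot hide or fake a field name.
_NOISE = re.compile(r'#[^\n]*|"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"')
_TOKEN = re.compile(r"[_A-Za-z][_0-9A-Za-z]*|[(){}]")


def is_destructive(document, keywords=DANGEROUS_KEYWORDS):
    """True if any name inside a mutation operation contains a keyword."""
    depth = parens = 0
    in_mutation = False
    for tok in _TOKEN.findall(_NOISE.sub(" ", document)):
        if tok == "(":
            parens += 1
        elif tok == ")":
            parens -= 1
        elif tok in ("{", "}"):
            if parens == 0:  # braces inside arguments are input objects
                depth += 1 if tok == "{" else -1
                if depth == 0:
                    in_mutation = False  # end of this operation
        elif depth == 0 and parens == 0 and tok in OPERATION_WORDS:
            in_mutation = tok == "mutation"
        elif in_mutation and any(k in tok.lower() for k in keywords):
            return True
    return False


def should_skip(body, settings):
    """Decide whether a JSON request body must not be sent under SAFE_MODE."""
    if not settings.get("SAFE_MODE", False):
        return False
    try:
        document = json.loads(body).get("query")
    except (ValueError, TypeError, AttributeError):
        return True  # unparseable body: cannot inspect it, so fail closed
    if not isinstance(document, str):
        return True  # no query text to inspect (e.g. a persisted-query body)
    return is_destructive(document)
```

The match is deliberately broad (operation, variable and type names inside a mutation all count), because a false skip costs one request while a missed destructive mutation changes data on the target.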

License

This project is licensed under the MIT License. See the LICENSE file for details.

Author

  • ks7-karem
