Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebookâs GraphQL technology, to learn and practice GraphQL Security.
About DVGA
Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.
DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section.
Operation Modes
DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.
Scenarios
Prerequisites
The following Python3 libraries are required:
See requirements.txt for dependencies.
Installation
Docker
git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application
Alternatively, pull the image directly from Docker Hub: docker pull dolevf/dvga
docker build -t dvga .
docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dvga
In your browser, navigate to http://localhost:5000
Optionally, if you need the application to bind on a specific port or interface, use the following command: docker run -e WEB_HOST=0.0.0.0 -e WEB_PORT=8080 -t -p 8080:8080 dvga
Server
cd /opt/
git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application
pip3 install -r requirements.txt
python3 app.py
In your browser, navigate to http://localhost:5000.
Screenshots
Disclaimer
DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations. DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.
Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…
Introduction In the world of cybersecurity, knowledge is power. One of the most powerful skillsets…
Introduction In the vast ocean of the internet, the most powerful tool you already have…
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…