Damn Vulnerable GraphQL Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook’s GraphQL technology, to learn and practice GraphQL Security.

About DVGA

Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.

DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section.

Operation Modes

DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.

Scenarios

  • Denial of Service
    • Batch Query Attack
    • Deep Recursion Query Attack
    • Resource Intensive Query Attack
  • Information Disclosure
    • GraphQL Introspection
    • GraphiQL Interface
    • GraphQL Field Suggestions
    • Server Side Request Forgery
  • Code Execution
    • OS Command Injection #1
    • OS Command Injection #2
  • Injection
    • Stored Cross Site Scripting
    • Log spoofing / Log Injection
    • HTML Injection
  • Authorization Bypass
    • GraphQL Interface Protection Bypass
    • GraphQL Query Deny List Bypass
  • Miscellaneous
    • GraphQL Query Weak Password Protection
    • Arbitrary File Write // Path Traversal

Prerequisites

The following Python3 libraries are required:

  • Python3
  • Flask
  • Flask-SQLAlchemy
  • Graphene
  • Graphene-SQLAlchemy

See requirements.txt for dependencies.

Installation

Docker

  • Clone the repository

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Alternatively, pull the image directly from Docker Hub: docker pull dolevf/dvga

  • Build the Docker image

docker build -t dvga .

  • Create a container from the image

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dvga

In your browser, navigate to http://localhost:5000

Optionally, if you need the application to bind on a specific port or interface, use the following command: docker run -e WEB_HOST=0.0.0.0 -e WEB_PORT=8080 -t -p 8080:8080 dvga

Server

  • Navigate to /opt

cd /opt/

  • Clone the repository

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

  • Install Requirements

pip3 install -r requirements.txt

  • Run Application

python3 app.py

In your browser, navigate to http://localhost:5000.

Screenshots

Disclaimer

DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations. DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.

Download
R K

Share
Published by
R K
Tags: GraphQLVulnerable
4 years ago

Recent Posts

Starship : Revolutionizing Terminal Experiences Across Shells

Starship is a powerful, minimal, and highly customizable cross-shell prompt designed to enhance the terminal…

7 hours ago

Lemmy : A Decentralized Link Aggregator And Forum For The Fediverse

Lemmy is an innovative, open-source platform designed for link aggregation and discussion, providing a decentralized…

7 hours ago

Massive UX Improvements, Custom Disassemblers, And MSVC Support In ImHex v1.37.0

The latest release of ImHex v1.37.0 introduces a host of exciting features and improvements, enhancing…

9 hours ago

Ghauri : A Powerful SQL Injection Detection And Exploitation Tool

Ghauri is a cutting-edge, cross-platform tool designed to automate the detection and exploitation of SQL…

12 hours ago

Writing Tools : Revolutionizing The Art Of Writing

Writing tools have become indispensable for individuals looking to enhance their writing efficiency, accuracy, and…

12 hours ago

PatchWerk : A Tool For Cleaning NTDLL Syscall Stubs

PatchWerk is a proof-of-concept (PoC) tool designed to clean NTDLL syscall stubs by patching syscall…

1 day ago