Damn Vulnerable GraphQL Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

DVGA

Table of Contents

About DVGA

Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.

DVGA Operation Support

DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section.

Operation Modes

DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.

Scenarios

Prerequisites

The following Python3 libraries are required:

See requirements.txt for dependencies.

Installation

Docker

Clone the repository

git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Build the Docker image

docker build -t dvga .

Create a container from the image

docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dvga

In your browser, navigate to http://localhost:5013

Note: if you need the application to bind on a specific port (e.g. 8080), use -e WEB_PORT=8080.

Docker Registry

Pull the docker image from Docker Hub

docker pull dolevf/dvga

Create a container from the image

docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga

In your browser, navigate to http://localhost:5013

Server

Note: Python 3.10 is not supported yet!

Navigate to /opt

cd /opt/

Clone the repository

git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Install Requirements

pip3 install -r requirements.txt

Run application

python3 app.py

In your browser, navigate to http://localhost:5013.

Screenshots

DVGA DVGA DVGA DVGA

Maintainers

Mentions

Disclaimer

DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations.

DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.

License

It is distributed under the MIT License. See LICENSE for more information.