Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.
Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.
DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section.
DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.
The following Python3 libraries are required:
See requirements.txt for dependencies.
git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application
docker build -t dvga .
docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dvga
In your browser, navigate to http://localhost:5013
Note: if you need the application to bind on a specific port (e.g. 8080), use -e WEB_PORT=8080.
docker pull dolevf/dvga
docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga
In your browser, navigate to http://localhost:5013
Note: Python 3.10 is not supported yet!
cd /opt/
git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application
pip3 install -r requirements.txt
python3 app.py
In your browser, navigate to http://localhost:5013.
A big Thank You to the kind people who helped make DVGA better:
DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations.
DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.
It is distributed under the MIT License. See LICENSE for more information.