Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable GraphQL service implementation designed for learning about and practising GraphQL Security.
https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

damn-vulnerable damn-vulnerable-web-application exploitation graphql graphql-security penetration-testing security vulnerability

Last synced: about 1 month ago
JSON representation

Damn Vulnerable GraphQL Application is an intentionally vulnerable GraphQL service implementation designed for learning about and practising GraphQL Security.

Host: GitHub
URL: https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application
Owner: dolevf
License: mit
Created: 2021-02-03T21:04:27.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2024-01-14T01:59:04.000Z (11 months ago)
Last Synced: 2024-10-15T05:21:02.374Z (about 2 months ago)
Topics: damn-vulnerable, damn-vulnerable-web-application, exploitation, graphql, graphql-security, penetration-testing, security, vulnerability
Language: JavaScript
Homepage:
Size: 3.09 MB
Stars: 1,497
Watchers: 27
Forks: 299
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE.md

Awesome Lists containing this project

awesome-sites-to-test-on - Damn Vulnerable GraphQL Application
awesome-vulnerable-apps - Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security. (Uncategorized / Firmware)
awesome-graphql-security - Damn Vulnerable GraphQL Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security. (Offensive Security / Vulnerable Applications)
awesome-api-security - Damn Vulnerable GraphQL Application
awesome-hacking-lists - dolevf/Damn-Vulnerable-GraphQL-Application - Damn Vulnerable GraphQL Application is an intentionally vulnerable GraphQL service implementation designed for learning about and practising GraphQL Security. (JavaScript)

README

        # Damn Vulnerable GraphQL Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.



  



# Table of Contents

* [About DVGA](#about)

* [Operation Modes](#operation-modes)

* [Scenarios](#scenarios)

* [Prerequisites](#prerequisites)

* [Installation](#installation)

  * [Installation - Docker](#docker)

  * [Installation - Docker Registry](#docker-registry)

  * [Installation - Server](#server)

* [Screenshots](#screenshots)

* [Maintainers](#maintainers)

* [Contributors](#contributors)

* [Mentions](#mentions)

* [Disclaimer](#disclaimer)

* [License](#license)

# About DVGA

Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.

## DVGA Operation Support

- Queries

- Mutations

- Subscriptions

DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the [Scenarios](#scenarios) section. A public [Postman collection](https://www.postman.com/devrel/workspace/ab3d0551-b65d-4588-b464-1a317e8d7e98/collection/14270212-b5875c90-d36e-43f4-8bd7-2c81b556245d?action=share&creator=14270212) is also available to replay solutions to the challenges. You can import the collection by clicking on the Run in Postman button below.

[![Run in Postman](https://run.pstmn.io/button.svg)](https://god.gw.postman.com/run-collection/14270212-b5875c90-d36e-43f4-8bd7-2c81b556245d?action=collection%2Ffork&collection-url=entityId%3D14270212-b5875c90-d36e-43f4-8bd7-2c81b556245d%26entityType%3Dcollection%26workspaceId%3Dab3d0551-b65d-4588-b464-1a317e8d7e98)

# Operation Modes

DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.

# Scenarios

* **Reconnaissance**

  * Discovering GraphQL

  * Fingerprinting GraphQL

* **Denial of Service**

  * Batch Query Attack

  * Deep Recursion Query Attack

  * Resource Intensive Query Attack

  * Field Duplication Attack

  * Aliases based Attack

* **Information Disclosure**

  * GraphQL Introspection

  * GraphiQL Interface

  * GraphQL Field Suggestions

  * Server Side Request Forgery

  * Stack Trace Errors

* **Code Execution**

  * OS Command Injection #1

  * OS Command Injection #2

* **Injection**

  * Stored Cross Site Scripting

  * Log spoofing / Log Injection

  * HTML Injection

  * SQL Injection

* **Authorization Bypass**

  * GraphQL JWT Token Forge

  * GraphQL Interface Protection Bypass

  * GraphQL Query Deny List Bypass

* **Miscellaneous**

  * GraphQL Query Weak Password Protection

  * Arbitrary File Write // Path Traversal

# Prerequisites

The following Python3 libraries are required:

* Python3 (3.6 - 3.9) (3.10 is not supported)

* Flask

* Flask-SQLAlchemy

* Flask-Sockets

* Gevent

* Graphene

* Graphene-SQLAlchemy

* Rx

See [requirements.txt](requirements.txt) for dependencies.

# Installation

## Docker

### Clone the repository

`git clone https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application`

### Build the Docker image

`docker build -t dvga .`

**Note:** If you are using an ARM-based Mac, use the dedicated Dockerfile.arm64 file:

`docker build -t dvga -f Dockerfile.arm64 .`

### Create a container from the image

`docker run -d -t -p 5013:5013 -e WEB_HOST=0.0.0.0 --name dvga dvga`

In your browser, navigate to http://localhost:5013

Note: if you need the application to bind on a specific port (e.g. 8080), use **-e WEB_PORT=8080**.

## Docker Registry

### Pull the docker image from Docker Hub

`docker pull dolevf/dvga`

Docker Hub image: [dolevf/dvga](https://hub.docker.com/r/dolevf/dvga)

### Create a container from the image

`docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga`

In your browser, navigate to http://localhost:5013

## Server

**Note**: Python 3.10 is **not supported** yet!

### Navigate to /opt

`cd /opt/`

### Clone the repository

`git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application`

### Install Requirements

`pip3 install -r requirements.txt`

### Run application

`python3 app.py`

In your browser, navigate to http://localhost:5013.

# Screenshots

![DVGA](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/blob/master/static/screenshots/index.png)

![DVGA](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/blob/master/static/screenshots/solution.png)

![DVGA](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/blob/master/static/screenshots/pastes.png)

![DVGA](https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application/blob/master/static/screenshots/create.png)

# Maintainers

* [Dolev Farhi](https://github.com/dolevf)

* [Connor McKinnon](https://github.com/connormckinnon93)

* [Nick Aleks](https://github.com/nicholasaleks)

# Contributors

A big Thank You to the kind people who helped make DVGA better:

 * [Halfluke](https://github.com/halfluke)

# Mentions

* [Black Hat GraphQL - No Starch Press](https://blackhatgraphql.com)

* [OWASP Vulnerable Web Applications Directory](https://owasp.org/www-project-vulnerable-web-applications-directory/)

* [GraphQL Weekly](https://www.graphqlweekly.com/issues/221/#content)

* [DZone API Security Weekly](https://dzone.com/articles/api-security-weekly-issue-121)

* [KitPloit](https://www.kitploit.com/2021/02/damn-vulnerable-graphql-application.html)

* [tl;dr sec #72](https://tldrsec.com/blog/tldr-sec-072/)

* [Intigriti Blog](https://blog.intigriti.com/2021/02/17/bug-bytes-110-scope-based-recon-finding-more-idors-how-to-hack-sharepoint/)

* [STÖK - Bounty Thursdays #26](https://www.youtube.com/watch?v=645Tb7ySQFk)

* [Brakeing Security 2021-007](https://brakeingsecurity.com/2021-007-news-google-asking-for-oss-to-embrace-standards-insider-threat-at-yandex-vectr-discussion)

* [Yes We Hack - How to Exploit GraphQL](https://blog.yeswehack.com/yeswerhackers/how-exploit-graphql-endpoint-bug-bounty/)

* [GraphQL Editor](https://blog.graphqleditor.com/dvga)

* [GraphQL Hacking (Portuguese)](https://www.youtube.com/watch?v=4gXOerUZ7fw)

* [InQL GraphQL Scanner Demo](https://www.youtube.com/watch?v=KOCBeJmTs78)

* [H4ck3d - Security Conference 2021 (Spanish)](https://youtu.be/hg_kVoy-W1s)

* [Christina Hasternath - GraphQLConf 2021](https://www.youtube.com/watch?v=tPO1jl0tCKg)

* [Hacking APIs (Ch14) by Corey Ball - No Starch Press](https://nostarch.com/hacking-apis)

* [Hacking Simplified Part #1](https://www.youtube.com/watch?v=w0QOAacuPgQ)

* [Hacking Simplified Part #2](https://www.youtube.com/watch?v=YA-mL9Z8SNI)

* [Hacking Simplified Part #3](https://www.youtube.com/watch?v=kUTIFx8vGQs)

# Disclaimer

DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations.

DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.

# License

It is distributed under the MIT License. See LICENSE for more information.