MCPcopy Index your code
hub / github.com/dolevf/Damn-Vulnerable-GraphQL-Application

github.com/dolevf/Damn-Vulnerable-GraphQL-Application @2.2.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release 2.2.0 ↗ · + Follow
760 symbols 1,942 edges 44 files 76 documented · 10%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Damn Vulnerable GraphQL Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

DVGA

Table of Contents

About DVGA

Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.

DVGA Operation Support

  • Queries
  • Mutations
  • Subscriptions

DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section. A public Postman collection is also available to replay solutions to the challenges. You can import the collection by clicking on the Run in Postman button below.

Run in Postman

Operation Modes

DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.

Scenarios

  • Reconnaissance
  • Discovering GraphQL
  • Fingerprinting GraphQL
  • Denial of Service
  • Batch Query Attack
  • Deep Recursion Query Attack
  • Resource Intensive Query Attack
  • Field Duplication Attack
  • Aliases based Attack
  • Information Disclosure
  • GraphQL Introspection
  • GraphiQL Interface
  • GraphQL Field Suggestions
  • Server Side Request Forgery
  • Stack Trace Errors
  • Code Execution
  • OS Command Injection #1
  • OS Command Injection #2
  • Injection
  • Stored Cross Site Scripting
  • Log spoofing / Log Injection
  • HTML Injection
  • SQL Injection
  • Authorization Bypass
  • GraphQL JWT Token Forge
  • GraphQL Interface Protection Bypass
  • GraphQL Query Deny List Bypass
  • Miscellaneous
  • GraphQL Query Weak Password Protection
  • Arbitrary File Write // Path Traversal

Prerequisites

The following Python3 libraries are required:

  • Python3 (3.6 - 3.10)
  • Flask
  • Flask-SQLAlchemy
  • Flask-Sockets
  • Gevent
  • Graphene
  • Graphene-SQLAlchemy
  • Rx

See requirements.txt for dependencies.

Installation

Docker

Clone the repository

git clone https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Build the Docker image

docker build -t dvga .

Create a container from the image

docker run -d -t -p 5013:5013 -e WEB_HOST=0.0.0.0 --name dvga dvga

In your browser, navigate to http://localhost:5013

Note: if you need the application to bind on a specific port (e.g. 8080), use -e WEB_PORT=8080.

Docker Registry

Pull the docker image from Docker Hub

docker pull dolevf/dvga

Docker Hub image: dolevf/dvga

Create a container from the image

docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga

In your browser, navigate to http://localhost:5013

Server

Navigate to /opt

cd /opt/

Clone the repository

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Install Requirements

pip3 install -r requirements.txt

Run application

python3 app.py

In your browser, navigate to http://localhost:5013.

Screenshots

DVGA DVGA DVGA DVGA

Maintainers

Contributors

A big Thank You to the kind people who helped make DVGA better: * Halfluke

Mentions

Disclaimer

DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations.

DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.

License

It is distributed under the MIT License. See LICENSE for more information.

Core symbols most depended-on inside this repo

graph_query
called by 50
tests/common.py
isFunction
called by 40
static/jquery/jquery.js
jQuery
called by 39
static/jquery/jquery.js
jQuery
called by 35
static/jquery/jquery.slim.js
isFunction
called by 29
static/jquery/jquery.slim.js
_extends
called by 20
static/bootstrap/js/bootstrap.js
_extends
called by 20
static/bootstrap/js/bootstrap.bundle.js
create_audit_entry
called by 20
core/models.py

Shape

Function 670
Class 42
Method 36
Route 12

Languages

TypeScript74%
Python26%

Modules by API surface

static/jquery/jquery.js112 symbols
static/bootstrap/js/bootstrap.bundle.js97 symbols
static/jquery/jquery.slim.js94 symbols
static/jquery/jquery.min.js83 symbols
core/views.py81 symbols
static/jquery/jquery.slim.min.js72 symbols
static/bootstrap/js/bootstrap.bundle.min.js54 symbols
static/bootstrap/js/bootstrap.js29 symbols
tests/test_vulnerabilities.py14 symbols
tests/test_queries.py14 symbols
core/middleware.py12 symbols
static/bootstrap/js/bootstrap.min.js11 symbols

For agents

$ claude mcp add Damn-Vulnerable-GraphQL-Application \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact