Damn Vulnerable GraphQL Application, or DVGA, is a vulnerable GraphQL implementation. DVGA allows learning how GraphQL can be exploited as well as defended in a safe environment.
If you aren't yet familiar with GraphQL, see the GraphQL Resources section below. Otherwise, start poking around and find loopholes! There are GraphQL Implementation flaws as well as general application vulnerabilities.
You can set a "game mode" in DVGA, Beginner or Expert, by clicking the cube icon in the top bar menu and choosing the level. This is a global setting that applies to all clients (GUI or CLI).
If you are interacting with DVGA programmatically, you can also set the game mode by passing the HTTP request header X-DVGA-MODE with a value of either Beginner or Expert. If the header is not set, DVGA defaults to Beginner mode, or to whatever you previously set in the user interface.
DVGA's Beginner level is the default GraphQL implementation without any restrictions, security controls, or other protections: what you would get out of the box from most GraphQL implementations without hardening, plus the custom vulnerabilities DVGA adds on top.
DVGA's Hard level is a hardened GraphQL implementation that contains a few security controls against malicious queries, such as cost-based analysis, query depth limits, field de-duplication checks, etc.
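To make the hardened-mode controls above concrete, here is an added example (written for this page, not DVGA's own code) of a query depth limit and a duplicate-field check applied to a GraphQL query string before execution. It uses a brace-nesting parser with a constructed depth limit and constructed sample queries, and ignores fragments and string arguments containing parentheses.

```python
import re
from typing import List, Tuple

MAX_DEPTH = 3  # assumed limit for this illustration, not DVGA's configured value


def strip_args(query: str) -> str:
    """Remove (...) argument lists so only field names and selection braces remain.
    Object-literal arguments like (filter: {name: "x"}) are dropped with them, so
    their braces do not count toward depth. Strings containing ')' are not handled."""
    return re.sub(r"\([^()]*\)", "", query)


def max_depth(query: str) -> int:
    """Nesting depth of the deepest selection set; the operation's outer braces count as 1."""
    depth = current = 0
    for ch in strip_args(query):
        if ch == "{":
            current += 1
            depth = max(depth, current)
        elif ch == "}":
            current -= 1
    return depth


def duplicate_fields(query: str) -> List[str]:
    """Field names repeated inside the same selection set, in first-seen order."""
    dupes: List[str] = []
    stack: List[List[str]] = [[]]  # one name list per open selection set
    for tok in re.findall(r"[{}]|[A-Za-z_][A-Za-z0-9_]*", strip_args(query)):
        if tok == "{":
            stack.append([])
        elif tok == "}":
            if len(stack) > 1:  # tolerate an unbalanced closing brace
                stack.pop()
        else:
            if tok in stack[-1] and tok not in dupes:
                dupes.append(tok)
            stack[-1].append(tok)
    return dupes


def check_query(query: str, limit: int = MAX_DEPTH) -> Tuple[bool, str]:
    """Return (accepted, reason), as a hardened gateway would decide before resolving."""
    d = max_depth(query)
    if d > limit:
        return False, f"query depth {d} exceeds limit {limit}"
    dupes = duplicate_fields(query)
    if dupes:
        return False, "duplicate fields: " + ", ".join(dupes)
    return True, "ok"


# Constructed sample queries; the field names are illustrative, not DVGA's schema.
SHALLOW = "{ items { id title } }"
DEEP = "{ items { author { items { author { name } } } } }"
DUPED = "{ items(limit: 5) { id id title } }"
```

Running `check_query` on each sample accepts SHALLOW, rejects DEEP for depth and rejects DUPED for the repeated `id` field.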
To learn about GraphQL, and common GraphQL weaknesses and attacks, the following resources may be beneficial:
Head over to the Solutions page to reveal the challenge answers.
Found a bug? Submit an issue on GitHub.