Damn Vulnerable GraphQL Application


Welcome!

Damn Vulnerable GraphQL Application, or DVGA, is a deliberately vulnerable GraphQL implementation. DVGA lets you learn, in a safe environment, how GraphQL can be exploited and how it can be defended.


Getting Started

If you aren't yet familiar with GraphQL, see the GraphQL Resources section below. Otherwise, start poking around and look for loopholes! The application contains GraphQL implementation flaws as well as general application vulnerabilities.

You can set a "game mode" in DVGA, Beginner or Expert, by clicking the cube icon in the top bar menu and choosing the level. This is a global setting that applies to all clients (GUI or CLI).

If you are interacting with DVGA programmatically, you can also set the game mode by passing the HTTP request header X-DVGA-MODE with a value of either Beginner or Expert.

If the header is not set, DVGA defaults to Beginner mode, or to whatever mode you previously set in the user interface.
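As an added example (not part of DVGA's own code or documentation), the following Python helper builds a GraphQL POST request that carries the X-DVGA-MODE header described above and rejects any value other than the two modes the page names. The DVGA URL and the /graphql endpoint are assumptions for the example; adjust them to where your instance actually runs.

```python
import json
import urllib.request

# Assumed location of a local DVGA instance (not given on the page).
DVGA_URL = "http://localhost:5013/graphql"
VALID_MODES = ("Beginner", "Expert")


def build_request(query, mode, url=DVGA_URL, variables=None):
    """Build a GraphQL POST request to DVGA with the X-DVGA-MODE header set."""
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-DVGA-MODE", mode)
    return req


def request_mode(req):
    """Read the game mode back from a built request (header names are case-insensitive)."""
    headers = {k.lower(): v for k, v in req.header_items()}
    return headers.get("x-dvga-mode")


if __name__ == "__main__":
    # Only sends traffic when run directly against a running DVGA instance.
    req = build_request("{ __typename }", "Expert")
    with urllib.request.urlopen(req, timeout=5) as resp:
        print(resp.status, json.loads(resp.read()))
```

Because the mode is a global setting, a header sent by one client changes the level every other client sees until it is set again, so scripted runs should set it explicitly rather than relying on the default.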


Difficulty Level Explanation

Beginner

DVGA's Beginner level is the default GraphQL implementation with no restrictions, security controls, or other protections. This is what you would get out of the box from most GraphQL implementations without hardening, plus additional custom vulnerabilities.

Hard

DVGA's Hard level is a hardened GraphQL implementation that contains a few security controls against malicious queries, such as cost-based analysis, query depth limits, field de-duplication checks, etc.
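To show what the three controls named above actually measure, here is an added Python example (written for this page, not DVGA's own implementation) that walks a GraphQL query's selection sets and reports its maximum depth, the number of repeated fields inside a single selection set, and a simple depth-weighted cost. The thresholds in LIMITS and the sample queries are constructed for the example; DVGA's real thresholds and cost model are not stated on the page.

```python
import re

# Tokens we care about once argument lists are removed: fragment spread marker,
# braces, alias colon, directive marker, and names.
TOKEN_RE = re.compile(r"\.\.\.|[{}:@]|[A-Za-z_][A-Za-z0-9_]*")

# Assumed thresholds for this example only.
LIMITS = {"depth": 3, "duplicates": 0, "cost": 20}


def _strip_arguments(query):
    """Remove (...) argument lists (including nested input objects) and # comments."""
    out, paren_depth, in_string, i = [], 0, False, 0
    while i < len(query):
        ch = query[i]
        if in_string:                      # skip string contents, honouring escapes
            if ch == "\\":
                i += 2
                continue
            if ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "#":                    # comment runs to end of line
            while i < len(query) and query[i] != "\n":
                i += 1
            continue
        elif ch == "(":
            paren_depth += 1
        elif ch == ")":
            paren_depth -= 1
        elif paren_depth == 0:
            out.append(ch)
        i += 1
    return "".join(out)


def analyze_query(query):
    """Return depth, duplicate-field count and depth-weighted cost for a query string."""
    tokens = TOKEN_RE.findall(_strip_arguments(query))
    scopes = []                            # one set of seen field names per open selection set
    max_depth = duplicates = cost = 0
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            scopes.append(set())
        elif tok == "}":
            scopes.pop()
        elif tok == "...":                 # "...Frag" or "... on Type": skip the names
            i += 1
            if i < len(tokens) and tokens[i] == "on":
                i += 1
        elif tok == "@":                   # skip directive name
            i += 1
        elif tok == ":":
            pass
        elif scopes:                       # a field inside a selection set
            if i + 1 < len(tokens) and tokens[i + 1] == ":":
                i += 2                     # alias: the real field name follows the colon
                tok = tokens[i]
            depth = len(scopes)
            max_depth = max(max_depth, depth)
            cost += depth                  # deeper fields cost more
            # Aliased repeats of the same field count as duplicates too, since aliasing
            # is the usual way to request an expensive field many times in one query.
            if tok in scopes[-1]:
                duplicates += 1
            scopes[-1].add(tok)
        i += 1
    return {"depth": max_depth, "duplicates": duplicates, "cost": cost}


def check_query(query, limits=LIMITS):
    """Return (stats, list of violated limits); an empty list means the query passes."""
    stats = analyze_query(query)
    violations = [k for k in ("depth", "duplicates", "cost") if stats[k] > limits[k]]
    return stats, violations


# Constructed sample queries against a Paste-style schema (not DVGA's real schema).
SIMPLE = "{ pastes { title content } }"
DEEP = "{ pastes { owner { pastes { owner { name } } } } }"
DUPLICATED = "{ pastes { title title title } }"
ALIASED = "query Q($n: Int) { a: pastes(limit: $n) { id } b: pastes(limit: 1) @include(if: true) { id } }"

if __name__ == "__main__":
    for name, q in [("simple", SIMPLE), ("deep", DEEP), ("dup", DUPLICATED), ("alias", ALIASED)]:
        print(name, check_query(q))
```

The Beginner level corresponds to running none of these checks; the Hard level corresponds to rejecting a query before execution whenever check_query reports a violation.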


GraphQL Resources

To learn about GraphQL, and common GraphQL weaknesses and attacks, the following resources may be beneficial:

  Videos
  Articles

Got Stuck?

Head over to the Solutions page to reveal the challenge answers.


Bug Reporting

Found a bug? Submit an issue on GitHub.