Log in to GraphQL EditorGet started
Damn Vulnerable GraphQL Application

Michał Tyszkiewicz

6/23/2021

Damn Vulnerable GraphQL Application

Usually in these when I write about some library or app I try to highlight its strengths. Well, this time I’m going to do the complete opposite and talk about weaknesses. Rest assured it won't be some scorching review, because we’re looking at Damn Vulnerable GraphQL Application where weaknesses are completely intentional and exploiting them is the whole point.

The Why and the How

As for why it's fairly obvious, as GraphQL continues to grow and become more popular so too do the concerns about its vulnerabilities. After all, if you want to use it for your app you probably want it to be secure. So yes Damn Vulnerable GraphQL Application is full of weaknesses by design, it's meant to test GraphQL’s safety against various attacks. Let’s look at these types of attacks (or scenarios) you can try out:

Denial of Service

  • Batch Query Attack
  • Deep Recursion Query Attack
  • Resource Intensive Query Attack
  • Field Duplication Attack
  • Aliases based Attack

Information Disclosure

  • GraphQL Field Suggestions
  • GraphQL Introspection
  • GraphiQL Interface
  • GraphQL Field Suggestions
  • Server Side Request Forgery

Code Execution

  • OS Command Injection #1
  • OS Command Injection #2

Injection

  • Stored Cross-Site Scripting
  • Log spoofing / Log injection
  • HTML Injection

Authorization Bypass

  • GraphQL Interface Protection Bypass
  • GraphQL Query Deny List Bypass

Other

  • GraphQL Query Weak Password Protection
  • Arbitrary File Write / Path Traversal

DVGA

Source: github.com/dolevf/Damn-Vulnerable-GraphQL-Application

Safe and sound

So as you can see it provides you with a bunch of attacks you can try out against GraphQL using some pretty well known methods from DoS to directory traversal attack. It's safe because by default the application is listening on 127.0.0.1 (ie. localhost) so you don't have to be afraid someone can actually attack your app. You can change that, but because of its vulnerabilities opening it up to the internet is not advisable. On the technical side DVGA also has two operation modes, Beginner and Expert, which change the exploitation difficulty. As far as requirements go you will need some Python3 libraries for it to actually work:

  • Python3,
  • Flask,
  • Flask-SQLAlchemy,
  • Graphene and Graphene-SQLAlchemy.

...and also fun!

At first glance it might look like something for security experts, but it's actually pretty fun to just try and poke around looking for holes. There’s no risk involved so you can actually just have some fun while learning a thing or two about the various types of vulnerabilities and attacks. So if you’re interested in app security in general or just always wanted to play hacker for a bit definitely give DVGA a spin.

Check out our other blogposts

Unlocking the Power of React 19
Tomasz Gajda
Tomasz Gajda
Unlocking the Power of React 19
1 min read
about 1 month ago
Zeus update - GraphQL spread operator
Michał Tyszkiewicz
Michał Tyszkiewicz
Zeus update - GraphQL spread operator
1 min read
2 months ago
What is GraphQL Zeus?
Michał Tyszkiewicz
Michał Tyszkiewicz
What is GraphQL Zeus?
1 min read
2 months ago

Ready for take-off?

Elevate your work with our editor that combines world-class visual graph, documentation and API console

Get Started with GraphQL Editor