GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → dolevf → Damn Vulnerable Graphql Application

dolevf / Damn Vulnerable Graphql Application

Licence: mit
Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

Programming Languages

javascript
184084 projects - #8 most used programming language

Labels

securitygraphqlpenetration-testingvulnerabilityexploitation

Projects that are alternatives of or similar to Damn Vulnerable Graphql Application

TokenBreaker
JSON RSA to HMAC and None Algorithm Vulnerability POC
Stars: ✭ 51 (-91.01%)
Mutual labels:  penetration-testing, vulnerability
maalik
Feature-rich Post Exploitation Framework with Network Pivoting capabilities.
Stars: ✭ 75 (-86.77%)
Mutual labels:  penetration-testing, exploitation
PwnX.py
🏴‍☠️ Pwn misconfigured sites running ShareX custom image uploader API through chained exploit
Stars: ✭ 30 (-94.71%)
Mutual labels:  penetration-testing, vulnerability
Payloadsallthethings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Stars: ✭ 32,909 (+5704.06%)
Mutual labels:  penetration-testing, vulnerability
Faraday
Faraday introduces a new concept - IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distributing, indexing, and analyzing the data generated during a security audit.
Stars: ✭ 3,198 (+464.02%)
Mutual labels:  penetration-testing, vulnerability
exploits
Some of my public exploits
Stars: ✭ 50 (-91.18%)
Mutual labels:  vulnerability, exploitation
reconmap
Vulnerability assessment and penetration testing automation and reporting platform for teams.
Stars: ✭ 242 (-57.32%)
Mutual labels:  penetration-testing, vulnerability
Tigershark
Bilingual PhishingKit. TigerShark intergrates a vast array of various phishing tools and frameworks, from C2 servers, backdoors and delivery methods in multiple scripting languages in order to suit whatever your deployment needs may be.
Stars: ✭ 212 (-62.61%)
Mutual labels:  penetration-testing, exploitation
Writeups
This repository contains writeups for various CTFs I've participated in (Including Hack The Box).
Stars: ✭ 61 (-89.24%)
Mutual labels:  penetration-testing, exploitation
web-fuzz-wordlists
Common Web Managers Fuzz Wordlists
Stars: ✭ 137 (-75.84%)
Mutual labels:  penetration-testing, vulnerability
DevBrute-A Password Brute Forcer
DevBrute is a Password Brute Forcer, It can Brute Force almost all Social Media Accounts or Any Web Application.
Stars: ✭ 91 (-83.95%)
Mutual labels:  penetration-testing, exploitation
A Red Teamer Diaries
RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.
Stars: ✭ 382 (-32.63%)
Mutual labels:  penetration-testing, vulnerability
tryhackme-ctf
TryHackMe CTFs writeups, notes, drafts, scrabbles, files and solutions.
Stars: ✭ 140 (-75.31%)
Mutual labels:  penetration-testing, exploitation
PXXTF
Framework For Exploring kernel vulnerabilities, network vulnerabilities ✨
Stars: ✭ 23 (-95.94%)
Mutual labels:  penetration-testing, exploitation
Ary
Ary 是一个集成类工具,主要用于调用各种安全工具,从而形成便捷的一键式渗透。
Stars: ✭ 241 (-57.5%)
Mutual labels:  penetration-testing, vulnerability
Reconky-Automated Bash Script
Reconky is an great Content Discovery bash script for bug bounty hunters which automate lot of task and organized in the well mannered form which help them to look forward.
Stars: ✭ 167 (-70.55%)
Mutual labels:  penetration-testing, exploitation
Awesome Bbht
A bash script that will automatically install a list of bug hunting tools that I find interesting for recon, exploitation, etc. (minus burp) For Ubuntu/Debain.
Stars: ✭ 190 (-66.49%)
Mutual labels:  penetration-testing, exploitation
Fdsploit
File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
Stars: ✭ 199 (-64.9%)
Mutual labels:  penetration-testing, exploitation
browserrecon-php
Advanced Web Browser Fingerprinting
Stars: ✭ 29 (-94.89%)
Mutual labels:  vulnerability, exploitation
Android Kernel Exploitation
Android Kernel Exploitation
Stars: ✭ 313 (-44.8%)
Mutual labels:  vulnerability, exploitation
View All Similar Projects ➔

Damn Vulnerable GraphQL Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

Table of Contents

About DVGA

Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.

DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section.

Operation Modes

DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.

Scenarios

  • Denial of Service
    • Batch Query Attack
    • Deep Recursion Query Attack
    • Resource Intensive Query Attack
  • Information Disclosure
    • GraphQL Introspection
    • GraphiQL Interface
    • GraphQL Field Suggestions
    • Server Side Request Forgery
  • Code Execution
    • OS Command Injection #1
    • OS Command Injection #2
  • Injection
    • Stored Cross Site Scripting
    • Log spoofing / Log Injection
    • HTML Injection
  • Authorization Bypass
    • GraphQL Interface Protection Bypass
    • GraphQL Query Deny List Bypass
  • Miscellaneous
    • GraphQL Query Weak Password Protection
    • Arbitrary File Write // Path Traversal

Prerequisites

The following Python3 libraries are required:

  • Python3
  • Flask
  • Flask-SQLAlchemy
  • Graphene
  • Graphene-SQLAlchemy

See requirements.txt for dependencies.

Installation

Docker

Clone the repository

git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Build the Docker image

docker build -t dvga .

Create a container from the image

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dvga

In your browser, navigate to http://localhost:5000

Note: if you need the application to bind on a specific port (e.g. 8080), use -e WEB_PORT=8080.

Docker Registry

Pull the docker image from Docker Hub

docker pull dolevf/dvga

Create a container from the image

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dolevf/dvga

In your browser, navigate to http://localhost:5000

Server

Navigate to /opt

cd /opt/

Clone the repository

git clone [email protected]:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Install Requirements

pip3 install -r requirements.txt

Run application

python3 app.py

In your browser, navigate to http://localhost:5000.

Screenshots

DVGA DVGA DVGA DVGA

Maintainers

Contributors

A big Thank You to the kind people who helped make DVGA better:

Mentions

Disclaimer

DVGA is highly insecure, and as such, should not be deployed on internet facing servers. By default, the application is listening on 127.0.0.1 to avoid misconfigurations.

DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.

License

It is distributed under the MIT License. See LICENSE for more information.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].