{% extends 'partials/base.html' %} {% block header %} {% include 'partials/base_header.html' %} {% endblock %} {% block content %}
{{msg}}
Damn Vulnerable GraphQL Application, or DVGA, is a deliberately vulnerable GraphQL implementation. DVGA lets you learn how GraphQL can be exploited, and how it can be defended, in a safe environment.
If you aren't yet familiar with GraphQL, see the GraphQL Resources section below. Otherwise, start poking around and look for loopholes! There are GraphQL implementation flaws as well as general application vulnerabilities.
If you are interacting with DVGA programmatically, you can set a specific game mode (Beginner or Expert) by passing the HTTP request header X-DVGA-MODE with either Beginner or Expert as its value. If the header is not set, DVGA defaults to Beginner mode.
DVGA's Beginner level is the stock GraphQL implementation without any restrictions, security controls, or other protections: what you get out of the box from most GraphQL implementations before hardening, with a number of custom vulnerabilities added on top.
DVGA's Expert level is a hardened GraphQL implementation that contains a few security controls against malicious queries, such as cost-based analysis, query depth limits, field de-duplication checks, etc.
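The following is an added, illustrative re-implementation of the two ideas described above: selecting the mode from the X-DVGA-MODE header (defaulting to Beginner when it is absent), and the kind of query controls the Expert level applies, namely a depth limit, a check for the same field selected repeatedly through aliases, and a simple cost estimate. It is not DVGA's own code. The thresholds (MAX_DEPTH, MAX_COST), the cost heuristic, the fallback to Beginner for unrecognised header values, and the field names in the sample queries (pastes, paste, owner, title) are all assumptions made for the example, not facts about DVGA's schema or limits.

```python
"""Illustrative mode switch plus Expert-mode query controls (not DVGA's code)."""
import re

DEFAULT_MODE = "Beginner"          # the page's default when X-DVGA-MODE is absent
MODES = ("Beginner", "Expert")
MAX_DEPTH = 4                      # assumed thresholds; DVGA's real values are not on the page
MAX_COST = 50

# GraphQL query-language tokens we care about; commas and whitespace are dropped.
TOKEN = re.compile(
    r'#[^\n]*|"(?:\\.|[^"\\])*"|\.\.\.|[A-Za-z_]\w*|\$\w+|-?\d+(?:\.\d+)?|[{}():@!\[\]=]'
)


def select_mode(headers):
    """Pick the mode from X-DVGA-MODE (header names are case-insensitive).
    Missing or unrecognised values fall back to Beginner (assumed behaviour)."""
    for name, value in headers.items():
        if name.lower() == "x-dvga-mode":
            return value if value in MODES else DEFAULT_MODE
    return DEFAULT_MODE


def skip_parens(tokens, i):
    """tokens[i] is '('; return the index just past the matching ')'."""
    depth = 0
    while True:
        depth += tokens[i] == "("
        depth -= tokens[i] == ")"
        i += 1
        if depth == 0:
            return i


def parse_selection_set(tokens, i):
    """tokens[i] is '{'. Return (fields, index past the matching '}'), where fields
    is a list of (field_name, child_fields). Aliases resolve to the real field
    name so alias batching is visible to the de-dup check."""
    i += 1
    fields = []
    while tokens[i] != "}":
        if tokens[i] == "...":                     # fragment spread / inline fragment
            i += 1
            if tokens[i] == "on":
                i += 2                             # skip 'on TypeName'
            elif tokens[i] != "{":
                i += 1                             # named spread: skip the name
            if tokens[i] == "{":
                inner, i = parse_selection_set(tokens, i)
                fields.extend(inner)               # inline fragments add no depth
            continue
        name = tokens[i]
        i += 1
        if tokens[i] == ":":                       # alias: the real field name follows
            name = tokens[i + 1]
            i += 2
        if tokens[i] == "(":
            i = skip_parens(tokens, i)             # arguments, incl. nested input objects
        while tokens[i] == "@":                    # directives such as @include(if: $x)
            i += 2
            if tokens[i] == "(":
                i = skip_parens(tokens, i)
        children = []
        if tokens[i] == "{":
            children, i = parse_selection_set(tokens, i)
        fields.append((name, children))
    return fields, i + 1


def parse_operation(query):
    """Top-level fields of the first operation; fragment definitions that follow
    it are ignored (named spreads count as leaves)."""
    tokens = [t for t in TOKEN.findall(query) if not t.startswith("#")]
    i = 0
    while tokens[i] != "{":                        # skip 'query Name($v: T = ...)'
        i = skip_parens(tokens, i) if tokens[i] == "(" else i + 1
    return parse_selection_set(tokens, i)[0]


def depth(fields):
    return 1 + max((depth(c) for _, c in fields), default=0) if fields else 0


def duplicated_fields(fields):
    """Field names selected more than once within one selection set, at any
    level: the signature of alias-based batching."""
    names = [n for n, _ in fields]
    dups = {n for n in names if names.count(n) > 1}
    for _, children in fields:
        dups |= duplicated_fields(children)
    return dups


def cost(fields, level=1):
    """Assumed heuristic: each field costs its nesting level."""
    return sum(level + cost(c, level + 1) for _, c in fields)


def check_query(query, headers):
    """Return (accepted, reasons). Beginner applies no controls; Expert rejects
    on excessive depth, duplicated fields, or excessive cost."""
    if select_mode(headers) != "Expert":
        return True, []
    try:
        fields = parse_operation(query)
    except IndexError:                             # ran off the token list
        return False, ["malformed query"]
    reasons = []
    d, dups, c = depth(fields), duplicated_fields(fields), cost(fields)
    if d > MAX_DEPTH:
        reasons.append(f"depth {d} exceeds {MAX_DEPTH}")
    if dups:
        reasons.append(f"duplicated fields {sorted(dups)}")
    if c > MAX_COST:
        reasons.append(f"cost {c} exceeds {MAX_COST}")
    return not reasons, reasons


# Constructed sample queries; the field names are assumed, not DVGA's schema.
DEEP_QUERY = "query Deep { pastes { owner { pastes { owner { pastes { title } } } } } }"
BATCHED_QUERY = "{ p1: paste(id: 1) { title } p2: paste(id: 2) { title } p3: paste(id: 3) { title } }"
NORMAL_QUERY = """query Listing($limit: Int = 10) {
  pastes(limit: $limit) @include(if: true) { ... on Paste { title } ...Owner }
}
fragment Owner on Paste { owner { name } }"""

if __name__ == "__main__":
    for label, q in (("deep", DEEP_QUERY), ("batched", BATCHED_QUERY), ("normal", NORMAL_QUERY)):
        for hdrs in ({}, {"X-DVGA-MODE": "Expert"}):
            print(label, hdrs or "no header", check_query(q, hdrs))
```

Running the script shows every sample accepted when the header is absent (Beginner), while with X-DVGA-MODE: Expert the deep query is rejected on depth, the aliased batch is rejected because paste is selected three times in one selection set, and the ordinary query still passes. When probing a target, send the same query with and without the header and diff the responses: that is the quickest way to see which control caught it.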
To learn about GraphQL and about common GraphQL weaknesses and attacks, the following resources may be helpful:
Head over to the Solutions page to reveal the challenge answers.
Found a bug? Submit an issue on GitHub.