{% extends 'partials/base.html' %} {% block header %} {% include 'partials/base_header.html' %} {% endblock %} {% block content %}
{% include 'partials/navbar.html' %}
{% if msg %}

System Message

{{msg}}

{% endif %}

Damn Vulnerable GraphQL Application


Welcome!

Damn Vulnerable GraphQL Application, or DVGA, is an intentionally vulnerable GraphQL implementation. DVGA is a safe environment for learning how GraphQL can be exploited as well as how it can be defended.


Getting Started

If you aren't yet familiar with GraphQL, see the GraphQL Resources section below. Otherwise, start poking around and find the loopholes! The challenges cover GraphQL implementation flaws as well as general application vulnerabilities.

If you are interacting with DVGA programmatically, you can select the game mode (Beginner or Expert) by sending the HTTP request header X-DVGA-MODE with the value Beginner or Expert.

If the header is not set, DVGA defaults to Beginner mode.


Difficulty Level Explanation

Beginner

DVGA's Beginner level is the stock GraphQL implementation with no restrictions, security controls or other protections. This is what you get out of the box from most GraphQL implementations before any hardening, with DVGA's own custom vulnerabilities added on top.

Expert

DVGA's Expert level (selected with X-DVGA-MODE: Expert) is a hardened GraphQL implementation that adds a few security controls against malicious queries, such as cost-based analysis, query depth limiting and field de-duplication checks.
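The mode header above and the controls listed for the hardened level are easiest to understand by sending one query under both modes and watching which mode rejects it. The script below is an added example, not DVGA's own code: it builds a valid GraphQL introspection query of adjustable nesting depth (chaining the standard __Type.ofType field), estimates the depth locally the way a query-depth control would, and posts the query to the GraphQL endpoint once per mode with the X-DVGA-MODE header. The endpoint URL, port and the MAX_DEPTH threshold are assumptions for illustration; DVGA's actual depth limit is not stated on this page, and the server, not the local estimate, is the authority.

```python
"""Probe DVGA's Beginner vs Expert modes with the same GraphQL query.

Added example, not DVGA's own code. Assumptions: DVGA's GraphQL endpoint
is served at DVGA_URL (adjust for your setup), and MAX_DEPTH is only a
guess used by the local checker; the server decides what it rejects.
"""
import json
import urllib.error
import urllib.request

DVGA_URL = "http://localhost:5013/graphql"   # assumed endpoint, adjust as needed
MODES = ("Beginner", "Expert")                # header values named on this page
MAX_DEPTH = 10                                # assumed local threshold, not DVGA's


def nested_introspection_query(extra_levels: int) -> str:
    """Build a valid introspection query and push its nesting deeper by
    chaining __Type.ofType `extra_levels` times. With extra_levels=0 the
    query is '{ __schema { types { fields { type { name } } } } }'."""
    inner = "name"
    for _ in range(extra_levels):
        inner = "ofType { %s }" % inner
    return "{ __schema { types { fields { type { %s } } } } }" % inner


def query_depth(query: str) -> int:
    """Rough local mirror of a query-depth control: the deepest nesting of
    selection-set braces. Braces inside string literals are not special-cased,
    so treat this as an estimate for crafted test queries, not a parser."""
    depth = max_depth = 0
    for ch in query:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
    return max_depth


def exceeds_local_depth_limit(query: str, limit: int = MAX_DEPTH) -> bool:
    """True when the local estimate says a depth-limiting control should fire."""
    return query_depth(query) > limit


def is_valid_mode(mode: str) -> bool:
    return mode in MODES


def build_request(query: str, mode: str) -> urllib.request.Request:
    """POST body and headers for one query under one game mode.
    urllib stores the header key as 'X-dvga-mode'; HTTP header names are
    case-insensitive, so the server sees the same header."""
    if not is_valid_mode(mode):
        raise ValueError("unknown mode %r; expected one of %s" % (mode, MODES))
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(
        DVGA_URL,
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "X-DVGA-MODE": mode},
    )


def send(query: str, mode: str, timeout: float = 5.0) -> dict:
    """Send the query and return the parsed JSON body. A non-2xx response is
    returned as a dict too, so the two modes can be compared side by side."""
    req = build_request(query, mode)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return {"http_status": err.code, "body": err.read().decode(errors="replace")}


def compare_modes(query: str) -> dict:
    """Run the same query under every mode; the hardened mode is expected to
    answer with errors once a control such as query depth fires."""
    return {mode: send(query, mode) for mode in MODES}


if __name__ == "__main__":
    probe = nested_introspection_query(8)
    print("local depth estimate:", query_depth(probe),
          "(over local limit)" if exceeds_local_depth_limit(probe) else "")
    for mode, result in compare_modes(probe).items():
        rejected = "errors" in result or "http_status" in result
        print("%-9s -> %s" % (mode, "rejected" if rejected else "accepted"))
```

Run it against a local DVGA and raise `extra_levels` until Expert mode starts returning errors while Beginner mode keeps answering; that boundary is the depth limit the hardened level enforces, and the same pattern (one query, both modes, diff the responses) works for probing the cost and field de-duplication controls.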


GraphQL Resources

To learn about GraphQL, and common GraphQL weaknesses and attacks, the following resources may be beneficial:

  Videos
  Articles

Got Stuck?

Head over to the Solutions page to reveal the challenge answers.


Bug Reporting

Found a bug? Submit an issue on GitHub.

{% endblock %} {% block scripts %} {% include 'partials/base_scripts.html' %} {% endblock %}