Damn-Vulnerable-GraphQL-Application

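License: MIT License
Programming language: Java
Category: Big Data, Data Query
Software type: Open source software
Region: Unknown
Submitted by: 邹铭
Operating system: Cross-platform
Open source organization:
Intended audience: Unknown
Software Overview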

Damn Vulnerable GraphQL Application

Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security.

About DVGA

Damn Vulnerable GraphQL is a deliberately weak and insecure implementation of GraphQL that provides a safe environment to attack a GraphQL application, allowing developers and IT professionals to test for vulnerabilities.

DVGA has numerous flaws, such as Injections, Code Executions, Bypasses, Denial of Service, and more. See the full list under the Scenarios section.

Operation Modes

DVGA supports Beginner and Expert level game modes, which will change the exploitation difficulty.

Scenarios

  • Reconnaissance
    • Discovering GraphQL
    • Fingerprinting GraphQL
  • Denial of Service
    • Batch Query Attack
    • Deep Recursion Query Attack
    • Resource Intensive Query Attack
    • Field Duplication Attack
    • Aliases based Attack
  • Information Disclosure
    • GraphQL Introspection
    • GraphiQL Interface
    • GraphQL Field Suggestions
    • Server Side Request Forgery
  • Code Execution
    • OS Command Injection #1
    • OS Command Injection #2
  • Injection
    • Stored Cross Site Scripting
    • Log spoofing / Log Injection
    • HTML Injection
  • Authorization Bypass
    • GraphQL Interface Protection Bypass
    • GraphQL Query Deny List Bypass
  • Miscellaneous
    • GraphQL Query Weak Password Protection
    • Arbitrary File Write // Path Traversal

Prerequisites

The following Python3 libraries are required:

  • Python3
  • Flask
  • Flask-SQLAlchemy
  • Graphene
  • Graphene-SQLAlchemy

See requirements.txt for dependencies.

Installation

Docker

Clone the repository

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Build the Docker image

docker build -t dvga .

Create a container from the image

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dvga

In your browser, navigate to http://localhost:5000

Note: if you need the application to bind on a specific port (e.g. 8080), use -e WEB_PORT=8080.

Docker Registry

Pull the docker image from Docker Hub

docker pull dolevf/dvga

Create a container from the image

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dolevf/dvga

In your browser, navigate to http://localhost:5000

Server

Navigate to /opt

cd /opt/

Clone the repository

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Install Requirements

pip3 install -r requirements.txt

Run application

python3 app.py

In your browser, navigate to http://localhost:5000.

Disclaimer

DVGA is highly insecure and, as such, should not be deployed on internet-facing servers. By default, the application listens on 127.0.0.1 to avoid misconfigurations.

DVGA is intentionally flawed and vulnerable, as such, it comes with no warranties. By using DVGA, you take full responsibility for using it.
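
The Docker commands above publish the port with -p 5000:5000, which binds it on every host interface rather than only on 127.0.0.1. The check below is an added example, not part of DVGA: it reads `docker port` output and flags any published binding that is not loopback-only. The function name exposed_bindings is hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not DVGA code). Reads `docker port <container>` output on
# stdin and prints every published binding that is not loopback-only.
# Exit status: 0 = all bindings are loopback, 1 = at least one is exposed.
exposed_bindings() {
    awk '
        # Expected line shape: 5000/tcp -> 0.0.0.0:5000
        $2 == "->" {
            addr = $3
            sub(/:[0-9]+$/, "", addr)   # drop the trailing :port
            gsub(/\[/, "", addr)        # drop IPv6 brackets
            gsub(/\]/, "", addr)
            if (addr != "127.0.0.1" && addr != "::1") {
                print $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: what `docker port` reports for `-p 5000:5000`.
sample='5000/tcp -> 0.0.0.0:5000
5000/tcp -> [::]:5000'

if printf '%s\n' "$sample" | exposed_bindings; then
    echo "published ports are loopback-only"
else
    echo "exposed beyond loopback; publish with -p 127.0.0.1:5000:5000"
fi

# Loopback-only form of the README command (WEB_HOST stays 0.0.0.0 inside
# the container so the published port can reach the application):
#   docker run -t -p 127.0.0.1:5000:5000 -e WEB_HOST=0.0.0.0 dvga
```

Against a running container, pipe the real output in: docker port <container> | exposed_bindings.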

License

It is distributed under the MIT License. See LICENSE for more information.
