
How to use DVGA to study and learn the Security implementation of GraphQL Technology

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains in detail how to use DVGA to study the security of GraphQL implementations. It is shared as a reference; after reading it you should have a working understanding of what the tool covers and how to set it up.

DVGA

DVGA (Damn Vulnerable GraphQL Application) is a security learning tool for GraphQL, the API query language originally developed by Facebook. The project is an intentionally insecure GraphQL implementation: it deliberately leaves a large number of vulnerabilities in place so that researchers can explore them and learn how GraphQL deployments go wrong.

Because the vulnerabilities are real, DVGA should only be run in an isolated lab environment, never exposed to untrusted networks. Within such an environment it gives researchers a safe target for studying and attacking GraphQL applications, and lets developers and IT professionals practise testing for GraphQL weaknesses.

DVGA contains many classes of security vulnerability, including injection, code execution, authorization bypass, and denial of service.

Operation mode

DVGA can be run in two game-style modes, Beginner and Expert, which correspond to different levels of difficulty in exploiting the vulnerabilities.

Attack scenario

Denial of service: batching attack, deep recursion query attack, resource-intensive query attack.

Information disclosure: GraphiQL interface, GraphQL field suggestions, server-side request forgery.

Code execution: operating system command injection.

Injection vulnerabilities: stored cross-site scripting, log spoofing, log injection, HTML injection.

Authorization bypass: GraphQL interface protection bypass, GraphQL query deny list bypass.

Other: weak password protection on a GraphQL query, arbitrary file write, path traversal.
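The denial-of-service and information-disclosure items above are all visible in the raw HTTP request before any resolver runs, which is exactly where a production deployment would want to stop them. The following is an added example for this article, not DVGA code (DVGA deliberately has no such guard): a request-body inspector that flags deep recursion, batching, alias overloading and introspection, with string literals and comments stripped first so that braces inside a paste's content cannot inflate the depth count. The thresholds and the sample field names (pastes, owner, systemHealth) are assumptions chosen for illustration; the request bodies are constructed, not captured traffic.

```python
"""Request-level guards for the GraphQL abuse patterns DVGA demonstrates.

Added example for this article; it is not DVGA code and DVGA intentionally
has no such guard. Thresholds and the sample field names (pastes, owner,
systemHealth) are assumptions for illustration.
"""
import json
import re

MAX_DEPTH = 5       # deepest selection-set nesting allowed (deep recursion)
MAX_BATCH = 3       # operations allowed per HTTP request (batching attack)
MAX_ALIASES = 10    # aliased fields allowed per operation (alias overloading)

_STRING = re.compile(r'"""(?:\\.|[^\\])*?"""|"(?:\\.|[^"\\])*"')
_COMMENT = re.compile(r"#[^\n]*")
_ARGS = re.compile(r"\([^()]*\)")
_ALIAS = re.compile(r"\b\w+\s*:\s*\w+")
_INTROSPECTION = re.compile(r"\b__(?:schema|type)\b")


def _strip_literals(query: str) -> str:
    """Remove string literals and comments so braces inside them are not counted."""
    return _COMMENT.sub("", _STRING.sub('""', query))


def selection_depth(query: str) -> int:
    """Maximum nesting of selection sets; the operation's own braces count as 1."""
    depth = deepest = 0
    for ch in _strip_literals(query):
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return deepest


def alias_count(query: str) -> int:
    """Count `alias: field` pairs after removing argument lists such as (id: 1)."""
    body = _ARGS.sub("()", _strip_literals(query))
    return len(_ALIAS.findall(body))


def inspect_body(raw_body: str) -> list:
    """Return (code, detail) findings for one HTTP request body (JSON object or array)."""
    payload = json.loads(raw_body)
    operations = payload if isinstance(payload, list) else [payload]
    findings = []
    if len(operations) > MAX_BATCH:
        findings.append(("batch", f"{len(operations)} operations > {MAX_BATCH}"))
    for op in operations:
        query = op.get("query", "") if isinstance(op, dict) else ""
        depth = selection_depth(query)
        if depth > MAX_DEPTH:
            findings.append(("depth", f"{depth} > {MAX_DEPTH}"))
        aliases = alias_count(query)
        if aliases > MAX_ALIASES:
            findings.append(("aliases", f"{aliases} > {MAX_ALIASES}"))
        if _INTROSPECTION.search(_strip_literals(query)):
            findings.append(("introspection", "__schema/__type requested"))
    return findings


# Constructed request bodies modelled on the DVGA scenarios (not captured traffic).
SAMPLES = {
    "benign": json.dumps({"query": "{ pastes { title content } }"}),
    "deep_recursion": json.dumps({"query":
        "{ pastes { owner { pastes { owner { pastes { owner { id } } } } } } }"}),
    "batching": json.dumps([{"query": "{ systemHealth }"}] * 4),
    "alias_overloading": json.dumps({"query":
        "{ " + " ".join(f"h{i}: systemHealth" for i in range(11)) + " }"}),
    "introspection": json.dumps({"query": "{ __schema { types { name } } }"}),
    # Braces inside a string literal must not count towards depth.
    "string_with_braces": json.dumps({"query":
        'mutation { createPaste(title: "{{{{{{{{", content: "x") { id } }'}),
}


def run_samples() -> dict:
    """Map each sample name to the list of finding codes it triggers."""
    return {name: [code for code, _ in inspect_body(body)] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, codes in run_samples().items():
        print(f"{name:20} {codes or 'ok'}")
```

The brace counter is a deliberately cheap approximation of a real AST depth walk (a production guard would parse the document with the GraphQL library it already uses); its value here is showing why literal stripping matters before counting, and that batching and alias overloading have to be counted per request and per operation respectively, since neither is visible to a per-query depth limit alone.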

Tool requirements

DVGA requires Python 3 and the following Python libraries:

Flask

Flask-SQLAlchemy

Graphene

Graphene-SQLAlchemy

Tool installation

Docker

First, clone the project source code locally using the following command (the SSH URL requires a GitHub SSH key; otherwise use the HTTPS URL https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application.git):

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Use the following command to build a Docker image:

docker build -t dvga .

Next, create a container by mirroring:

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dvga

After the creation is completed, access the address http://localhost:5000 in the browser to use DVGA.

Note that if you need to bind the application to a different port, such as 8080, pass the following environment variable to docker run (and change the port mapping to match, e.g. -p 8080:8080, otherwise the container port will not be reachable from the host):

-e WEB_PORT=8080

Docker Hub

Use the following command to pull the Docker image from Docker Hub:

docker pull dolevf/dvga

Create a container from the image:

docker run -t -p 5000:5000 -e WEB_HOST=0.0.0.0 dolevf/dvga

After the creation is completed, access the address http://localhost:5000 in the browser to use DVGA.

Running directly on the host

At a command-line terminal, change to the /opt directory:

cd /opt/

Clone the project source code locally using the following command:

git clone git@github.com:dolevf/Damn-Vulnerable-GraphQL-Application.git && cd Damn-Vulnerable-GraphQL-Application

Install the dependencies:

pip3 install -r requirements.txt

Run the application:

python3 app.py

After running, access the address http://localhost:5000 in the browser to use DVGA.

Screenshot of tool running

License agreement

The project is developed and released under the MIT open source license.

That covers how to use DVGA to study the security of GraphQL implementations. Hopefully the above is of some help; if you found the article useful, share it so that more people can see it.
