Damn Vulnerable GraphQL Application (DVGA) API Reference

About the App

Contact

https://github.com/dolevf/Damn-Vulnerable-GraphQL-Application

API Endpoints
# Lab Environment:
http://localhost:5013/graphql

Queries

audits

Response

Returns [AuditObject]

Example

Query
# Lists audit records; each AuditObject has an id, an operation name, a query
# string and a timestamp.
# NOTE(review): the field takes no arguments, so nothing on this page shows how
# access to the log is restricted. gqlquery presumably holds the text of recorded
# operations; if so, credentials sent as inline arguments (rather than variables)
# would be readable here. Confirm what the server logs and who may read it.
query Audits {
  audits {
    id
    gqloperation
    gqlquery
    timestamp
  }
}
Response
{
  "data": {
    "audits": [
      {
        "id": 4,
        "gqloperation": "xyz789",
        "gqlquery": "xyz789",
        "timestamp": "2007-12-03T10:15:30Z"
      }
    ]
  }
}

deleteAllPastes

Response

Returns a Boolean

Example

Query
# Argument-less field on the Query root that returns a Boolean.
# NOTE(review): the name indicates a destructive action, yet the field is listed
# under Queries. GraphQL expects query fields to be free of side effects, so
# controls keyed on the Mutation root (CSRF protection, mutation-specific
# authorization or rate limits) would not cover it. Confirm that the resolver
# enforces its own authorization.
query DeleteAllPastes {
  deleteAllPastes
}
Response
{"data": {"deleteAllPastes": true}}

me

Response

Returns a UserObject

Arguments
Name Description
token - String

Example

Query
# Returns a UserObject for the supplied token (presumably the caller's own
# account; the page does not describe the lookup).
# NOTE(review): the token travels as a plain String argument instead of a
# request header, so it can appear wherever variables or query text are logged.
query Me($token: String) {
  me(token: $token) {
    id
    username
    # UserObject exposes password as a selectable field; the page does not say
    # whether the value is hashed. A hardened schema keeps credential material
    # out of output types.
    password
  }
}
Variables
{"token": "abc123"}
Response
{
  "data": {
    "me": {
      "id": 4,
      "username": "xyz789",
      "password": "xyz789"
    }
  }
}

paste

Response

Returns a PasteObject

Arguments
Name Description
id - Int
title - String

Example

Query
# Fetches a single PasteObject selected by id and/or title; both arguments are
# optional.
# PasteObjectFragment is referenced below but not defined in this example; a
# fragment definition has to be added before the operation validates.
# NOTE(review): PasteObject.owner -> OwnerObject.paste / pastes -> PasteObject
# forms a cycle in the schema, so a selection can be nested to any depth unless
# the server enforces a depth or cost limit.
query Paste(
  $id: Int,
  $title: String
) {
  paste(
    id: $id,
    title: $title
  ) {
    id
    title
    content
    public
    # userAgent and ipAddr are client metadata stored with the paste (presumably
    # of the submitting client) and are returned to anyone who can read it.
    userAgent
    ipAddr
    ownerId
    burn
    owner {
      id
      name
      paste {
        ...PasteObjectFragment
      }
      pastes {
        ...PasteObjectFragment
      }
    }
  }
}
Variables
{"id": 123, "title": "xyz789"}
Response
{
  "data": {
    "paste": {
      "id": "4",
      "title": "xyz789",
      "content": "abc123",
      "public": false,
      "userAgent": "xyz789",
      "ipAddr": "xyz789",
      "ownerId": 987,
      "burn": false,
      "owner": OwnerObject
    }
  }
}

pastes

Response

Returns [PasteObject]

Arguments
Name Description
public - Boolean
limit - Int
filter - String

Example

Query
# Lists PasteObjects, optionally narrowed by visibility, a result limit and a
# free-form filter string.
# PasteObjectFragment is referenced below but not defined in this example.
# NOTE(review): no upper bound for limit is documented, and filter is an
# unconstrained String. How the resolver applies filter is not shown; it should
# be bound as a parameter rather than concatenated into a data-store query, and
# limit should be capped server-side.
query Pastes(
  $public: Boolean,
  $limit: Int,
  $filter: String
) {
  pastes(
    public: $public,
    limit: $limit,
    filter: $filter
  ) {
    id
    title
    content
    public
    userAgent
    ipAddr
    ownerId
    burn
    # owner leads back to PasteObject through paste / pastes; combined with a
    # list result this multiplies response size, so depth and cost limits matter.
    owner {
      id
      name
      paste {
        ...PasteObjectFragment
      }
      pastes {
        ...PasteObjectFragment
      }
    }
  }
}
Variables
{
  "public": true,
  "limit": 987,
  "filter": "abc123"
}
Response
{
  "data": {
    "pastes": [
      {
        "id": 4,
        "title": "xyz789",
        "content": "abc123",
        "public": false,
        "userAgent": "abc123",
        "ipAddr": "abc123",
        "ownerId": 987,
        "burn": true,
        "owner": OwnerObject
      }
    ]
  }
}

readAndBurn

Response

Returns a PasteObject

Arguments
Name Description
id - Int

Example

Query
# Returns the PasteObject with the given id.
# PasteObjectFragment is referenced below but not defined in this example.
# NOTE(review): the name suggests the paste is removed after it is read, which
# would make this a state-changing field on the Query root. Confirm the side
# effect and whether the resolver checks that the caller may read the paste.
query ReadAndBurn($id: Int) {
  readAndBurn(id: $id) {
    id
    title
    content
    public
    userAgent
    ipAddr
    ownerId
    burn
    owner {
      id
      name
      paste {
        ...PasteObjectFragment
      }
      pastes {
        ...PasteObjectFragment
      }
    }
  }
}
Variables
{"id": 987}
Response
{
  "data": {
    "readAndBurn": {
      "id": 4,
      "title": "abc123",
      "content": "abc123",
      "public": true,
      "userAgent": "abc123",
      "ipAddr": "abc123",
      "ownerId": 123,
      "burn": true,
      "owner": OwnerObject
    }
  }
}

systemDebug

Response

Returns a String

Arguments
Name Description
arg - String

Example

Query
# Takes one optional String argument and returns a String.
# NOTE(review): the page does not document what arg controls or what the output
# contains. Debug fields are normally removed or restricted to operators outside
# a lab, and any caller-supplied value they consume needs validation.
query SystemDebug($arg: String) {
  systemDebug(arg: $arg)
}
Variables
{"arg": "abc123"}
Response
{"data": {"systemDebug": "abc123"}}

systemDiagnostics

Response

Returns a String

Arguments
Name Description
username - String
password - String
cmd - String

Example

Query
# Takes a username, a password and a cmd string and returns a String.
# NOTE(review): credentials are passed as ordinary arguments of a query field,
# so they can end up in request logs. cmd is an unconstrained String; if the
# resolver hands it to a shell or process launcher, it should be matched against
# a fixed allow-list instead of being executed as supplied. Confirm both points
# against the server code.
query SystemDiagnostics(
  $username: String,
  $password: String,
  $cmd: String
) {
  systemDiagnostics(
    username: $username,
    password: $password,
    cmd: $cmd
  )
}
Variables
{
  "username": "xyz789",
  "password": "abc123",
  "cmd": "xyz789"
}
Response
{"data": {"systemDiagnostics": "xyz789"}}

systemHealth

Response

Returns a String

Example

Query
# Argument-less field that returns a String.
# NOTE(review): the content of the string is not documented here. Health output
# that includes host or version details should be limited to authenticated
# operators.
query SystemHealth {
  systemHealth
}
Response
{"data": {"systemHealth": "xyz789"}}

systemUpdate

Response

Returns a String

Example

Query
# Argument-less field that returns a String.
# NOTE(review): the name suggests an action rather than a read, but the field is
# listed under Queries. Confirm whether it has side effects and how long the
# resolver runs; a slow, unauthenticated field is a resource-exhaustion concern.
query SystemUpdate {
  systemUpdate
}
Response
{"data": {"systemUpdate": "xyz789"}}

users

Response

Returns [UserObject]

Arguments
Name Description
id - Int

Example

Query
# Returns a list of UserObjects; id is optional (presumably omitting it returns
# every user; confirm).
# NOTE(review): no token argument is defined, so authorization is not visible in
# the schema.
query Users($id: Int) {
  users(id: $id) {
    id
    username
    # password is selectable for every returned user. A hardened schema would
    # not expose it in an output type.
    password
  }
}
Variables
{"id": 123}
Response
{
  "data": {
    "users": [
      {
        "id": 4,
        "username": "abc123",
        "password": "abc123"
      }
    ]
  }
}

Mutations

createPaste

Response

Returns a CreatePaste

Arguments
Name Description
burn - Boolean Default = false
content - String
public - Boolean Default = true
title - String

Example

Query
# Creates a paste and returns it wrapped in a CreatePaste payload.
# Documented defaults: burn = false, public = true, so a paste is public unless
# the caller opts out.
# OwnerObjectFragment is referenced below but not defined in this example.
# NOTE(review): title and content are free-form Strings that are later rendered
# to other users (presumably in the web UI), so they need output encoding. No
# size limit is documented.
mutation CreatePaste(
  $burn: Boolean,
  $content: String,
  $public: Boolean,
  $title: String
) {
  createPaste(
    burn: $burn,
    content: $content,
    public: $public,
    title: $title
  ) {
    paste {
      id
      title
      content
      public
      userAgent
      ipAddr
      ownerId
      burn
      owner {
        ...OwnerObjectFragment
      }
    }
  }
}
Variables
{
  "burn": false,
  "content": "abc123",
  "public": true,
  "title": "xyz789"
}
Response
{"data": {"createPaste": {"paste": PasteObject}}}

createUser

Response

Returns a CreateUser

Arguments
Name Description
userData - UserInput!

Example

Query
# Creates a user from a required UserInput (username, email and password are all
# non-null Strings) and returns the new UserObject.
# NOTE(review): no token argument is defined, so account creation looks
# unauthenticated from the schema alone. Confirm server-side controls.
mutation CreateUser($userData: UserInput!) {
  createUser(userData: $userData) {
    user {
      id
      username
      # The payload can return the password that was just submitted or stored.
      # Whether it is hashed is not stated on this page.
      password
    }
  }
}
Variables
{"userData": UserInput}
Response
{"data": {"createUser": {"user": UserObject}}}

deletePaste

Response

Returns a DeletePaste

Arguments
Name Description
id - Int

Example

Query
# Deletes the paste with the given id and returns a Boolean result.
# NOTE(review): the only input is a numeric id. Nothing in the schema ties the
# request to an owner, so the resolver has to verify that the caller owns the
# paste. Confirm that check exists.
mutation DeletePaste($id: Int) {
  deletePaste(id: $id) {
    result
  }
}
Variables
{"id": 987}
Response
{"data": {"deletePaste": {"result": true}}}

editPaste

Response

Returns an EditPaste

Arguments
Name Description
content - String
id - Int
title - String

Example

Query
# Updates the title and/or content of the paste with the given id and returns the
# updated PasteObject.
# OwnerObjectFragment is referenced below but not defined in this example.
# NOTE(review): as with deletion, the id is the only selector. An ownership check
# in the resolver is required and is not visible from this page.
mutation EditPaste(
  $content: String,
  $id: Int,
  $title: String
) {
  editPaste(
    content: $content,
    id: $id,
    title: $title
  ) {
    paste {
      id
      title
      content
      public
      userAgent
      ipAddr
      ownerId
      burn
      owner {
        ...OwnerObjectFragment
      }
    }
  }
}
Variables
{
  "content": "abc123",
  "id": 123,
  "title": "abc123"
}
Response
{"data": {"editPaste": {"paste": PasteObject}}}

importPaste

Response

Returns an ImportPaste

Arguments
Name Description
host - String!
path - String!
port - Int
scheme - String!

Example

Query
# Imports a paste from a remote location described by scheme, host, port and
# path; scheme, host and path are required, port is optional. Returns a String
# result.
# NOTE(review): the caller controls every component of the URL. If the server
# fetches it (the page does not show how), the resolver needs an allow-list of
# schemes and destinations and must refuse internal or link-local addresses
# (SSRF). Any way these values reach a command line or URL parser should be
# checked for injection as well.
mutation ImportPaste(
  $host: String!,
  $path: String!,
  $port: Int,
  $scheme: String!
) {
  importPaste(
    host: $host,
    path: $path,
    port: $port,
    scheme: $scheme
  ) {
    result
  }
}
Variables
{
  "host": "xyz789",
  "path": "xyz789",
  "port": 987,
  "scheme": "abc123"
}
Response
{
  "data": {
    "importPaste": {"result": "xyz789"}
  }
}

login

Response

Returns a Login

Arguments
Name Description
password - String
username - String

Example

Query
# Exchanges a username and password for an access token and a refresh token.
# Both arguments are nullable Strings in the schema.
# NOTE(review): send credentials as variables rather than inline literals, so
# that they stay out of logged query text. Attempt limiting has to count login
# fields, not HTTP requests, because one GraphQL document can carry several
# fields. Token lifetime and signing are not described on this page.
mutation Login(
  $password: String,
  $username: String
) {
  login(
    password: $password,
    username: $username
  ) {
    accessToken
    refreshToken
  }
}
Variables
{
  "password": "abc123",
  "username": "abc123"
}
Response
{
  "data": {
    "login": {
      "accessToken": "xyz789",
      "refreshToken": "xyz789"
    }
  }
}

uploadPaste

Response

Returns an UploadPaste

Arguments
Name Description
content - String!
filename - String!

Example

Query
# Uploads paste content under a caller-chosen filename; both arguments are
# required. The payload returns content, filename and a String result.
# NOTE(review): filename is supplied by the caller. If the resolver uses it to
# build a filesystem path (not shown here), it must be normalized and confined
# to the upload directory so that separators and ".." cannot escape it. No size
# limit for content is documented.
mutation UploadPaste(
  $content: String!,
  $filename: String!
) {
  uploadPaste(
    content: $content,
    filename: $filename
  ) {
    content
    filename
    result
  }
}
Variables
{
  "content": "xyz789",
  "filename": "abc123"
}
Response
{
  "data": {
    "uploadPaste": {
      "content": "xyz789",
      "filename": "abc123",
      "result": "abc123"
    }
  }
}

Types

AuditObject

Fields
Field Name Description
id - ID!
gqloperation - String
gqlquery - String
timestamp - DateTime
Example
{
  "id": 4,
  "gqloperation": "xyz789",
  "gqlquery": "xyz789",
  "timestamp": "2007-12-03T10:15:30Z"
}

Boolean

Description

The Boolean scalar type represents true or false.

CreatePaste

Fields
Field Name Description
paste - PasteObject
Example
{"paste": PasteObject}

CreateUser

Fields
Field Name Description
user - UserObject
Example
{"user": UserObject}

DateTime

Description

The DateTime scalar type represents a DateTime value as specified by ISO 8601.

Example
"2007-12-03T10:15:30Z"

DeletePaste

Fields
Field Name Description
result - Boolean
Example
{"result": true}

EditPaste

Fields
Field Name Description
paste - PasteObject
Example
{"paste": PasteObject}

ID

Description

The ID scalar type represents a unique identifier, often used to refetch an object or as the key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.

Example
"4"

ImportPaste

Fields
Field Name Description
result - String
Example
{"result": "xyz789"}

Int

Description

The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.

Example
987

Login

Fields
Field Name Description
accessToken - String
refreshToken - String
Example
{
  "accessToken": "xyz789",
  "refreshToken": "abc123"
}

OwnerObject

Fields
Field Name Description
id - ID!
name - String
paste - [PasteObject]
pastes - [PasteObject]
Example
{
  "id": "4",
  "name": "xyz789",
  "paste": [PasteObject],
  "pastes": [PasteObject]
}

PasteObject

Fields
Field Name Description
id - ID!
title - String
content - String
public - Boolean
userAgent - String
ipAddr - String
ownerId - Int
burn - Boolean
owner - OwnerObject
Example
{
  "id": 4,
  "title": "abc123",
  "content": "abc123",
  "public": true,
  "userAgent": "abc123",
  "ipAddr": "abc123",
  "ownerId": 987,
  "burn": false,
  "owner": OwnerObject
}

SearchResult

Types
Union Types

PasteObject

UserObject

Example
PasteObject

String

Description

The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.

Example
"xyz789"

UploadPaste

Fields
Field Name Description
content - String
filename - String
result - String
Example
{
  "content": "abc123",
  "filename": "abc123",
  "result": "abc123"
}

UserInput

Fields
Input Field Description
username - String!
email - String!
password - String!
Example
{
  "username": "xyz789",
  "email": "abc123",
  "password": "abc123"
}

UserObject

Fields
Field Name Description
id - ID!
username - String
Arguments (of the username field)
capitalize - Boolean
password - String!
Example
{
  "id": "4",
  "username": "abc123",
  "password": "xyz789"
}

Subscriptions

paste

Response

Returns a PasteObject

Arguments
Name Description
id - Int
title - String

Example

Query
# Subscribes to PasteObject events, optionally narrowed by id and/or title; the
# selection set is the same as in the paste query.
# PasteObjectFragment is referenced below but not defined in this example.
# NOTE(review): the transport is not described on this page. Subscriptions
# usually run over a long-lived connection (commonly WebSocket) that needs its
# own authentication and origin checks, separate from the HTTP endpoint. Confirm
# that private pastes are not delivered to unauthenticated subscribers.
subscription Paste(
  $id: Int,
  $title: String
) {
  paste(
    id: $id,
    title: $title
  ) {
    id
    title
    content
    public
    userAgent
    ipAddr
    ownerId
    burn
    owner {
      id
      name
      paste {
        ...PasteObjectFragment
      }
      pastes {
        ...PasteObjectFragment
      }
    }
  }
}
Variables
{"id": 987, "title": "abc123"}
Response
{
  "data": {
    "paste": {
      "id": "4",
      "title": "xyz789",
      "content": "xyz789",
      "public": false,
      "userAgent": "xyz789",
      "ipAddr": "xyz789",
      "ownerId": 987,
      "burn": false,
      "owner": OwnerObject
    }
  }
}