A spongebob-themed vulnerable web app for learning Cypher Query Injection.

• Vulnerable NodeJS Web App at http://localhost:3030
• Redis Graph database w/ spongebob data
• Neo4J database w/ spongebob data
• Swagger at port http://localhost:8888
• Postman collection(s)

• To learn Cypher Query injections
• To apply the knowledge in Bug Bounty
• To protect against those injections in your apps
• To profit.

docker-compose up

docker-compose up web neo4j redisgraph swagger

The web app will run at http://localhost:3030 and will listen to your HTTP requests.
See your logs for more information.

Try it! http://localhost:8888

• RedisGraph-postman
• Neo4J-postman

{DB} - replace with neo4j or redisgraph

Try to find an injection.
Hint: URL encode your query params. 2nd Hint: See postman collections :)

• You might have to enable your directory to be discoverable by Docker volumes. See https://docs.docker.com/desktop/mac/#file-sharing
• Verify if that's the issue by accessing the swagger at http://locallhost:8888. Couldn't access it? Probable it's the same volume issue. See docker's link above.

Remember to URL encode your parameter since it's a URL param.

• Did you get Connection refused error when trying to start the docker?
• If so - add the --force-recreate flag when you run like this:

docker-compose up --force-recreate

• Still getting the same issue? Try to clean/flush docker data in your host and run again

This app is based on this open source project I found

This app is a playground for the research I presented here
You can see the actual slides I made for BSidesTLV 2022 talk here