As Web Applications are becoming popular these days, there comes a dire need to secure them. Although there are several Vulnerability Scanning Tools, however while developing these tools, developers need to test them. Moreover, they also need to know how well is the Vulnerability Scanning tool performing. As of now, there are little or no such vulnerable applications existing for testing such tools. There are Deliberately Vulnerable Applications existing in the market but they are not written with such an intent and hence lag extensibility, e.g. adding new vulnerabilities is quite difficult. Hence, the developers resort to writing their own vulnerable applications, which usually causes productivity loss and the pain to rework.
VulnerableApp is built keeping these factors in mind. This project is scalable, extensible, easier to integrate and easier to learn. As solving the above issue requires addition of various vulnerabilities, hence it becomes a very good platform to learn various security vulnerabilities.
Going further, this application might becomes a database for vulnerabilities. Hence, in future, it can be used for hosting CTFs and can also become a compliance/benchmark for Vulnerability Scanning tools.
As we are moving towards the goal of Distributed VulnerableApplication so if you are downloading latest code or you are accessing unreleased docker image please use following url http://<base-url>:9090/VulnerableApp
- Java8
- Spring Boot
- Vanilla Javascript
Note: we are not limited to these technologies and if required, open to expand to other technologies.
- JWT Vulnerability
- Command Injection
- File Upload Vulnerability
- Path Traversal Vulnerability
- SQL Injection
- XSS
- XXE
- Open Redirect
Contributing to open source is always good from learning perspective as open source is the community to collaborate and grow together.
We really appreciate contributions to this project. As this project is in it's initial phase, we have not set any guidelines. So, feel free to shoot a mail at karan.sasan@owasp.org or raise an issue and we will try our best to onboard you to this project. If you are already onboarded, we actively welcome your Pull Requests. Visit Design Documentation for internal implementation details.
You can also raise an issue, in case you are looking for learning some kind of vulnerability which is not present in VulnerableApp. We will try to add that vulnerability ASAP!
Please raise an issue or send an email to karan.sasan@owasp.org for any queries. We will try to resolve the issues ASAP.