/VulnerableApp

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.

Primary LanguageJavaApache License 2.0Apache-2.0

OWASP VulnerableApp OWASP VulnerableApp

OWASP Incubator License Java CI with Gradle PRs Welcome

As Web Applications are becoming popular these days, there comes a dire need to secure them. Although there are several Vulnerability Scanning Tools, however while developing these tools, developers need to test them. Moreover, they also need to know how well is the Vulnerability Scanning tool performing. As of now, there are little or no such vulnerable applications existing for testing such tools. There are Deliberately Vulnerable Applications existing in the market but they are not written with such an intent and hence lag extensibility, e.g. adding new vulnerabilities is quite difficult. Hence, the developers resort to writing their own vulnerable applications, which usually causes productivity loss and the pain to rework.

VulnerableApp is built keeping these factors in mind. This project is scalable, extensible, easier to integrate and easier to learn. As solving the above issue requires addition of various vulnerabilities, hence it becomes a very good platform to learn various security vulnerabilities.

Owasp Vulnerable Graphic Representation

Future Goal

Going further, this application might becomes a database for vulnerabilities. Hence, in future, it can be used for hosting CTFs and can also become a compliance/benchmark for Vulnerability Scanning tools.

Project Setup

Setup Guide

As we are moving towards the goal of Distributed VulnerableApplication so if you are downloading latest code or you are accessing unreleased docker image please use following url http://<base-url>:9090/VulnerableApp

Technologies used

  • Java8
  • Spring Boot
  • Vanilla Javascript

Note: we are not limited to these technologies and if required, open to expand to other technologies.

Currently handled Vulnerability types

  1. JWT Vulnerability
  2. Command Injection
  3. File Upload Vulnerability
  4. Path Traversal Vulnerability
  5. SQL Injection
    1. Error Based SQLi
    2. Union Based SQLi
    3. Blind SQLi
  6. XSS
    1. Persistent XSS
    2. Reflected XSS
  7. XXE
  8. Open Redirect
    1. Http 3xx Status code based

Contributing to Project

Contributing to open source is always good from learning perspective as open source is the community to collaborate and grow together.

We really appreciate contributions to this project. As this project is in it's initial phase, we have not set any guidelines. So, feel free to shoot a mail at karan.sasan@owasp.org or raise an issue and we will try our best to onboard you to this project. If you are already onboarded, we actively welcome your Pull Requests. Visit Design Documentation for internal implementation details.

You can also raise an issue, in case you are looking for learning some kind of vulnerability which is not present in VulnerableApp. We will try to add that vulnerability ASAP!

Documentation in other languages

  1. Russian
  2. Chinese
  3. Hindi
  4. Punjabi

Contact

Please raise an issue or send an email to karan.sasan@owasp.org for any queries. We will try to resolve the issues ASAP.

Other details

  1. Documentation
  2. Owasp VulnerableApp
  3. Overview Video

Blogs

  1. Overview of Owasp-VulnerableApp - Medium article
  2. Overview of Owasp-VulnerableApp - Blogspot post