Skip to content

Intentionaly very vulnerable API with bonus bad coding practices

Notifications You must be signed in to change notification settings

tkisason/vulnapi

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

vulnapi

Intentionaly very vulnerable API with bonus extremely bad coding practices

NOTE: This is by design a vulnerable application. It's primary use is to demonstrate bad coding practices (in python3) and in operations (docker, etc) and to show off specific vulnerabilities that are not well presented in some other projects. Another use if to have an application that can be used as a demo for various devsecops methods

DO NOT USE ANY PIECE OF THIS CODE IN PRODUCTION! Really. This code is vulnerable to remote code execution, don't leave it in the open

Current implemented vulns:

  • Couple of cases of data exposure (by triggering logic issues)
  • Mass assignment vulnerabilities
  • Broken object level autorization
  • Broken authentication
  • RCE via deserialization
  • SQL injection
  • File inclusion / path traversal
  • Server Side Template Injection

Usage:

  • docker build --tag vulnapi .
  • docker run -it --rm -p8000:8000 vulnapi
  • open http://IP_OF_HOST:8000/docs in a webbrowser.

Pull requests, especially for cool, subtle bugs or bad practices are welcome. At least FastAPI makes it easy to implement examples.

About

Intentionaly very vulnerable API with bonus bad coding practices

Resources

Security policy

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published