{"id":28495426,"url":"https://github.com/aasaam/vulnerable-application","last_synced_at":"2025-07-23T08:07:19.988Z","repository":{"id":98710073,"uuid":"293575970","full_name":"aasaam/vulnerable-application","owner":"aasaam","description":"Vulnerable application is test case study for check protection mechanism.","archived":false,"fork":false,"pushed_at":"2022-01-25T15:59:18.000Z","size":89,"stargazers_count":3,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-02T08:42:21.217Z","etag":null,"topics":["security-vulnerability","sql-injection","testing","xss-vulnerability"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aasaam.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-09-07T16:17:00.000Z","updated_at":"2022-01-24T02:20:08.000Z","dependencies_parsed_at":"2023-04-18T21:04:23.059Z","dependency_job_id":null,"html_url":"https://github.com/aasaam/vulnerable-application","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/aasaam/vulnerable-application","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aasaam%2Fvulnerable-application","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aasaam%2Fvulnerable-application/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aasaam%2Fvulnerable-application/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/aasaam%2Fvulnerable-application/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aasaam","download_url":"https://codeload.github.com/aasaam/vulnerable-application/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aasaam%2Fvulnerable-application/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266640830,"owners_count":23960809,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security-vulnerability","sql-injection","testing","xss-vulnerability"],"created_at":"2025-06-08T11:10:32.325Z","updated_at":"2025-07-23T08:07:19.978Z","avatar_url":"https://github.com/aasaam.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003ch1\u003e\n    Vulnerable Application\n  \u003c/h1\u003e\n  \u003cp\u003e\n    Vulnerable application is test case study for check protection mechanism.\n  \u003c/p\u003e\n  \u003cp\u003e\n    \u003ca href=\"https://github.com/aasaam/vulnerable-application/actions/workflows/build.yml\" target=\"_blank\"\u003e\u003cimg src=\"https://github.com/aasaam/vulnerable-application/actions/workflows/build.yml/badge.svg\" alt=\"build\" /\u003e\u003c/a\u003e\n    \u003ca 
href=\"https://hub.docker.com/r/aasaam/vulnerable-application\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/docker/image-size/aasaam/vulnerable-application?label=docker%20image\" alt=\"docker\" /\u003e\u003c/a\u003e\n  \u003c/p\u003e\n\u003c/div\u003e\n\nThis is a simple vulnerable application for testing the web server, TLS, WAF rules and other protection mechanisms using [sqlmap](https://github.com/sqlmapproject/sqlmap), [XSStrike](https://github.com/s0md3v/XSStrike) and [testssl.sh](https://github.com/drwetter/testssl.sh).\n\nIt uses [aasaam web-server](https://github.com/aasaam/web-server) as the edge WAF, reverse proxy and SSL offloader.\n\n## Run\n\n```bash\ngit clone --depth 1 https://github.com/aasaam/vulnerable-application\ncd vulnerable-application\ndocker-compose up -d\n# wait for all databases to be ready\n```\n\nYou can open the application in a browser:\n\n* `http://localhost:10800` Normal application\n* `http://localhost:10801` Behind aasaam web-server with WAF activated\n* `https://localhost:10802` Behind aasaam web-server with WAF and SSL/TLS activated\n\n## SQL Injection Check\n\n```bash\ngit clone --depth 1 https://github.com/sqlmapproject/sqlmap.git tmp/sqlmap-dev\ncd tmp/sqlmap-dev\n# remove old test results\nrm ~/.local/share/sqlmap -rf\n# no waf\npython3 ./sqlmap.py -u 'http://localhost:10800/show.php?id=1\u0026type=bXlzcWw=\u0026title=DevOps+is+important'\nrm ~/.local/share/sqlmap -rf\n# with waf\npython3 ./sqlmap.py -u 'http://localhost:10801/show.php?id=1\u0026type=bXlzcWw=\u0026title=DevOps+is+important'\nrm ~/.local/share/sqlmap -rf\n```\n\n## XSS Check\n\n```bash\ngit clone --depth 1 https://github.com/s0md3v/XSStrike.git tmp/XSStrike\ncd tmp/XSStrike\n# no waf\npython3 xsstrike.py --fuzzer --blind -u 'http://localhost:10800/show.php?id=1\u0026type=bXlzcWw=\u0026title=DevOps+is+important'\n# with waf\npython3 xsstrike.py --fuzzer --blind -u 'http://localhost:10801/show.php?id=1\u0026type=bXlzcWw=\u0026title=DevOps+is+important'\n```\n\n## Test SSL/TLS\n\n```bash\ngit clone --depth 1 https://github.com/drwetter/testssl.sh tmp/testssl.sh\ncp addon/ssl/ca.pem tmp/testssl.sh/ca.pem\ncd tmp/testssl.sh\n./testssl.sh --add-ca ca.pem 'https://localhost:10802'\n```\n\n## Benchmark\n\n```bash\nmkdir -p tmp/cassowary\ncp addon/ssl/ca.pem tmp/cassowary/ca.pem\ncd tmp/cassowary\nwget -O cassowary.tgz https://github.com/rogerwelin/cassowary/releases/download/v0.11.0/cassowary_0.11.0_Linux_x86_64.tar.gz\ntar -xf cassowary.tgz\n./cassowary run --ca ca.pem -c 100 -n 10000 -u 'https://localhost:10802/benchmark/upstream'\n./cassowary run --ca ca.pem -c 100 -n 10000 -u 'https://localhost:10802/benchmark/webserver'\n```\n\n\u003cdiv\u003e\n  \u003cp align=\"center\"\u003e\n    \u003ca href=\"https://aasaam.com\" title=\"aasaam software development group\"\u003e\n      \u003cimg alt=\"aasaam software development group\" width=\"64\" src=\"https://raw.githubusercontent.com/aasaam/information/master/logo/aasaam.svg\"\u003e\n    \u003c/a\u003e\n    \u003cbr /\u003e\n    aasaam software development group\n  \u003c/p\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faasaam%2Fvulnerable-application","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faasaam%2Fvulnerable-application","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faasaam%2Fvulnerable-application/lists"}