{
  "id": 20608545,
  "url": "https://github.com/logicalhacking/dvgm",
  "last_synced_at": "2025-08-10T23:43:18.700Z",
  "repository": {
    "id": 95337543,
    "uuid": "145705280",
    "full_name": "logicalhacking/DVGM",
    "owner": "logicalhacking",
    "description": "Vulnerable Grade Management System",
    "archived": false,
    "fork": false,
    "pushed_at": "2024-09-07T17:14:18.000Z",
    "size": 98,
    "stargazers_count": 3,
    "open_issues_count": 0,
    "forks_count": 9,
    "subscribers_count": 2,
    "default_branch": "master",
    "last_synced_at": "2025-04-15T04:34:50.474Z",
    "etag": null,
    "topics": ["application-security", "software-security", "vulnerability", "vulnerable-application"],
    "latest_commit_sha": null,
    "homepage": null,
    "language": "Ruby",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "gpl-3.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/logicalhacking.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null,
        "zenodo": null
      }
    },
    "created_at": "2018-08-22T12:21:01.000Z",
    "updated_at": "2024-09-07T17:14:21.000Z",
    "dependencies_parsed_at": "2025-04-15T04:27:16.447Z",
    "dependency_job_id": "282ecb6c-9261-4b10-99b2-4a1dde689be9",
    "html_url": "https://github.com/logicalhacking/DVGM",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "purl": "pkg:github/logicalhacking/DVGM",
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logicalhacking%2FDVGM",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logicalhacking%2FDVGM/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logicalhacking%2FDVGM/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logicalhacking%2FDVGM/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/logicalhacking",
    "download_url": "https://codeload.github.com/logicalhacking/DVGM/tar.gz/refs/heads/master",
    "sbom_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/logicalhacking%2FDVGM/sbom",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 266236668,
      "owners_count": 23897221,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["application-security", "software-security", "vulnerability", "vulnerable-application"],
  "created_at": "2024-11-16T10:10:59.881Z",
  "updated_at": "2025-07-21T04:05:51.810Z",
  "avatar_url": "https://github.com/logicalhacking.png",
  "language": "Ruby",
  "readme": "# Damn Vulnerable Grade Management (DVGM) - An Intentionally Vulnerable Rails Application\n\nDamn Vulnerable Grade Management is an **intentionally vulnerable** grade\nmanagement application that can be used for teaching *security testing* and\n*security programming*. It aims to be a small application with a realistic use\ncase that contains common vulnerabilities, making it a good target to get\nstarted with automatic security testing tools.\n\n## Known Vulnerabilities\n\nDVGM contains (at least) the following vulnerabilities:\n\n* SQL Injection\n* Cross-Site Scripting (XSS)\n* DOM Based XSS / Client Side XSS\n* Missing server-side input validation\n* Insecure HTTP Headers\n* Vulnerable dependencies\n\n## Suggested Static and Dynamic Tools\n\nWe have tried many different tools to automatically find the vulnerabilities,\nand found the following tools to work best for this kind of application. While\nnone of them finds all contained vulnerabilities, together they cover a\nreasonable amount:\n\n* [arachni (1.5.1)](https://github.com/Arachni/arachni)\n* [zaproxy (OWASP ZAP, 2.7.0)](https://github.com/zaproxy/zaproxy)\n* [brakeman](https://github.com/presidentbeef/brakeman)\n\n## Application Scenario\n\nDamn Vulnerable Grade Management implements a simplistic system for managing\nuniversity grades. Students can upload assignments (pdf), view their grades for\ntheir assignments and lectures, download their grades as reports, and add\ncomments to the grades which can be viewed by lecturers. The application knows\nthree roles: *admins*, *lecturers*, and *students*.\n\n* *Admins* can create new students, lecturers, and other admins. Admins can\n  create new lectures, held by any lecturer. Admins can also create, view, and\n  edit new grades for all lectures and students and can create, view, and edit\n  comments.\n* *Lecturers* can create new students. They can also create new lectures that\n  are being held by them. Lecturers can view grades for all students, but\n  only enter new grades for their own students. Lecturers can see comments for\n  all grades, but cannot change any.\n* *Students* can upload assignments (pdf). They can also view and comment on\n  their grades for their assignments and overall lectures. For their\n  convenience, they have the ability to filter their grade list by a lecturer\n  name.\n* All roles are able to log into the system. They can also reset their password\n  by providing the answer to their chosen security question.\n\nYou are Peter, a student, and you can log in with `peter` as username and\n`football` as password. Try and see how much information/control you can gain!\n\n## Setup\n\n### Dependencies\n\n* Ruby 3.1 (and Rails 7) and [bundler](https://github.com/bundler/bundler)\n\n### Checkout\n\nThe repository can be cloned as usual:\n\n``` sh\ngit clone https://git.logicalhacking.com/BrowserSecurity/DVGM.git\n```\n\nNote: if you are authorized to access the confidential solutions of the\nexercises for DVGM, you can obtain them by executing\n\n``` sh\ngit submodule update --init --recursive\n```\n\n### Installation\n\nAfter cloning the repository, install the dependencies; `bundle` will install\nall dependencies automatically into a project-local directory:\n\n```bash\ncd DVGM\nbundle install --path vendor/bundle\nbundle config set --local path 'vendor/bundle'\nRAILS_ENV=development bin/rake db:populate\nRAILS_ENV=production bin/rake db:populate\n```\n\n### Starting the server\n\nTo make exploration of the app a bit easier, we run DVGM in development mode.\nThis means that\n\n* on errors, Rails will return a detailed debug page, and\n* changed source files will automatically be picked up, without needing to\n  restart the server (useful for seeing if your fixes work).\n\nNow, start the server:\n\n```bash\nbin/rails server\n```\n\nNow, open your browser, go to \u003chttp://localhost:3000\u003e, and start exploring!\n\n## Team\n\n* [Achim D. Brucker](https://www.brucker.ch/)\n* [Michael Herzberg](https://www.mherzberg.de/)\n* [Sakine Yalman](http://emps.exeter.ac.uk/computer-science/staff/sy359)\n\n## License\n\nThis project is licensed under the GPL 3.0 (or any later version).\n\nSPDX-License-Identifier: GPL-3.0-or-later\n\n## Master Repository\n\nThe master git repository for this project is hosted by the [Software\nAssurance \u0026 Security Research Team](https://logicalhacking.com) at\n\u003chttps://git.logicalhacking.com/BrowserSecurity/DVGM\u003e.\n",
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flogicalhacking%2Fdvgm",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Flogicalhacking%2Fdvgm",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flogicalhacking%2Fdvgm/lists"
}