{
  "id": 28810111,
  "url": "https://github.com/mattuebel/vulnerability-example",
  "last_synced_at": "2026-05-08T00:43:13.417Z",
  "repository": {
    "id": 297814132,
    "uuid": "997553973",
    "full_name": "MattUebel/vulnerability-example",
    "owner": "MattUebel",
    "description": "Educational FastAPI application demonstrating CWE-863 authorization bypass vulnerability in document sharing with comprehensive security fixes",
    "archived": false,
    "fork": false,
    "pushed_at": "2025-06-07T16:42:16.000Z",
    "size": 20,
    "stargazers_count": 0,
    "open_issues_count": 2,
    "forks_count": 0,
    "subscribers_count": 0,
    "default_branch": "main",
    "last_synced_at": "2026-05-08T00:42:40.870Z",
    "etag": null,
    "topics": ["authorization", "cwe-863", "cybersecurity", "docker", "education", "fastapi", "owasp", "python", "security", "vulnerability"],
    "latest_commit_sha": null,
    "homepage": null,
    "language": "Python",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "mit",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/MattUebel.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null,
        "roadmap": null,
        "authors": null,
        "dei": null,
        "publiccode": null,
        "codemeta": null,
        "zenodo": null
      }
    },
    "created_at": "2025-06-06T18:18:58.000Z",
    "updated_at": "2025-06-07T16:44:35.000Z",
    "dependencies_parsed_at": "2025-06-07T17:29:41.673Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/MattUebel/vulnerability-example",
    "commit_stats": null,
    "previous_names": ["mattuebel/vulnerability-example"],
    "tags_count": 0,
    "template": false,
    "template_full_name": null,
    "purl": "pkg:github/MattUebel/vulnerability-example",
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MattUebel%2Fvulnerability-example",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MattUebel%2Fvulnerability-example/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MattUebel%2Fvulnerability-example/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MattUebel%2Fvulnerability-example/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MattUebel",
    "download_url": "https://codeload.github.com/MattUebel/vulnerability-example/tar.gz/refs/heads/main",
    "sbom_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MattUebel%2Fvulnerability-example/sbom",
    "scorecard": null,
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 286080680,
      "owners_count": 32762284,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2026-05-07T02:14:30.463Z",
      "status": "ssl_error",
      "status_checked_at": "2026-05-07T02:14:29.405Z",
      "response_time": 62,
      "last_error": "SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading",
      "robots_txt_status": "success",
      "robots_txt_updated_at": "2025-07-24T06:49:26.215Z",
      "robots_txt_url": "https://github.com/robots.txt",
      "online": false,
      "can_crawl_api": true,
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["authorization", "cwe-863", "cybersecurity", "docker", "education", "fastapi", "owasp", "python", "security", "vulnerability"],
  "created_at": "2025-06-18T13:43:01.689Z",
  "updated_at": "2026-05-08T00:43:13.411Z",
  "avatar_url": "https://github.com/MattUebel.png",
  "language": "Python",
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "readme": "# Share Code Authorization Vulnerability\n\nA vulnerable FastAPI application demonstrating **CWE-863: Incorrect Authorization** in document sharing functionality.\n\n## 🔗 **Key Links**\n\n- **📋 [Issue #1: Security Vulnerability Report](https://github.com/MattUebel/vulnerability-example/issues/1)** - Detailed vulnerability analysis and reproduction steps\n- **🔧 [Pull Request #2: Security Fixes](https://github.com/MattUebel/vulnerability-example/pull/2)** - Comprehensive security implementation and testing\n\n## 🚨 **Vulnerability Summary**\n\n**The Problem**: Any authenticated user can use any share code to access documents they don't own.\n\n**Real-World Scenario**: \n- Alice creates a share code intended for Bob\n- Eve (an attacker) intercepts or guesses the share code\n- Eve can access Alice's confidential document using Bob's intended share code\n- The same share code can be reused multiple times\n\n**Security Classification**: \n- [CWE-863: Incorrect Authorization](https://cwe.mitre.org/data/definitions/863.html)\n- [OWASP A01:2021 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n- **Severity**: High\n\n## 🎯 **Quick Demonstration**\n\n```bash\n# Start the vulnerable application\ndocker compose up --build\n\n# Run the exploit demonstration\n./exploit_demo.sh\n\n# View API documentation\nopen http://localhost:8000/docs\n```\n\nThe `exploit_demo.sh` script demonstrates the complete attack scenario where Eve successfully accesses Alice's document using Bob's intended share code.\n\n## 👥 **Test Users**\n\nAll users have password `password123`:\n- **alice** - Document owner (creates share codes)\n- **bob** - Intended recipient \n- **eve** - Unauthorized attacker\n\n## 📚 **Educational Purpose**\n\nThis repository demonstrates:\n- How authorization bypass vulnerabilities occur in real applications\n- The impact of insufficient access controls in document sharing systems\n- Proper security implementation and testing practices\n\nFor detailed technical analysis, vulnerability reproduction steps, and comprehensive security fixes, see the linked issue and pull request above.\n\n---\n*This application is intentionally vulnerable for educational purposes only.*\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmattuebel%2Fvulnerability-example",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fmattuebel%2Fvulnerability-example",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmattuebel%2Fvulnerability-example/lists"
}