{"id":22487735,"url":"https://github.com/yeswehack/vulnerable-code-snippets","last_synced_at":"2025-12-24T21:04:33.195Z","repository":{"id":63432533,"uuid":"561255356","full_name":"yeswehack/vulnerable-code-snippets","owner":"yeswehack","description":"Twitter vulnerable snippets","archived":false,"fork":false,"pushed_at":"2025-03-17T09:54:26.000Z","size":14915,"stargazers_count":1061,"open_issues_count":1,"forks_count":183,"subscribers_count":27,"default_branch":"main","last_synced_at":"2025-08-02T21:04:39.693Z","etag":null,"topics":["bugbounty","code","code-analyze","example-code","owasp","snippets","vulnerable","web-application","websecurity","worst-practices"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yeswehack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-11-03T09:48:21.000Z","updated_at":"2025-07-30T14:41:38.000Z","dependencies_parsed_at":"2024-10-18T00:42:01.008Z","dependency_job_id":"cfcc39a6-6ef0-4ac3-a822-90ac2896c31e","html_url":"https://github.com/yeswehack/vulnerable-code-snippets","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/yeswehack/vulnerable-code-snippets","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yeswehack%2Fvulnerable-code-snippets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yeswehack%2Fvulnerable-code-snippets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yeswehack%2Fvu
lnerable-code-snippets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yeswehack%2Fvulnerable-code-snippets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yeswehack","download_url":"https://codeload.github.com/yeswehack/vulnerable-code-snippets/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yeswehack%2Fvulnerable-code-snippets/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28008450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-24T02:00:07.193Z","response_time":83,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","code","code-analyze","example-code","owasp","snippets","vulnerable","web-application","websecurity","worst-practices"],"created_at":"2024-12-06T17:17:09.725Z","updated_at":"2025-12-24T21:04:33.190Z","avatar_url":"https://github.com/yeswehack.png","language":"PHP","readme":"\u003c!--\nA 'Thank you' from us / YesWeHack\nMC0tPjAvJy8qPiovLTAtLyItMS8tMS0wLS8qPjxpbWcvc3JjLyUwYW9uZXJyb3I9LyoqLy1hbGVydCgxKTtvbmVycm9yLy8+\n\nTest it:\nhttps://dojo-yeswehack.com/Playground#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\n--\u003e\n\n\u003cdiv align=\"center\"\u003e\n \u003ch1\u003e\u003cimg src=\"./img/ywhlogo.png\" alt=\"YWH Logo\" width=\"24\" height=\"auto\"\u003e Vulnerable 
Code Snippets\u003c/h1\u003e\n \u003cimg src=\"./img/VsnippetBanner.gif\" alt=\"Vulnerable code snippet (Vsnippet) banner YesWeHack Github repository\" \u003e\n\u003c/div\u003e\n\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#vulnerabilities\"\u003eVulnerabilities\u003c/a\u003e |\n  \u003ca href=\"#programming-languages\"\u003eProgramming languages\u003c/a\u003e |\n  \u003ca href=\"#run-a-vulnerable-code-snippet\"\u003eRun a vulnerable code snippet\u003c/a\u003e |\n  \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e |\n  \u003ca href=\"#update\"\u003eUpdate\u003c/a\u003e\n\u003c/p\u003e\n\n\n[YesWeHack](https://www.yeswehack.com/) presents code snippets containing several different vulnerabilities to practice your code analysis in a safe dockerized environment. The vulnerable code snippets are suitable for all skill levels.\n\n~ New **vulnerable code snippet** at Twitter [@yeswehack](https://twitter.com/yeswehack) **every Friday**! 🗒\n\u003e If you want to see something special or if you just have an idea about a vulnerable code snippet, feel free to create a \"[New Issue](https://github.com/yeswehack/vulnerable-code-snippets/issues)\" where you explain your idea, **no idea is stupid**.\n\n---\n\n⚠️ **Be aware**\n\u003e Be sure to run this in a secure environment, as the code is vulnerable and is intended to be used for learning code analysis!\nBy default, all vulnerable code snippets contain a docker setup that isolates the code from your host system and makes it safe to run (*read more in the section: \"Run a vulnerable code snippet\"*).\n\n## Twitter (X) posts\nA collection of all vulnerable code snippets posted on our Twitter 📂  \n\n| ID | Vulnerability | Description |\n|---|---|---|\n📜[#1](https://twitter.com/yeswehack/status/1570757831468679169) | **SQLi \u0026 XSS** | Backslash filter collision  \n📜[#2](https://twitter.com/yeswehack/status/1573303741310271490) | **Improper file access \u0026 XSS** | Invalid char and regex verification  
\n📜[#3](https://twitter.com/yeswehack/status/1575839882269818881) | **Log Forging injection, Path traversal \u0026 Code injection** | Poor filter and improper `include()` handling  \n📜[#4](https://twitter.com/yeswehack/status/1578370258230194177) | **XSS** | Invalid user input filter  \n📜[#5](https://twitter.com/yeswehack/status/1580911299382296576) | **SSRF \u0026 Broken authorization** | Trusted user input and client IP from header  \n📜[#6](https://twitter.com/yeswehack/status/1583445497687130114) | **SSTI** | Mixed input format  \n📜[#7](https://twitter.com/yeswehack/status/1585979707522134017) | **SQLi** | Use of invalid variable within statement  \n📜[#8](https://twitter.com/yeswehack/status/1588531516665171969) | **CSRF** | No CSRF token included  \n📜[#9](https://twitter.com/yeswehack/status/1591068243439009798) | **Open Redirect** | Invalid regex handler  \n📜[#10](https://twitter.com/yeswehack/status/1593604941897236485) | **DOM XSS** | Backend filter collides with client-side JavaScript  \n📜[#11](https://twitter.com/yeswehack/status/1596141663075926017) | **CORS** | Misconfigured `Access-Control-Allow` header  \n📜[#12](https://twitter.com/yeswehack/status/1598678380072902660) | **CSRF/ClickJacking** | GET request CSRF with insecure delete process / ClickJacking - `X-Frame-Options` set in HTML meta tag  \n📜[#13](https://twitter.com/yeswehack/status/1601230194035105797) | **Path Traversal/Unrestricted File Upload** | Poor Path Traversal and file upload protection results in a code injection  \n📜[#14](https://twitter.com/yeswehack/status/1603751408678969347) | **DOS** | Incorrect operator handler in \"for loop\"  \n📜[#15](https://twitter.com/yeswehack/status/1606288516744347648) | **Weak Password Recovery Mechanism for Forgotten Password** | Weak hash for password recovery  \n📜[#16](https://twitter.com/yeswehack/status/1608822361419321350) | **IDOR** | Insecure if statement leads to improper access control  
\n📜[#17](https://twitter.com/yeswehack/status/1611361951644368898) | **Insecure deserialization** | Execute trusted user input inside pickle function `loads()`  \n📜[#18](https://twitter.com/yeswehack/status/1614985966178996225) | **Path Traversal** | Improper validation of user-supplied filename  \n📜[#19](https://twitter.com/yeswehack/status/1616435388507201536) | **Open Redirect** | Invalid handling of user-controlled input \"*location.hash*\"  \n📜[#20](https://twitter.com/yeswehack/status/1618972101943107584) | **SQL injection** | Invalid use of function `replace()`; the char is only replaced once  \n📜[#21](https://twitter.com/yeswehack/status/1621508813177212930) | **PostMessage DOM XSS** | No origin validation, leading to PostMessage DOM XSS  \n📜[#22](https://twitter.com/yeswehack/status/1626582253215318016) | **XSS/OpenRedirect** | The filter protection does not filter all special characters that can be used to exploit the vulnerabilities  \n📜[#23](https://twitter.com/yeswehack/status/1631655669244784640) | **Buffer overflow** | Takes user's STDIN input with the `gets()` function without checking the buffer size  \n📜[#24](https://twitter.com/yeswehack/status/1636725322447220739) | **SQL injection** | Incorrect use of the PHP function `addslashes()`  \n📜[#25](https://twitter.com/yeswehack/status/1639253229203599361) | **XSS - CSP bypass** | No validation of user input along with insecure handling of nonce  \n📜[#26](https://twitter.com/yeswehack/status/1641776354315190272) | **Path Traversal** | The filter provided by the PHP function \"preg_replace()\" is limited to filtering only the first 10 characters  \n📜[#27](https://twitter.com/yeswehack/status/1646854408196456448) | **Web Cache Poisoning** | The HTTP header `Referer` is reflected in the cached response body without being filtered  \n📜[#28](https://twitter.com/yeswehack/status/1649394393374248963) | **Business logic vulnerability** | An attacker can withdraw negative amounts to increase the overall balance of their 
account  \n📜[#29](https://twitter.com/yeswehack/status/1651933932198285314) | **IDOR** | An attacker can gain access to sensitive data from other users by performing a *Forced browsing* attack  \n📜[#30](https://twitter.com/yeswehack/status/1654465424560365568) | **Insecure deserialization** | Use of a dangerous function (`exec`) that can be controlled by the user, resulting in an RCE  \n📜[#31](https://twitter.com/yeswehack/status/1659568814609117185) | **LFI** | No proper character escaping or filter verification. The `include()` function executes all PHP code in the given file, no matter the file extension, resulting in code injection  \n📜[#32](https://twitter.com/yeswehack/status/1669693673846591488) | **Format injection** | Formats a string containing values provided by the client, resulting in a format injection  \n📜[#33](https://twitter.com/yeswehack/status/1678378536015372288) | **SQL injection (second order)** | All SQL queries use prepared statements except the last one. This statement extracts a value from the database that was once controlled by the user and adds it to the SQL query, leading to an SQL injection (second order)  \n📜[#34](https://twitter.com/yeswehack/status/1680877622685843456) | **Regular expression Denial of Service (ReDoS)** | Poorly configured regex pattern used to filter user-controlled input  \n📜[#35](https://twitter.com/yeswehack/status/1691057079996350464) | **XSS** | Trusted user input in GET parameter  \n📜[#36](https://twitter.com/yeswehack/status/1696130513038418312) | **Unrestricted File Upload** | Insufficient validation of the file extension of the uploaded file and missing validation of the file content  \n📜[#37](https://twitter.com/yeswehack/status/1705190707768479828) | **SSRF** | Insecure handling of the proxy header `X-Forwarded-Host` and cURL leading to a full SSRF  \n📜[#38](https://twitter.com/yeswehack/status/1709124683377885530) | **Code injection** | The user can write customised content to a selected file which 
is then launched on the vulnerable system  \n📜[#39](https://twitter.com/yeswehack/status/1717202895701954626) | **LFI** | Exploitation of an LFI makes it possible to run the tool *pearcmd*, resulting in a remote code execution  \n📜[#40](https://twitter.com/yeswehack/status/1745074482522243552) | **Unrestricted File Upload** | The `php3` extension can be used to execute PHP code due to the configuration in the Apache proxy  \n📜[#41](https://twitter.com/yeswehack) | **Command injection** | Invalid usage of `escapeshellcmd()` leads to a command injection vulnerability  \n📜[#42](https://x.com/yeswehack/status/1801619463097274624) | **Command injection** | No validation of user input is performed, leading to a command injection vulnerability  \n📜[#43](https://x.com/yeswehack/status/1775179767412593021) | **SSTI** | Improper usage of the template engine leading to an SSTI which results in an RCE  \n\n\n## Vulnerabilities\n- [Broken access control](https://owasp.org/www-community/Broken_Access_Control) - CWE-284\n- [Code injection](https://owasp.org/www-community/attacks/Code_Injection) - CWE-94\n- [Cross Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf) - CWE-352\n- [SQL injection (SQLi)](https://owasp.org/www-community/attacks/SQL_Injection) - CWE-89\n- [Cross Site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/) - CWE-79\n- [Open Redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) - CWE-601\n- [Server-side template injection (SSTI)](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/18-Testing_for_Server_Side_Template_Injection) - CWE-1336\n- [Server Side Request Forgery (SSRF)](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) - CWE-918\n- [Cross Origin Resource Sharing (CORS)](https://owasp.org/www-community/attacks/CORS_OriginHeaderScrutiny) - CWE-942\n- 
[Clickjacking](https://owasp.org/www-community/attacks/Clickjacking) - CWE-1021\n- [Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload) - CWE-434\n- [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) - CWE-35\n- [Denial Of Service](https://owasp.org/www-community/attacks/Denial_of_Service) - CWE-400\n- [Weak Password Recovery Mechanism for Forgotten Password](https://cwe.mitre.org/data/definitions/640.html) - CWE-640\n- [Insecure Direct Object Reference (IDOR)](https://cwe.mitre.org/data/definitions/639.html) - CWE-639\n- [Deserialization Of Untrusted Data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data) - CWE-502\n- [Local File Inclusion](https://cwe.mitre.org/data/definitions/98.html) - CWE-98\n- [Buffer Overflow](https://cwe.mitre.org/data/definitions/120.html) - CWE-120\n- [Acceptance of Extraneous Untrusted Data With Trusted Data (\"Cache Poisoning\")](https://cwe.mitre.org/data/definitions/349.html) - CWE-349\n- [Business Logic Errors](https://cwe.mitre.org/data/definitions/840.html) - CWE-840\n- [Format injection](https://cwe.mitre.org/data/definitions/134.html) - CWE-134\n- [Command injection](https://cwe.mitre.org/data/definitions/77) - CWE-77\n\n\n\n## Programming languages\n- [PHP](https://www.php.net/)\n- [Python](https://www.python.org/)\n- [Golang](https://go.dev/)\n- [Java](https://www.java.com/)\n- [JavaScript](https://www.javascript.com/)\n- [C](https://en.wikipedia.org/wiki/C_(programming_language))\n\n__Also included__\n- SQL ([MySQL](https://www.mysql.com/))\n- HTML\n- CSS\n\n---\n\n## Run a vulnerable code snippet\nIn each vulnerable code snippet (Vsnippet) folder there is a `docker-compose.yml` file. 
To start a Vsnippet in an isolated docker environment, simply run the following command:\n```bash\ndocker compose up --build\n```\nor\n```bash\ndocker-compose up --build\n```\n\n## Installation\n\n```bash\ngit clone https://github.com/yeswehack/vulnerable-code-snippets.git\n```\n\n## Update\nTo get the latest vulnerable code snippets, run:\n```bash\ngit pull\n```\n\n  ~ **H4v3 y0u f0und th3 E4st3r 3gg y3t?** 🐇🪺\n\nFor questions, help, or if you have discovered a problem with the code, contact us on Twitter: [@yeswehack](https://twitter.com/yeswehack) 📬\n","funding_links":[],"categories":["PHP"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyeswehack%2Fvulnerable-code-snippets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyeswehack%2Fvulnerable-code-snippets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyeswehack%2Fvulnerable-code-snippets/lists"}