https://github.com/rubennati/vulnerable-php-code-examples
Deliberately vulnerable PHP code examples for testing static analysis tools and security training, covering common vulnerabilities such as SQL Injection, XSS, CSRF, and more.
- Host: GitHub
- URL: https://github.com/rubennati/vulnerable-php-code-examples
- Owner: rubennati
- License: mit
- Created: 2019-06-29T22:29:20.000Z (almost 7 years ago)
- Default Branch: master
- Last Pushed: 2026-04-27T00:35:56.000Z (about 2 months ago)
- Last Synced: 2026-04-27T02:28:30.936Z (about 2 months ago)
- Topics: owasp, php, security, static-analysis, vulnerable
- Language: PHP
- Homepage:
- Size: 330 KB
- Stars: 12
- Watchers: 0
- Forks: 36
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# PHP Vulnerability Examples for Static Analysis
A collection of deliberately vulnerable PHP code examples for use with static analysis tools (SATs), security training, and research.
Originally created as part of a Master's program project in IT-Security at the University of Applied Sciences Vienna (FH Technikum Wien).
## Vulnerabilities Covered
| File | Vulnerability |
|------|--------------|
| `src/sql-injection.php` | SQL Injection (PDO, SQLite) |
| `src/sql-injection_2.php` | SQL Injection (PDO, SQLite) |
| `src/cross-site-scripting-xss.php` | Cross-Site Scripting (XSS) |
| `src/basic-collection.php` | XSS, SQL Injection, Command Injection, Deprecated Functions |
| `src/path-traversal.php` | Path Traversal / Local File Inclusion |
| `src/csrf.php` | Cross-Site Request Forgery (CSRF) |
| `src/insecure-file-upload.php` | Insecure File Upload |
| `src/idor.php` | Insecure Direct Object Reference (IDOR) |
| `src/open-redirect.php` | Open Redirect |
| `src/sensitive-data-exposure.php` | Sensitive Data Exposure (Hardcoded Credentials) |
| `src/remote-file-inclusion.php` | Remote File Inclusion (RFI) |
| `src/insecure-deserialization.php` | Insecure Deserialization |
| `src/xxe.php` | XML External Entity (XXE) |
| `src/ldap-injection.php` | LDAP Injection |
| `src/security-misconfiguration.php` | Security Misconfiguration |
| `src/weak-cryptography.php` | Weak Cryptography |
| `src/session-fixation.php` | Session Fixation |
| `src/type-juggling.php` | Type Juggling — Loose Comparison |
| `src/type-juggling_2.php` | Type Juggling — Type Casting |
### Tool-specific Test Files
Files under `src/tool-examples/` contain test code tailored to specific SATs:
| File | Tool |
|------|------|
| `src/tool-examples/progpilot.php` | [Progpilot](https://github.com/designsecurity/progpilot) |
| `src/tool-examples/phpcs-security-audit.php` | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) |
| `src/tool-examples/php-security-scanner.php` | [php-security-scanner](https://github.com/dustyfresh/PHP-vulnerability-audit-cheatsheet) |
## Usage
```bash
git clone https://github.com/rubennati/vulnerable-php-code-examples.git
```
Run any PHP SAT against the files in `src/`. The SQLite database in `database/` is used by the SQL injection examples.
## Related
This repository is based on research comparing open-source PHP static analysis tools and their effectiveness when combined into a toolchain. The evaluated SATs include Progpilot, phpcs-security-audit, php-security-scanner, OWASP WAP, SonarPHP, RIPS, and others.
**Related projects (FH Technikum Wien, PRJ1/PRJ2):**
- [vulnerability-code-scanner](https://gitlab.com/FHTW-MCS-PRJ/vulnerability-code-scanner) — Laravel-based toolchain combining the three selected SATs
- [PHP-Vulnerability-test-suite](https://gitlab.com/FHTW-MCS-PRJ/PHP-Vulnerability-test-suite) — 42,212 PHP test cases (29,258 safe / 12,954 unsafe)
## Warning
This repository contains intentionally insecure code. Do not deploy or use in production environments.