https://github.com/tkisason/vulnapi
Intentionally very vulnerable API with bonus bad coding practices
- Host: GitHub
- URL: https://github.com/tkisason/vulnapi
- Owner: tkisason
- Created: 2019-12-29T19:14:48.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-01-31T20:35:32.000Z (11 months ago)
- Last Synced: 2024-08-03T16:08:26.933Z (4 months ago)
- Language: Python
- Size: 20.5 KB
- Stars: 35
- Watchers: 5
- Forks: 21
- Open Issues: 2
Metadata Files:
- Readme: README.md
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-api-security - vulnapi
README
# vulnapi
Intentionally very vulnerable API with bonus extremely bad coding practices

*NOTE: This is by design a vulnerable application. Its primary use is to demonstrate bad coding practices (in python3) and in operations (docker, etc.) and to show off specific vulnerabilities that are not well presented in some other projects. Another use is to have an application that can be used as a demo for various devsecops methods.*
*DO NOT USE _ANY_ PIECE OF THIS CODE IN PRODUCTION! Really.*
*This code is vulnerable to remote code execution, don't leave it in the open.*

Currently implemented vulns:
* Couple of cases of data exposure (by triggering logic issues)
* Mass assignment vulnerabilities
* Broken object level authorization
* Broken authentication
* RCE via deserialization
* SQL injection
* File inclusion / path traversal
* Server Side Template Injection

Usage:
* docker build --tag vulnapi .
* docker run -it --rm -p8000:8000 vulnapi
* open http://IP_OF_HOST:8000/docs in a web browser.

Pull requests, especially for cool, subtle bugs or bad practices, are welcome. At least FastAPI makes it easy to implement examples.