tkisason / vulnapi

Intentionaly very vulnerable API with bonus bad coding practices

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

vulnapi

Intentionaly very vulnerable API with bonus extremely bad coding practices

NOTE: This is by design a vulnerable application. It's primary use is to demonstrate bad coding practices (in python3) and in operations (docker, etc) and to show off specific vulnerabilities that are not well presented in some other projects. Another use if to have an application that can be used as a demo for various devsecops methods

DO NOT USE ANY PIECE OF THIS CODE IN PRODUCTION! Really. This code is vulnerable to remote code execution, don't leave it in the open

Current implemented vulns:

  • Couple of cases of data exposure (by triggering logic issues)
  • Mass assignment vulnerabilities
  • Broken object level autorization
  • Broken authentication
  • RCE via deserialization
  • SQL injection
  • File inclusion / path traversal
  • Server Side Template Injection

Usage:

  • docker build --tag vulnapi .
  • docker run -it --rm -p8000:8000 vulnapi
  • open http://IP_OF_HOST:8000/docs in a webbrowser.

Pull requests, especially for cool, subtle bugs or bad practices are welcome. At least FastAPI makes it easy to implement examples.

About

Intentionaly very vulnerable API with bonus bad coding practices


Languages

Language:Python 94.6%Language:Dockerfile 4.6%Language:Shell 0.9%