OWASP VulnerableApp-Facade

Owasp VulnerableApp-facade

OWASP Incubator License PRs Welcome

As we are seeing a lot of technological enhancements in the industry from past few years, these technical enhancements are solving one or the other problem however with that they also bring few different vulnerabilities. VulnerableApps are generally written in one of the techstacks like either Node.js or Java with a SQL or NoSQL database etc and hence they are not able to expand to a whole new set of Vulnerabilities which are present in other technologies. Also adding more vulnerabilities in a single vulnerable application makes it heavier and complex which finally makes it unmaintainable. So VulnerableApp-facade is built to solve this problem by building a distributed farm of Vulnerable Applications such that they can be built agnostic to tech stacks.

High Level Design Details

High Level Design

VulnerableApp-facade is a small component which acts as a webserver and a gateway. It routes the calls to different Vulnerable Applications which are registered with it based on a url pattern. It also exposes a schema/contract (Vulnerability Definition) and if a vulnerable application adhere to that then it will be able to intract and route the traffic to that vulnerable application. It also provides the generic skeleton UI which it builds by reading the provided schema (Vulnerability Definition) from the vulnerable application and then loads the UI specific to vulnerable application inside the skeleton UserInterface.

How to run the project

VulnerableApp-facade is a farm of vulnerable applications where each application runs as a docker container. VulnerableApp-facade has docker-compose.yml file which contains docker configuration of other vulnerable applications along with docker configuration of VulnerableApp-facade.

Simple Start

In order to run entire suit please download the docker-compose.xml and run the following command from terminal: docker-compose up Then naviate to http://localhost:8080 to play with the application

Advanced Start

As docker-compose.xml contains all the applications which adhere to the schema of VulnerableApp-facade so in cause you are looking for specific vulnerable applications like only Java related vulnerable applications then remove other vulnerable applications from docker-compose.xml and then run steps as mentioned in the Simple start step.

How to Contribute to the project

VulnerableApp-facade have majorly 2 components:

  1. Static files
  2. Lua module

Static files are used to load the skeleton UserInterface and Lua module is used to merge the Vulnerability Definitions exposed by different vulnerable applications. So you just need to do the changes in any of the components and then build the docker image using command docker build . -t owasp-vulnerableapp_facade and then run the project as mentioned at How to run the project


Please feel free to reach out to us on our VulnerableApp Slack Channel or send an email to [email protected] for any queries.

OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to be become a member or consider a donation to support our ongoing work.

Project’s Github Repository


Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.