OWASP VulnerableApp

As web applications become ever more popular, there is a growing need to secure them. Many tools exist for finding security vulnerabilities, but the developers of those tools need something to test them against, and there are few or no extensible vulnerable applications built for that purpose. Deliberately vulnerable applications do exist, but they were not written with this intent and so lack extensibility: adding new vulnerabilities to them is quite difficult.

So developers generally write their own vulnerable applications, which costs productivity and often duplicates work. VulnerableApp is built with these factors in mind, so the project aims to be scalable, extensible, easy to integrate and easy to learn.

Scope

The scope of this project is not limited to payload testing for dynamic vulnerability scanning tools. With the addition of various kinds of vulnerabilities, it can become a very good platform for learning about security vulnerabilities, can be used to host CTFs, and in future can become a compliance benchmark for dynamic vulnerability scanning tools.

Contribution

Everyone is welcome and encouraged to participate in our Project.

Communication

Please feel free to reach out to us on our VulnerableApp Slack channel.

OWASP is a fantastic place to learn about application security, to network, and even to build your reputation as an expert. We also encourage you to become a member or consider a donation to support our ongoing work.

More Information on Project


Roadmap

Vision for the project:

The overall vision for the project is to implement a platform capability that makes it easier to write vulnerable code and to expose it through an API and a UI.

Usage of the project:

This project mainly targets four types of audience:

  • Developers of Vulnerability Scanning tools
  • New vulnerability finders (for faster demonstration of a vulnerability)
  • Security enthusiasts and students who want to learn more about security
  • CTF organizers (a platform to host CTFs by choosing vulnerabilities present in the project)

Initial high level plan:

The basic idea for this project is to build an extensible framework driven by configuration, so that developers who want to introduce new vulnerable code into the project need to write minimal boilerplate and the learning curve for the configuration is minimal.

Looking at it, the first approach that comes to mind is to provide a framework similar to Spring, i.e. an annotation-driven framework for including a vulnerability type, for adding a new vulnerability to an existing vulnerability type, and for adding a user interface for the same.
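A sketch, added here and not code from the VulnerableApp project, of what such an annotation-driven framework could look like: a registry discovers vulnerability types and their levels by reflection, so a contributor adds a level by writing one annotated method. The annotation names, the registry and the reflected-XSS sample type are all assumptions for illustration; save the file as Demo.java.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

// Hypothetical annotations (assumed, not the project's own): a class is a vulnerability type, each annotated method is one level of it.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface VulnerabilityType { String value(); }
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface VulnerabilityLevel { String value(); boolean secure() default false; }

// The registry discovers levels by reflection, so a new level needs no separate configuration entry.
class VulnerabilityRegistry {
    private final Map<String, Map<String, Method>> levels = new TreeMap<>();
    private final Map<String, Object> handlers = new HashMap<>();

    void register(Object handler) {
        VulnerabilityType type = handler.getClass().getAnnotation(VulnerabilityType.class);
        if (type == null) throw new IllegalArgumentException("missing @VulnerabilityType");
        for (Method m : handler.getClass().getDeclaredMethods()) {
            VulnerabilityLevel lvl = m.getAnnotation(VulnerabilityLevel.class);
            if (lvl != null) levels.computeIfAbsent(type.value(), k -> new TreeMap<>()).put(lvl.value(), m);
        }
        handlers.put(type.value(), handler);
    }

    // What an API endpoint would dispatch to; a UI would list levels.keySet() per type.
    String invoke(String type, String level, String input) throws Exception {
        Method m = levels.getOrDefault(type, Collections.<String, Method>emptyMap()).get(level);
        if (m == null) throw new NoSuchElementException("unknown " + type + "/" + level);
        return (String) m.invoke(handlers.get(type), input);
    }
}

// Sample type: LEVEL_1 echoes input unescaped (a scanner should flag it); SECURE escapes it (a scanner should stay quiet).
@VulnerabilityType("XSS_REFLECTED")
class ReflectedXss {
    @VulnerabilityLevel("LEVEL_1")
    public String level1(String name) { return "<p>Hello " + name + "</p>"; }
    @VulnerabilityLevel(value = "SECURE", secure = true)
    public String secureLevel(String name) {
        return "<p>Hello " + name.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;") + "</p>";
    }
}

public class Demo {
    public static void main(String[] args) throws Exception {
        VulnerabilityRegistry registry = new VulnerabilityRegistry();
        registry.register(new ReflectedXss());
        System.out.println(registry.invoke("XSS_REFLECTED", "LEVEL_1", "<b>x</b>"));
        System.out.println(registry.invoke("XSS_REFLECTED", "SECURE", "<b>x</b>"));
    }
}
```

Having both a weak and a secure level under one type lets a scanner be checked for detection and for false positives with the same request.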

  • Milestone 1: Alpha release - Building extensible backend Platform
  • Milestone 2: Beta release - Building extensible User Interface
  • Milestone 3: Gamma release - Addition of 50 vulnerabilities using the above mentioned Platform
  • Milestone 4: Release 1
  • Milestone 5: Dev lifecycle integration

Current State

To learn about the current state, please go to the Git repository and also visit the issues section for new enhancements, tech debts and bugs.

Timeframes

This is hard to estimate as it depends on the number of contributors, but as of now I have already built some of the pieces of the backend platform and have started building the frontend platform. Adding 50 vulnerabilities can take quite a lot of time, so the plan is to release this project around July 31 2020.

Technology

Technologies used in this project are:

Mainly:

  1. Java-8
  2. SpringBoot
  3. Vanilla Javascript
  4. Vanilla CSS

But we are not limited to the above technologies and can extend to new horizons. In case you have any idea on a technology and how it could suit us, please reach out to us on our Slack channel.

Challenges

There are many; please visit Issues for more information.