VulnerableApp v1.10 releases: OWASP VulnerableApp Project

OWASP VulnerableApp

As Web Applications are becoming popular these days, there comes a dire need to secure them. Although there are several Vulnerability Scanning Tools, however, while developing these tools, developers need to test them. Moreover, they also need to know how well is the Vulnerability Scanning tool performing. As of now, there are few or no such vulnerable applications existing for testing such tools. There are Deliberately Vulnerable Applications existing in the market but they are not written with such intent and hence lag extensibility, e.g. adding new vulnerabilities is quite difficult. Hence, the developers resort to writing their own vulnerable applications, which usually causes productivity loss and the pain to rework.

OWASP VulnerableApp is built keeping these factors in mind. This project is scalable, extensible, easier to integrate and easier to learn. As solving the above issue requires the addition of various vulnerabilities, hence it becomes a very good platform to learn various security vulnerabilities.

Future Goal

Going further, this application might become a database for vulnerabilities. Hence, in the future, it can be used for hosting CTFs and can also become a compliance/benchmark for Vulnerability Scanning tools.

Currently handled Vulnerability types

1. JWT Vulnerability
2. Command Injection
3. File Upload Vulnerability
4. Path Traversal Vulnerability
5. SQL Injection
   1. Error Based SQLi
   2. Union Based SQLi
   3. Blind SQLi
6. XSS
   1. Persistent XSS
   2. Reflected XSS
7. XXE
8. Open Redirect
   1. Http 3xx Status code based

Changelog v1.10

This release includes:

1. Onboarding to new User Interface for Owasp VulnerableApp-Facade
2. Addition of Content-Disposition based File Upload attack
3. Introduction to ‘Secure’ and ‘Unsecure’ marker for vulnerability levels
4. Introduction to a better descriptive payload for SQL Injections
5. Removed sample values from Annotation
6. Addition of expected_issues.csv file which contains the vulnerabilities presents in VulnerableApp and is used by SAST tools to evaluate themselves.

Install

Copyright (C) 2019 SasanLabs