This application has a number of security vulnerabilities deliberately built into it.
The purpose of this application is to verify that static analysis security tools find the vulnerabilities
You can find the issues by looking for the string #Oops
, which will appear in a comment near each issue.
This application only binds to localhost so other hosts on the network cannot call the vulnerable services.
The HashIt controller uses insecure random, and always produces the same sequence.
http://localhost:8080/hashit?value=foo
The first call to this will always produce an ID of: -723955400
The HashIt controller passes arbitrary input to the execution shell.
http://localhost:8080/hashit?value=meow;cat%20/etc/passwd;echo
The HashIt controller allows arbitrary input to be injected into SQL queries in both the hashit
and gethash
calls.
http://localhost:8080/gethash?id=-723955400' or '1'='1
The gethash
call renders user input in an HTML response.
The following injects some Javascript in the database:
http://localhost:8080/hashit?value="<script>alert(1)</script>"
The following renders it in the HTML page:
http://localhost:8080/gethash?id=-723955400' or '1'='1
The Proxy controller forwards HTTP requests to arbitrary hosts, ignoring SSL warnings.
The following URL displays the content from a URL with an invalid SSL configuration. http://localhost:8080/proxy?url=https://self-signed.badssl.com/