Vulnerable SPA is an intentionally vulnerable Single Page Application (SPA) built with React and Spring Boot.

The project is designed as an open benchmark platform for evaluating and comparing modern Application Security and DevSecOps tools, including:

• SAST (Static Application Security Testing)
• DAST (Dynamic Application Security Testing)
• SCA (Software Composition Analysis)
• Container Security
• Secret Scanning
• AI-Assisted Security Review

The application contains intentionally introduced security weaknesses based on common OWASP Top 10 categories and provides a realistic environment for security testing, secure coding exercises, and DevSecOps pipeline validation.

• Demonstrate common web application vulnerabilities
• Provide a reproducible benchmark for security tools
• Support AppSec and DevSecOps training
• Validate CI/CD security pipelines
• Evaluate AI-powered security analysis solutions
• Practice secure coding and remediation techniques

• React
• JavaScript
• React Router

• Java 21
• Spring Boot 3
• Spring Security
• Maven

• H2 Database

• Semgrep
• SonarQube
• Trivy
• Docker Scout
• Gitleaks
• OWASP ZAP

vulnerable-spa/
├── backend/
│   ├── src/main/java/
│   │   └── com/example/vulnerablespa/
│   │       ├── config/
│   │       ├── controller/
│   │       ├── dto/
│   │       ├── model/
│   │       ├── repository/
│   │       └── security/
│   └── src/main/resources/
│       ├── db/migration/
│       ├── static/
│       └── application.properties
│
├── frontend/
│   ├── public/
│   └── src/
│       ├── components/
│       ├── pages/
│       └── utils/
│
├── .github/
│   └── workflows/
│
├── docs/
│
├── Dockerfile
├── pom.xml
└── README.md

• Build Architecture: docs/Maven-build.md
• Vulnerability Documentation: docs/
• Security Pipelines: .github/workflows/

• Java 21+
• Maven 3.9+
• Node.js 20+
• Docker

git clone https://github.com/kremlsa/vuln-spa.git

cd vuln-spa

docker build -t vuln-spa .

docker run \
  -e WAF_LEVEL=ADVANCED \
  -p 8080:8080 \
  vuln-spa

Available WAF modes:

NONE
BASIC
ADVANCED

Application URL:

http://localhost:8080

Build frontend:

cd frontend
npm install
npm run build

Build backend:

mvn clean install

Run application:

mvn spring-boot:run

• Authentication and session management
• User and administrator roles
• Notes CRUD operations
• Search functionality
• Cookie-based sessions
• Demonstration WAF
• REST API endpoints
• Security testing scenarios

Default credentials:

admin / admin
user / user

The project currently contains intentionally vulnerable implementations for educational and benchmarking purposes.

Documentation:

• XSS: docs/XSS.md
• Broken Authentication: docs/Broken-Authentication.md
• SQL Injection: docs/SQL-Injection.md

The repository includes security pipelines for:

• Gitleaks

• Semgrep
• SonarQube

• Trivy

• Trivy Container Scan
• Docker Scout

• OWASP ZAP

Learn common web application vulnerabilities and remediation techniques.

Compare:

• Semgrep
• SonarQube
• CodeQL
• OWASP ZAP
• Trivy
• Docker Scout
• AI Security Agents

Test security gates and DevSecOps workflows before production adoption.

Evaluate AI-assisted vulnerability detection and security review capabilities.

This application intentionally contains security vulnerabilities.

DO NOT deploy it to production environments.

The project is intended solely for:

• Security education
• Tool benchmarking
• Research
• Training labs

Contributions are welcome.

Possible contribution areas:

• New vulnerability scenarios
• Additional benchmark cases
• Security tooling integrations
• Documentation improvements
• CI/CD enhancements

Please see CONTRIBUTING.md for details.

Licensed under the Apache License 2.0.

See LICENSE for details.

Alexander Kremlev

GitHub: https://github.com/kremlsa