Vulnerabilities | Programming languages | Run a vulnerable code snippet | Installation | Update
YesWeHack presents code snippets containing several different vulnerabilities to practice your code analysis in a safe dockerized environment. The vulnerable code snippets are suitable for all skill levels.
~ New vulnerable code snippet on Twitter @yeswehack every Friday!
If you want to see something special or if you just have an idea about a vulnerable code snippet, feel free to create a "New Issue" where you explain your idea, no idea is stupid.
Be sure to run this in a secure environment, as the code is vulnerable and is intended to be used for learning code analysis! By default, all vulnerable code snippets contain a docker setup that isolates the code from your host system and makes it safe to run (read more in the section "Run a vulnerable code snippet").
A collection of all vulnerable code snippets posted on our Twitter
ID | Vulnerability | Description
---|---|---
#1 | SQLi & XSS | Backslash filter collide
#2 | Improper file access & XSS | Invalid char and regex verification
#3 | Log Forging injection, Path traversal & Code injection | Poor filter and improper include() handling
#4 | XSS | Invalid user input filter
#5 | SSRF & Broken authorization | Trusted user input and client IP from header
#6 | SSTI | Mixed input format
#7 | SQLi | Use of invalid variable within statement
#8 | CSRF | No CSRF token included
#9 | Open Redirect | Invalid regex handler
#10 | DOM XSS | Backend filter collides with client side JavaScript
#11 | CORS | Misconfigured Access-Control-Allow header
#12 | CSRF/ClickJacking | GET request CSRF with insecure delete process / ClickJacking - X-Frame-Options set in HTML meta tag
#13 | Path Traversal/Unrestricted File Upload | Poor Path Traversal and file upload protection results in a code injection
#14 | DoS | Incorrect operator handler in "for loop"
#15 | Weak Password Recovery Mechanism for Forgotten Password | Weak hash for password recovery
#16 | IDOR | Insecure if statement leads to improper access control
#17 | Insecure deserialization | Execute trusted user input inside pickle function loads()
#18 | Path Traversal | Improper user validation of filename
#19 | Open Redirect | Invalid handling of user-controlled input "location.hash"
#20 | SQL injection | Invalid use of the function replace(); the character is only replaced once
#21 | PostMessage DOM XSS | No origin validation, leading to PostMessage DOM XSS
#22 | XSS/OpenRedirect | The filter protection does not filter all special characters that can be used to exploit the vulnerabilities
#23 | Buffer overflow | Takes the user's STDIN input with the gets() function without checking the buffer size
#24 | SQL injection | Incorrect use of the PHP function addslashes()
#25 | XSS - CSP bypass | No validation of user input along with insecure handling of nonce
#26 | Path Traversal | The filter provided by the PHP function "preg_replace()" is limited to filtering only the first 10 characters
#27 | Web Cache Poisoning | The HTTP header Referer is reflected in the cached response body without being filtered
#28 | Business logic vulnerability | An attacker can withdraw negative amounts to increase the overall balance of their account
#29 | IDOR | An attacker can gain access to sensitive data from other users by performing a Forced browsing attack
#30 | Insecure deserialization | Use of a dangerous function (exec) that can be controlled by the user, resulting in an RCE
#31 | LFI | No proper character escaping or filter verification. The include() function executes all PHP code in the given file, no matter the file extension, resulting in code injection
#32 | Format injection | Formats a string containing values provided by the client, resulting in a format injection
#33 | SQL injection (second order) | All SQL queries use prepared statements except the last one. This statement extracts a value from the database that was once controlled by the user and adds it to the SQL query, leading to an SQL injection (second order)
#34 | Regular expression Denial of Service (ReDoS) | Poorly configured regex pattern used to filter user-controlled input
#35 | XSS | Trusted user input in GET parameter
#36 | Unrestricted File Upload | Insufficient validation of the file extension of the uploaded file and missing validation of the file content
#37 | SSRF | Insecure handling of the proxy header X-Forwarded-Host and cURL leading to a full SSRF
#38 | Code injection | The user can write customised content to a selected file which is then launched on the vulnerable system
#39 | LFI | Exploitation of an LFI makes it possible to run the tool pearcmd, resulting in a remote code execution
#40 | Unrestricted File Upload | The php3 extension can be used to execute PHP code due to the configuration in the Apache proxy
#41 | Command injection | Invalid usage of escapeshellcmd leads to a command injection vulnerability
#42 | Command injection | No validation of user input is performed, leading to a command injection vulnerability
#43 | SSTI | Improper usage of the template engine leading to an SSTI which results in an RCE
- Broken access control - CWE-284
- Code injection - CWE-94
- Cross Site Request Forgery (CSRF) - CWE-352
- SQL injection (SQLi) - CWE-89
- Cross Site Scripting (XSS) - CWE-79
- Open Redirect - CWE-601
- Server-side template injection (SSTI) - CWE-1336
- Server Side Request Forgery (SSRF) - CWE-918
- Cross Origin Resource Sharing (CORS) - CWE-942
- Clickjacking - CWE-1021
- Unrestricted File Upload - CWE-434
- Path Traversal - CWE-35
- Denial Of Service - CWE-400
- Weak Password Recovery Mechanism for Forgotten Password - CWE-640
- Insecure Direct Object Reference (IDOR) - CWE-639
- Deserialization Of Untrusted Data - CWE-502
- Local File Inclusion - CWE-98
- Buffer Overflow - CWE-120
- Acceptance of Extraneous Untrusted Data With Trusted Data ("Cache Poisoning") - CWE-349
- Business Logic Errors - CWE-840
- Format injection - CWE-134
- Command injection - CWE-77
Also included
- SQL (MySQL)
- HTML
- CSS
In each vulnerable code snippet (Vsnippet) folder there is a docker-compose.yml file. To start a Vsnippet in an isolated docker environment, simply run the following command:
docker compose up --build
or
docker-compose up --build
git clone https://github.com/yeswehack/vulnerable-code-snippets.git
To get the latest vulnerable code snippets, run:
git pull
~ H4v3 y0u f0und th3 E4st3r 3gg y3t?
For questions, help, or if you have discovered a problem with the code, contact us on Twitter: @yeswehack