Intentionaly very vulnerable API with bonus extremely bad coding practices
NOTE: This is by design a vulnerable application. It's primary use is to demonstrate bad coding practices (in python3) and in operations (docker, etc) and to show off specific vulnerabilities that are not well presented in some other projects. Another use if to have an application that can be used as a demo for various devsecops methods
DO NOT USE ANY PIECE OF THIS CODE IN PRODUCTION! Really. This code is vulnerable to remote code execution, don't leave it in the open
Current implemented vulns:
- Couple of cases of data exposure (by triggering logic issues)
- Mass assignment vulnerabilities
- Broken object level autorization
- Broken authentication
- RCE via deserialization
- SQL injection
- File inclusion / path traversal
- Server Side Template Injection
Usage:
- docker build --tag vulnapi .
- docker run -it --rm -p8000:8000 vulnapi
- open http://IP_OF_HOST:8000/docs in a webbrowser.
Pull requests, especially for cool, subtle bugs or bad practices are welcome. At least FastAPI makes it easy to implement examples.