MCPcopy Index your code
hub / github.com/SasanLabs/VulnerableApp

github.com/SasanLabs/VulnerableApp @2.1.4

Chat with this repo
repository ↗ · DeepWiki ↗ · release 2.1.4 ↗ · + Follow
1,378 symbols 4,784 edges 186 files 171 documented · 12%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

OWASP VulnerableApp OWASP VulnerableApp

OWASP Incubator License Java CI with Gradle PRs Welcome Docker Pulls codecov

Break it. Scan it. Reproduce it. Benchmark against it. Improve it.

OWASP VulnerableApp is a modular deliberately vulnerable application designed primarily for validating and benchmarking security scanners through reproducible test scenarios, while also supporting learning and experimentation.

🔍 What makes it different

Unlike traditional vulnerable applications, VulnerableApp is designed as a testable security ecosystem, not a static training app.

It enables:

  • 🔬 Scanner benchmarking for tools like Burp Suite, OWASP ZAP, and custom DAST engines
  • 🧩 Modular vulnerability design that allows new scenarios without modifying core services
  • 📊 Security regression testing across releases and environments
  • 🎯 Realistic attack surface simulation for modern web application patterns
  • 🧪 Deterministic vulnerability behavior for repeatable scanning results
  • 🧠 Built for security engineers, researchers, and educators

Entire architecture stack

VulnerableApp helps you:

  • Validate how security tools behave across known vulnerability patterns
  • Build controlled environments for security experimentation
  • Extend vulnerability coverage as new attack techniques emerge
  • Run consistent, repeatable security testing pipelines

⚙️ Why it matters

Most vulnerable apps are: - Static - Hard to extend - Designed only for manual learning

VulnerableApp is built for:

automation, reproducibility, and evolution

User Interface

VulnerableApp-facade UI

Running the project

There are 2 ways to run the project: 1. The simplest way to run the project is using Docker containers which will run the full-fleged VulnerableApplication with all the components. For running as Docker application, follow following steps: 1. Download and Install Docker Compose 2. Clone this Github repository 3. Open the terminal and Navigate to the Project root directory 4. Run the command docker-compose pull && docker-compose up 5. Navigate to browser and visit http://localhost and this will give the User Interface for VulnerableApp. 6. Mailpit is also available at http://localhost:8025 for viewing emails captured by the local SMTP server.

**Note**: The above steps will run the latest unreleased VulnerableApp version. If you want to run the latest released version, please use docker **latest** tag.
  1. Another way to run the VulnerableApp is as standalone Vulnerable Application is:
    1. Navigate to Releases Section in github and download the Jar for the latest released version
    2. Open the terminal and navigate to the project root directory
    3. Run the command java -jar VulnerableApp-*
    4. Navigate to browser and visit http://localhost:9090/VulnerableApp. This will give the Legacy User Interface for the VulnerableApp.

Building the project

There are 2 ways in which this project can be built and used: 1. As a Docker application which will help in running the full-fledged VulnerableApplication. For running as Docker application, follow following steps: 1. Build the docker image by running ./gradlew jibDockerBuild 2. Download Docker-Compose and run in the same directory docker-compose up 3. Navigate to browser and visit http://localhost and this will give the User Interface for VulnerableApp. 2. As a SpringBoot application which will run with the Legacy UI or Rest API but gives the benefit of debugging and solving issues. This is the simple way, 1. Import the project into your favorite IDE and run it 2. Navigate to browser and visit: http://localhost:9090/VulnerableApp and this will give the Legacy User Interface for VulnerableApp which you can use to debug and test.

Contributing to Project

There are multiple ways in which you can contribute to the project: 1. If you are a developer and trying to start on to the project, then the suggestion is to go through the list of issues which contains good first issue which can be a good starter. 2. If you are a developer or a security professional looking to add new Vulnerability type then you can Generate the Sample Vulnerability by running ./gradlew GenerateSampleVulnerability. It will generate the Sample Vulnerability template which has placeholders and comments. Modified files can be seen in the logs of the command or in the github history. You can navigate to those files, fill in the placeholders and then build the project to see the effect of the changes. 3. In case you are looking to contribute to the project by publicising it or working on the growth of the project, please feel free to add your thoughts to discussions section or issues and we can discuss over them.

Testing with Modern UI

VulnerableApp-facade provides a modern UI for VulnerableApp. To test your local changes with the Modern UI:

  1. Prerequisite: Ensure you have Docker and Docker-Compose installed.
  2. Run Testing Script:
  3. On Windows: .\scripts\testWithModernUI.bat
  4. On Linux/Mac: ./scripts/testWithModernUI.sh

This script will build your local changes into a Docker image (sasanlabs/owasp-vulnerableapp:unreleased) and start the full stack (including facade, jsp, and php services) using docker-compose.local.yml.

  1. Access the UI: Navigate to http://localhost to see the modern UI with your changes.

  2. Access Mailpit: Navigate to http://localhost:8025 to view emails captured by the local SMTP server.

Technologies used

  • Java17
  • Spring Boot
  • ReactJS
  • Javascript/TypeScript

Connecting to embedded H2 database

For accessing database from browser, visit: http://localhost:9090/VulnerableApp/h2

Database Connection properties:

JDBC Url: jdbc:h2:mem:testdb
User Name: admin
Password: hacker

Currently handled Vulnerability types

  1. JWT Vulnerability
  2. Command Injection
  3. Cryptography Failures
  4. File Upload Vulnerability
  5. Path Traversal Vulnerability
  6. SQL Injection
    1. Error Based SQLi
    2. Union Based SQLi
    3. Blind SQLi
  7. XSS
    1. Persistent XSS
    2. Reflected XSS
  8. XXE
  9. Open Redirect
    1. Http 3xx Status code based
  10. SSRF
  11. IDOR
  12. Clickjacking
  13. LDAP Injection
  14. Authentication Vulnerability

Benchmarking your scanner

VulnerableApp ships a comparator that grades a scanner's findings against the project's built-in ground truth and writes a coverage / missed / unmatched report. Both DAST and SAST scanners are supported via the same endpoint:

  • Endpoint: POST http://<baseurl>/VulnerableApp/scanner/benchmark
  • Request body — pick the shape that matches your scanner:
  • DAST: { tool, scanType: "DAST", findings: [ { url, type, cwe, wascId } ] } (scanType is optional and defaults to DAST; type/cwe/wascId are individually optional — any one axis matching is enough)
  • SAST: { tool, scanType: "SAST", findings: [ { filePath, line, cwe, type } ] }
  • Response body and benchmarks/<tool>-results.json on disk: coverage report

Running the scanner itself is out of scope — you supply the JSON. See benchmarks/README.md for the full input/output schemas, matching rules, canonical vulnerability-type vocabulary, and curl examples.

Contact

In case you are stuck with any of the steps or understanding anything related to project and its goals, feel free to shoot a mail at karan.sasan@owasp.org or raise an issue and we will try our best to help you.

Documentation and References

  1. Documentation
  2. Design Documentation
  3. Owasp VulnerableApp
  4. Overview video for OWASP Spotlight series
  5. Overview Video

Blogs

  1. Overview of Owasp-VulnerableApp - Medium article
  2. Overview of Owasp-VulnerableApp - Blogspot post
  3. Introduction to Owasp VulnerableApp by Kenji Nakajima
  4. Gen AI based platform Shannon exploiting VulnerableApp
  5. I Built the OWASP ZAP File Upload Addon. Here’s Why VulnerableApp-Facade Had to Exist First

Usage of OWASP VulnerableApp

  1. View Global Academic Interest

Troubleshooting references

  1. Reddit exploiting SQL Injection Vulnerability

Readme in other languages

  1. Russian
  2. Chinese
  3. Hindi
  4. Punjabi

Extension points exported contracts — how you extend this code

BenchmarkStrategy (Interface)
Compares a scanner's findings against a specific kind of ground truth (e.g. DAST endpoints, SAST source-level expected i [5 …
src/main/java/org/sasanlabs/benchmark/service/BenchmarkStrategy.java
IEndPointsInformationProvider (Interface)
This is used for providing the entire information about the vulnerableApp like VulnerableEndpoints/Levels. This informat [2 …
src/main/java/org/sasanlabs/service/IEndPointsInformationProvider.java
IJWTTokenGenerator (Interface)
Signs JWT token based on the various algorithms like: 1. HS256 2. RS256 @author KSASAN preetkaran20@gmail.com [2 implementers]
src/main/java/org/sasanlabs/service/vulnerability/jwt/IJWTTokenGenerator.java
IJWTValidator (Interface)
JWTValidator is used for validating jwt token. it will contain various implementations of validating libraries. @author [2 …
src/main/java/org/sasanlabs/service/vulnerability/jwt/IJWTValidator.java
IExpectedIssuesProvider (Interface)
Source of SAST ground truth — the set of known vulnerability sites in VulnerableApp's source tree. Implementations can r [2 …
src/main/java/org/sasanlabs/benchmark/service/IExpectedIssuesProvider.java

Core symbols most depended-on inside this repo

getContent
called by 129
src/main/java/org/sasanlabs/service/vulnerability/xss/persistent/Post.java
toString
called by 79
src/main/java/org/sasanlabs/service/vulnerability/jwt/keys/SymmetricAlgorithmKey.java
getBytes
called by 68
src/main/java/org/sasanlabs/service/vulnerability/jwt/bean/JWTUtils.java
getIsValid
called by 64
src/main/java/org/sasanlabs/service/vulnerability/bean/GenericVulnerabilityResponseBean.java
getUrlForVulnerabilityLevel
called by 45
src/main/resources/static/vulnerableApp.js
getString
called by 43
src/main/java/org/sasanlabs/service/vulnerability/jwt/bean/JWTUtils.java
equals
called by 43
src/main/java/org/sasanlabs/service/vulnerability/jwt/keys/SymmetricAlgorithmKey.java
compare
called by 42
src/main/java/org/sasanlabs/benchmark/service/BenchmarkStrategy.java

Shape

Method 1,078
Function 153
Class 123
Interface 15
Enum 9

Languages

Java89%
TypeScript11%

Modules by API surface

src/test/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerabilityTest.java45 symbols
src/test/java/org/sasanlabs/service/vulnerability/openRedirect/Http3xxStatusCodeBasedInjectionTest.java39 symbols
src/test/java/org/sasanlabs/service/vulnerability/commandInjection/CommandInjectionTest.java38 symbols
src/test/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalTest.java36 symbols
src/test/java/org/sasanlabs/service/vulnerability/cachePoisoning/CachePoisoningVulnerabilityTest.java31 symbols
src/main/resources/static/vulnerableApp.js31 symbols
src/main/java/org/sasanlabs/service/vulnerability/cachePoisoning/CachePoisoningVulnerability.java28 symbols
src/test/java/org/sasanlabs/benchmark/service/DastBenchmarkStrategyTest.java24 symbols
src/main/java/org/sasanlabs/beans/LevelResponseBean.java22 symbols
src/test/java/org/sasanlabs/service/vulnerability/jwt/impl/JWTValidatorTest.java21 symbols
src/main/java/org/sasanlabs/service/vulnerability/jwt/JWTVulnerability.java18 symbols
src/main/java/org/sasanlabs/service/vulnerability/authentication/AuthUser.java18 symbols

For agents

$ claude mcp add VulnerableApp \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact