sasanlabs / vulnerableapp-php
Vulnerable Application written in PHP
License: Apache License 2.0
Problem statement
If you look at VulnerableApp-facade, which is the user interface for VulnerableApp-php, it has a way to show hints so that users can learn about the vulnerability.
Solution
So we need to expose those hints objects; have a look at https://github.com/SasanLabs/VulnerableApp-php/blob/main/src/FileUploadVulnerability/FileUpload.php#L428 for exposing hint metrics. Hints are present in the object definition:
Currently we don't have a continuous deployment pipeline for deploying new Docker images on merging a PR. So we should have a GitHub Action which publishes the latest version with each PR merge, and a master GitHub Action to publish a newer release version.
Sample GitHub Action: https://github.com/SasanLabs/VulnerableApp-facade/blob/main/.github/workflows/docker.yml
As VulnerableApp-php is in its initial phase, we are using VSCode as the IDE for the project; we make the code changes and then use Docker to test them.
This is quite a tedious task, as there is no way to debug the code except with very basic echo statements.
Solutions
The requirement is to develop the framework in PHP to achieve the following goals:
Every application that ties into OWASP VulnerableApp-Facade/VulnerableApp has a scanner endpoint that exposes information about the vulnerable application, which will be used by DAST tools like OWASP ZAP.
We have already exposed this information in OWASP VulnerableApp: https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/controller/VulnerableAppRestController.java#L91
We would like to expose similar information. If you want to see how it works, start the OWASP VulnerableApp-facade application using https://github.com/SasanLabs/VulnerableApp-facade#simple-start and then visit the http://localhost/VulnerableApp/scanner endpoint; you will see the JSON exposed. We need a similar JSON structure from VulnerableApp-php as well.
Is your feature request related to a problem? Please describe.
Currently, there is no level in Unrestricted File Upload that doesn't have a check on the size of the file uploaded.
Describe the solution you'd like
Add a new level in the File Upload vulnerability with no size restriction, such that it can cause a DDoS in vulnerableapp-php.
The project doesn't have logger integration.