This application contains intentionally vulnerable code for educational purposes only!
This is an interactive educational project that demonstrates common security vulnerabilities in .NET applications. Each vulnerability is reproduced in a real working .NET environment where you can debug, explore, and understand what NOT to do, along with recommended secure practices.
- Learn by Example: See real vulnerable code in action
- Debug and Explore: Step through vulnerable code paths
- Learn Best Practices: Each example includes secure alternatives
- CWE (Common Weakness Enumeration) References: Every vulnerability links to the official CWE documentation for further reading
Note: This repository complements the following YouTube video: I Built the Most Insecure .NET App
- SQL Injection (CWE-89) - Executing arbitrary SQL commands through string concatenation in queries
- Command Injection (CWE-78) - Executing system commands via Process.Start with user input
- Code Injection (CSharpScript) (CWE-94) - Executing arbitrary C# code through dynamic script evaluation
- Template Injection (CWE-1336) - Injecting code into template engines (Razor, etc.)
- LDAP Injection (CWE-90) - Manipulating LDAP queries through unsafe search filters
- XPath Injection (CWE-643) - Manipulating XPath queries to XML documents
- XML Injection (CWE-91) - Injecting malicious XML content
- CRLF Injection (CWE-93) - Injecting carriage return and line feed characters
- Expression Language Injection (Dynamic LINQ) (CWE-917) - Injecting code into dynamic LINQ expressions
- JSON Injection (CWE-91) - Manipulating JSON serialization/deserialization
- Log Injection (Log Forging) (CWE-117) - Injecting malicious data into logs through improper sanitization
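The SQL Injection entry above describes string concatenation in queries. The following is an added example, not code from this repository, that puts the concatenated query next to its parameterized replacement so the difference can be observed on an in-memory SQLite database. It assumes the Microsoft.Data.Sqlite NuGet package; the table, the rows and the input string are constructed here for the demonstration.

```csharp
// Added example (not part of the repository): string-concatenated SQL versus a
// parameterized query, run against an in-memory SQLite database.
// Assumes the Microsoft.Data.Sqlite package is referenced.
using System;
using Microsoft.Data.Sqlite;

public static class SqlInjectionDemo
{
    // VULNERABLE: the user-supplied value is spliced into the SQL text, so the
    // database parses whatever it contains as SQL.
    public static int CountUsersUnsafe(SqliteConnection conn, string username)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = '" + username + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // SAFE: the value travels as a bound parameter and is never parsed as SQL,
    // whatever characters it contains.
    public static int CountUsersSafe(SqliteConnection conn, string username)
    {
        using var cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE Name = $name";
        cmd.Parameters.AddWithValue("$name", username);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    public static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constructed sample data.
            setup.CommandText =
                "CREATE TABLE Users (Name TEXT); INSERT INTO Users VALUES ('alice'), ('bob');";
            setup.ExecuteNonQuery();
        }

        // Constructed input: the textbook tautology that makes the WHERE clause always true.
        string input = "x' OR '1'='1";

        Console.WriteLine(CountUsersUnsafe(conn, input)); // 2: the filter was bypassed
        Console.WriteLine(CountUsersSafe(conn, input));   // 0: no user is literally named that
    }
}
```

The same `$name` placeholder syntax applies to every value that comes from the request; the fix is to never build the statement text from user input, not to escape quotes by hand.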
- Stored XSS (CWE-79) - Storing and displaying HTML content from the database without sanitization
- Reflected XSS (CWE-79) - Displaying URL parameters without escaping in HTML
- XSS with JS Interop (CWE-79) - Client-side JavaScript manipulation with user input
- XSS via Attributes (CWE-79) - Injecting malicious code into HTML attributes
- XSS via SVG (CWE-79) - Embedding JavaScript in SVG files
- XSS via File Upload (CWE-79) - Uploading HTML files with malicious scripts
- XSS via CSS (CWE-79) - Using CSS expressions for code execution
- Hardcoded Credentials (CWE-798) - Usernames and passwords hardcoded in source code
- Missing Authorization Check (CWE-862) - API endpoints accessible without authorization checks
- Broken JWT Implementation (CWE-347) - JWT without signature validation
- Privilege Escalation (CWE-269) - Modifying the user role through a form field
- Insecure Direct Object Reference (IDOR) (CWE-639) - Accessing other users' data by modifying ID parameters
- Password Reset Poisoning (CWE-640) - Host header injection in password reset
- Weak Password Requirements (CWE-521) - Allowing weak passwords
- Weak Hashing (MD5/SHA1) (CWE-327) - Using cryptographically weak hashing algorithms
- ECB Mode Encryption (CWE-327) - Using Electronic Codebook mode
- Insufficient Key Length (CWE-326) - Using short encryption keys (DES, 3DES)
- No Salt in Password Hashing (CWE-759) - Hashing passwords without a unique salt
- Predictable Random Numbers (CWE-338) - Using Random instead of a cryptographically secure generator
- Improper Certificate Validation (CWE-295) - Disabling SSL certificate validation
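The Weak Hashing, No Salt and Predictable Random Numbers entries above share one fix. The following is an added example, not code from this repository, showing the unsalted MD5 pattern beside salted PBKDF2 with a salt drawn from the cryptographic generator and a constant-time comparison. It assumes .NET 6 or later (for the static `Rfc2898DeriveBytes.Pbkdf2` and `RandomNumberGenerator.GetBytes` methods); the sample passwords are constructed.

```csharp
// Added example (not part of the repository): unsalted MD5 versus salted PBKDF2.
// Assumes .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashingDemo
{
    // VULNERABLE: fast, unsalted digest. Equal passwords give equal hashes, so
    // precomputed tables apply and duplicate passwords are visible in the table.
    public static string HashWeak(string password)
    {
        byte[] digest = MD5.HashData(Encoding.UTF8.GetBytes(password));
        return Convert.ToHexString(digest);
    }

    // SAFE: a per-user random salt from the CSPRNG plus a deliberately slow KDF.
    // Stored format (chosen for this example): iterations.saltBase64.hashBase64
    public static string HashSafe(string password, int iterations = 600_000)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, 32);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool VerifySafe(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison so timing does not reveal how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample: two users who picked the same password.
        Console.WriteLine(HashWeak("hunter2") == HashWeak("hunter2")); // True: identical, no salt
        string a = HashSafe("hunter2");
        string b = HashSafe("hunter2");
        Console.WriteLine(a == b);                   // False: different salts
        Console.WriteLine(VerifySafe("hunter2", a)); // True
        Console.WriteLine(VerifySafe("hunter3", a)); // False
    }
}
```

Storing the iteration count beside the hash lets the cost be raised later without invalidating existing records: verify with the stored count, then re-hash on successful login if it is below the current setting.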
- API Keys Exposure (CWE-798) - Exposing API keys in client-side code
- Sensitive Data in Logs (CWE-532) - Logging passwords, credit cards, tokens
- Verbose Error Messages (CWE-209) - Exposing stack traces and internal details
- Directory Listing (CWE-548) - Exposing directory contents
- Sensitive Data in URLs (CWE-598) - Passing tokens/passwords in query strings
- XXE (XML External Entity) (CWE-611) - Processing untrusted XML with external entities
- Insecure Deserialization (BinaryFormatter) (CWE-502) - Using BinaryFormatter with untrusted data
- JSON Deserialization Attacks (CWE-502) - Type name handling in JSON.NET
- Insecure YAML Deserialization (CWE-502) - YAML deserialization vulnerabilities
- XML Bomb (Billion Laughs) (CWE-776) - Exponential entity expansion attack
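The XXE and XML Bomb entries above are both governed by how the XML reader is configured. The following is an added example, not code from this repository, contrasting an `XmlReaderSettings` that parses DTDs and resolves external references with one that prohibits DTDs, sets no resolver and caps entity expansion. It uses only the .NET base class library; the sample document with an internal entity is constructed for the demonstration.

```csharp
// Added example (not part of the repository): permissive versus hardened
// XmlReaderSettings. Uses only System.Xml from the BCL.
using System;
using System.IO;
using System.Xml;

public static class XmlParsingDemo
{
    // Constructed sample: a document that declares an entity, the shape shared by
    // external-entity documents and entity-expansion documents.
    private const string SampleWithDtd =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY greeting \"hello\"> ]>\n" +
        "<data>&greeting;</data>";

    // VULNERABLE: DTDs are processed, the URL resolver will fetch external
    // entities, and expansion size is left at its default.
    public static string ParseUnsafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.DocumentElement?.InnerText ?? "";
    }

    // SAFE: refuse any DTD, never resolve external references, and bound how far
    // entity expansion may grow the input.
    public static string ParseSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersFromEntities = 1024
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.DocumentElement?.InnerText ?? "";
    }

    public static void Main()
    {
        Console.WriteLine(ParseUnsafe(SampleWithDtd)); // hello (entity expanded)
        try
        {
            ParseSafe(SampleWithDtd);
        }
        catch (XmlException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message); // DOCTYPE is prohibited
        }
    }
}
```

Loading through an `XmlReader` built from hardened settings is the point: constructing an `XmlDocument` and calling `Load` on a string or stream directly bypasses those settings, so untrusted XML should always pass through a reader configured this way.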
- Path Traversal (CWE-22) - Reading arbitrary files through path manipulation (../)
- Arbitrary File Write (CWE-73) - Writing to arbitrary file locations
- Zip Slip (CWE-22) - Archive extraction with path traversal
- Basic SSRF (CWE-918) - Fetching URLs provided by the user
- SSRF via File Upload (CWE-918) - Processing files with external references
- Mass Assignment (CWE-915) - Over-posting attack on model binding
- Negative Quantities (CWE-20) - Accepting negative numbers in business logic
- Integer Overflow (CWE-190) - Arithmetic operations causing overflow
- Missing Rate Limiting (CWE-799) - APIs without throttling
- CORS Misconfiguration (CWE-942) - Overly permissive CORS policy
- CSRF (Cross-Site Request Forgery) (CWE-352) - Executing unauthorized actions on behalf of authenticated users
- Excessive Data Exposure (CWE-213) - Returning more data than needed
- Browse the Categories: Start from the home page and explore vulnerabilities by category
- Read the Description: Each page explains the vulnerability and its impact
- Try the Attack: Use the provided attack payloads to see the vulnerability in action
- Debug the Code: Set breakpoints and step through the vulnerable code
- Study the Fix: Review the secure implementation recommendations
- Check CWE Links: Follow the CWE links for comprehensive security knowledge
This is an educational project. If you'd like to add more examples or enhance them, contributions are welcome!
Remember: The only way to truly understand security vulnerabilities is to see them in action. This project provides a safe, controlled environment to do exactly that. Happy learning!
