Vulnerable code snippets repository showcasing different vulnerabilities to practice code analysis skills.
Website: https://acceis.github.io/avcs-website/
The code examples showcased here are not suited for production use. You should run them in a secure environment. The code is intentionally vulnerable and is intended for learning purposes only.
Open Redirect
- n°1 - open-redirect folder
Ref.
- OWASP Cheat Sheet - Unvalidated Redirects and Forwards Cheat Sheet
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Case Transformation Collision
- n°2 - case-transformation-collision folder
Ref.
Broken access control
- n°3 - access-control folder
Ref.
- CWE-284: Improper Access Control
- CWE-178: Improper Handling of Case Sensitivity
- CWE-1289: Improper Validation of Unsafe Equivalence in Input
SSRF
- n°4 - inconsistent-values folder
Ref.
- CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities
- CWE-436: Interpretation Conflict
- CWE-657: Violation of Secure Design Principles
- CWE-637: Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
- CWE-807: Reliance on Untrusted Inputs in a Security Decision
- CWE-182: Collapse of Data into Unsafe Value
- CWE-754: Improper Check for Unusual or Exceptional Conditions
- CWE-863: Incorrect Authorization
- CWE-285: Improper Authorization
SSRF
- n°5 - dns-rebinding folder
Ref.
Resource Injection
- n°6 - authentication-bypass folder
Ref.
- CWE-20: Improper Input Validation
- CWE-914: Improper Control of Dynamically-Identified Variables
- CWE-621: Variable Extraction Error
- PHP - extract
Local file disclosure
- n°7 - local-file-disclosure folder
Ref.
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- CWE-23: Relative Path Traversal
- CWE-73: External Control of File Name or Path
- CWE-183: Permissive List of Allowed Inputs
- CWE-625: Permissive Regular Expression
- CWE-706: Use of Incorrectly-Resolved Name or Reference