Vulnerable Code Snippets

Vulnerabilities | Programming languages | Run a vulnerable code snippet | Installation | Update

YesWeHack present code snippets containing several different vulnerabilities to practice your code analysis in a safe dockerized envoriment. The vulnerable code snippets are suitable for all skill levels.

~ New vulnerable code snippet at Twitter @yeswehack every Friday! 🗒

If you want to see something special or if you just have an idea about a vulnerable code snippet, feel free to create a "New Issue" where you explain your idea, no idea is stupid.

---

⚠️ Be aware

Be sure to run this in a secure environment, as the code is vulnerable and is intended to be used for learning code analysis! By default, all vulnerable code snippets contain a docker setup that isolates the code from your host system and make it safe to run (read more in the section : "Run a vulnerable code snippet").

Twitter (X) posts

A Collection of all vulnerable code snippets posted on our Twitter 📂

ID	Vulnerability	Description
📜#1	SQLi & XSS	Backslash filter collide
📜#2	Improper file access & XSS	Invalid char and regex verificaion
📜#3	Log Forging injection, Path traversal & Code injection	Poor filter and improper include() handling
📜#4	XSS	Invalid user input filter
📜#5	SSRF & Broken authorization	Trusted user input and client IP from header
📜#6	SSTI	Mixed input format
📜#7	SQLi	Use of invalid variable within statement
📜#8	CSRF	No CSRF token included
📜#9	Open Redirect	Invalid regex handler
📜#10	DOM XSS	Backend filter collide with client side JavaScript
📜#11	CORS	Misconfigured Access-Control-Allow header
📜#12	CSRF/ClickJacking	GET request CSRF with insecure delete process / ClickJacking - X-Frame-Options set in HTML meta tag
📜#13	Path Traversal/Unrestricted File Upload	Poor Path Traversal and file upload protection results in a code injection
📜#14	DOS	Incorrect operator handler in "for loop"
📜#15	Weak Password Recovery Mechanism for Forgotten Password	Weak hash for password recovery
📜#16	IDOR	insecure if statement leads to improper access control
📜#17	Insecure deserialization	Execute trusted user input inside pickle function loads()
📜#18	Path Traversal	Improper user validation of filename
📜#19	Open Redirect	Invalid handling of user-controlled input "location.hash"
📜#20	SQL injection	Invalid use of function replace(), The char is only replaced once
📜#21	PostMessage DOM XSS	No origin validation, leading to PostMessage DOM XSS
📜#22	XSS/OpenRedirect	The filter protection does not filter all special characters that can be used to exploit the vulnerabilities
📜#23	Buffer overflow	Take user's STDIN input with the gets() function without checking the buffer size
📜#24	SQL injection	Incorrect use of the PHP function addslashes()
📜#25	XSS - CSP bypass	No validation of user input along with insecure handling of nonce
📜#26	Path Traversal	The filter provided by the PHP function "preg_replace()" is limited to filtering only the first 10 characters
📜#27	Web Cache Poisoning	The HTTP header Referer is reflected in the cached response body without being filtered
📜#28	Business logic vulnerability	An attacker can withdraw negative amounts to increase the overall balance of their account
📜#29	IDOR	An attacker can gain access to sensitive data from other users by performing a Forced browsing attack
📜#30	Insecure deserialization	Use of a dangerous function (exec) that can be controlled by the user, resulting in an RCE
📜#31	LFI	No proper character escaping or filter verification. The include() function executes all PHP code in the given file, no matter the file extension, resulting in code injection
📜#32	Format injection!	Format a string containing values provided by the client, resulting in a format injection
📜#33	SQL injection (second order)	All SQL queries use prepared statements except the last one. This statement extracts a value from the database that was once controlled by the user and adds it to the SQL query, leading to an SQL injection (second order)
📜#34	Regular expression Denial of Service (ReDoS)	Poorly configured regex pattern used to filter user-controlled input
📜#35	XSS	Trusted user input in GET parameter
📜#36	Unrestricted File Upload	Insufficient validation of the file extension of the uploaded file and missed validation of the file content
📜#37	SSRF	Insecure handling of the proxy header X-Forwarded-Host and cURL leading to a full SSRF
📜#38	Code injection	The user can write customised content to a selected file which is then launched on the vulnerable system
📜#39	LFI	Exploitation of an LFI make it possible to run the tool pearcmd resulting in a remote code execution
📜#40	Unrestricted File Upload	The php3 extension can be used to execute php code due to the configuration in the Apache proxy.
📜#41	Command injection	Invalid usage of escapeshellcmd lead to a command injection vulnerability
📜#42	Command injection	No validation of user input is performed, leading to a command injection vulnerability
📜#43	SSTI	Improper usage of templte engine leading to a SSTI which result in an RCE

Vulnerabilities

• Broken access control - CWE-284
• Code injection - CWE-94
• Cross Site Request Forgery (CSRF) - CWE-352
• SQL injection (SQLi) - CWE-89
• Cross Site Scripting (XSS) - CWE-79
• Open Redirect - CWE-601
• Server-side template injection (SSTI) - CWE-1336
• Server Side Request Forgery (SSRF) - CWE-918
• Cross Origin Resource Sharing (CORS) - CWE-942
• Clickjacking - CWE-1021
• Unrestricted File Upload - CWE-434
• Path Traversal - CWE-35
• Denial Of Service - CWE-400
• Weak Password Recovery Mechanism for Forgotten Password - CWE-640
• Insecure Direct Object Reference (IDOR) - CWE-639
• Deserialization Of Untrusted Data - CWE-502
• Local File Inclusion - CWE-98
• Buffer Overflow - CWE-120
• Acceptance of Extraneous Untrusted Data With Trusted Data ("Cache Poisoning") - CWE-349
• Business Logic Errors - CWE-840
• Format injection - CWE-134
• Command injection - CWE-77

Programming languages

• PHP
• Python
• Golang
• Java
• JavaScript
• C

Also included

• SQL (MySQL)
• HTML
• CSS

---

Run a vulnerable code snippet

In each vulnerable code snippet (Vsnippet) folder there is a docker-compose.yml file. To start a Vsnippet in an isolated docker environment simply run the following command:

docker compose up --build

or

docker-compose up --build

Installation

git clone https://github.com/yeswehack/vulnerable-code-snippets.git

Update

To get the latest vulnerable code snippets, run:

git pull

~ H4v3 y0u f0und th3 E4st3r 3gg y3t? 🐇🪺

For questions, help or if you have discovered a problem with the code. Contact us on Twitter: @yeswehack 📬