Vuln-go

Intentionally vulnerable Go (Golang) application to test coverage of SAST tools.

All vulnerabilities are marked with // vulnerability in code.

Go web frameworks and libraries have been intentionally skipped. Custom helper functions are built on the http standard library, since some SAST tools might not support a web framework like gin.
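One way to use the // vulnerability markers to score a SAST tool, as an added example that is not code from this repository: collect the marked lines and list those with no finding on the marker line or within a small window below it. The file name handlers.go, the sample source, the finding, and the one-line window are constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Loc is a file name and a 1-based line number.
type Loc struct {
	File string
	Line int
}

// Constructed sample source, not taken from the repository.
const sample = `rows, _ := db.Query("SELECT name FROM users WHERE id = " + id) // vulnerability
// vulnerability
out, _ := exec.Command("sh", "-c", "ping -c 1 "+host).Output()`

// Markers returns every line of src that carries the "// vulnerability" comment.
func Markers(file, src string) []Loc {
	var locs []Loc
	for i, line := range strings.Split(src, "\n") {
		if strings.Contains(line, "// vulnerability") {
			locs = append(locs, Loc{file, i + 1})
		}
	}
	return locs
}

// Missed returns the markers with no finding on the marker line or up to slack
// lines below it (assumption: a marker may sit above the flagged statement).
func Missed(markers, findings []Loc, slack int) []Loc {
	var missed []Loc
next:
	for _, m := range markers {
		for _, f := range findings {
			if f.File == m.File && f.Line >= m.Line && f.Line <= m.Line+slack {
				continue next
			}
		}
		missed = append(missed, m)
	}
	return missed
}

func main() {
	findings := []Loc{{"handlers.go", 3}} // constructed SAST output, hypothetical file name
	fmt.Println("missed:", Missed(Markers("handlers.go", sample), findings, 1))
}
```

Each marker left in the missed list is a known vulnerability the tool under test did not report.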

Vulnerabilities

  • SQL Injection (SQLi)
  • Command Injection (RCE)
  • LFI
  • Hardcoded secret

Run

Ensure docker compose is installed.

Run the application with docker-compose up

Vulnerability Testing

Thunder Client is used to document HTTP requests for test cases as well as vulnerabilities. Folder thunder-tests in the repo contains these test cases. This makes it convenient to test various vulnerabilities.

Development

In development mode, Gow is used to watch for file changes and rebuild the app.

To run in dev mode:

docker-compose -f docker-compose-dev.yml up --build

Stop and delete volume for DB to recreate DB:

docker-compose down --remove-orphans --volumes --rmi local