VulnerableApp-1.13

What's Changed

• Typo: added missing m in consumption by @kjosh in #466
• Add JWT unit tests by @kjosh in #467
• Add unit tests for Blind SQL Injection Vulnerability levels 1, 2, and 3 by @imertetsu in #474
• Blind sql injection vulnerabilities secure implementations by @imertetsu in #477
• feat: implement header param injection handling for JWT vulnerabilities by @leiberbertel in #473
• feat(i18n): add Bengali and Marathi translation by @amritamishra01 in #484
• fix: remove deprecated Docker compose version and pin facade image to 1.2.1 by @Aryan-Pillai7 in #489
• Increase coverage of 'XXEVulnerability' class to 100% by @demoralizerr in #492
• Add Gujarati langugae Translation i18N file! by @demoralizerr in #490
• Increased Junit coverage for 'PreflightController' & 'UnrestrictedFileUpload' class by @demoralizerr in #493
• Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, and Cryptographic failures vulnerability by @colloceo in #491
• build: upgrade to java 17 and update CI workflows by @antriksh-9 in #496
• Fix: Refactor JWT Level 13 to use cookie-based flow and vulnerable JWK verification by @subhamkumarr in #499
• Fix: Use consistent latest Docker tag across services by @incursio-xd in #505

New Contributors

• @kjosh made their first contribution in #466
• @imertetsu made their first contribution in #474
• @leiberbertel made their first contribution in #473
• @amritamishra01 made their first contribution in #484
• @Aryan-Pillai7 made their first contribution in #489
• @demoralizerr made their first contribution in #492
• @colloceo made their first contribution in #491
• @antriksh-9 made their first contribution in #496
• @subhamkumarr made their first contribution in #499
• @incursio-xd made their first contribution in #505

Full Changelog: 1.12.0...1.12.27

VulnerableApp-1.12.0

✨ Newer Feature

• New unrestricted file upload size vulnerability (#351) by @tkomlodi in #454
• #406 Addition of secured implementations for Union SQL Injection by @x7Git in #452
• Building localisation support framework by @preetkaran20 in #419

🚀 Integrations

• CodeCov intergration with VulnerableApp
• Upgrade gradle to 7.5.1 version by @SampathKumarAmex in #385
• Adding reddit troubleshooting link for application by @preetkaran20 in #463
• Italian Locale support by @TheZal in #415
• Hindi Locale support by @garvit2435 in #439
• Chinese locale support by @yuhwaa in #430
• Swedish translation support by @antonsixtenson in #424
• Spanish translation support by @dafarias in #423

🧪 Addition of Tests

• Add test for PathTraversal class by @richard66033 in #456
• Add test for PathTraversal class by @richard66033 in #456
• Tests for Persistent XSS in HTML by @SeheX in #455
• Tests for ErrorBasedSQLInjection Vulnerability @13Anthony in #451
• Tests for union based sql injection by @000panther in #444
• Add SSRF Vulnerability tests by @rai-sandeep in #429

🐞 Fixes

• Fixed jibDockerBuild command for local testing based on Multi-Platform build in #462
• Fixed file upload directory creation when system root directory is not writable by application. #449 by @tkomlodi in #453
• Mocked network calls made in SSRFVulnerabilityTest fixing local build errors by @tkomlodi in #447

New Contributors

• @TheZal made their first contribution in #415
• @dafarias made their first contribution in #423
• @antonsixtenson made their first contribution in #424
• @yuhwaa made their first contribution in #430
• @rai-sandeep made their first contribution in #429
• @garvit2435 made their first contribution in #439
• @000panther made their first contribution in #444
• @tkomlodi made their first contribution in #447
• @13Anthony made their first contribution in #451
• @SeheX made their first contribution in #455
• @richard66033 made their first contribution in #456
• @x7Git made their first contribution in #452

Thanks a lot for all the amazing contributions.

Full Changelog: 1.11.0...1.12.0

VulnerableApp-1.11.0

✨ Newer Feature

• Addition of SSRF vulnerability to VulnerableApp
• Addition of Newer JWT Vulnerability level to include special Authorisation header Injection

🚀 Integrations

• Sonar Integration to VulnerableApp
• Semantic Version integration to VulnerableApp

🔥 Removed code or files

• Removed Non Vulnerable Level in Persistent XSS
• Removal of redundant VulnerabilityType and VulnerabilitySubTypes
• Removal of all the deprecated fields in VulnerableAppRequestMapping annotation and ScannerResponseBean

🧪 Addition of Tests

• Adding unit test for controller exception handler
• Addition of unit test and small fixes in XSSInImgTagAttribute
• Addition of unit test and various other fixes in OpenRedirect Vulnerability

📝 Documentation update

• Updating Hint messages for SQLInjection
• Grammar update in Project usage document
• Grammer update in Readme

🐞 Fixes

• PathTraversalVulnerability issues with Spring-boot standalone builds
• SQL Injection DB connect issue
• Addition of Secure Variant in XXE
• Marking last level as Secure in CommandInjection
• OpenRedirect vulnerability bug in Spring-boot standalone build
• Updates in PersistentXSSInHTMLTagVulnerability
• Code smell fixes(#372 and #373)

Special thanks to contributors

• @priyanka010392
• @1411dolly0
• @Monoradioactivo
• @KelvinTran6
• @SampathKumarAmex
• @jpralle
• @ehizman
• @shammer0
• @hks1
• @Emelie4
• @merry-degaga
• @NMV01
• @gled02

Special thanks for finding crucial issues

• @massot-c
• @GitHubNull
• @collapsinghierarchy

Full Changelog: 1.10.0...1.11.0

VulnerableApp-1.10.0

This release includes:

1. Onboarding to new User Interface for Owasp VulnerableApp-Facade
2. Addition of Content-Disposition based File Upload attack
3. Introduction to 'Secure' and 'Unsecure' marker for vulnerability levels
4. Introduction to a better descriptive payload for SQL Injections
5. Removed sample values from Annotation
6. Addition of expected_issues.csv file which contains the vulnerabilities presents in VulnerableApp and is used by SAST tools to evaluate themselves.

Special thanks to contributors:

1. @nowakkamil
2. @marcin-wrotecki
3. @o0o-v4mp1r3-o0o
4. @agigleux
5. @preetkaran20

For Docker-based installation please use the following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running the following command:

docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Hacktoberfest contributions plus Open Redirect Vulnerability

This release includes:

1. Added Open Redirect Vulnerability Http Status Code 3XX based
2. Special thanks to Hacktoberfest and all the awesome contributions made by contributors, highlights:
   2.1 @devabhishekpal , Designed an amazing Logo for the project
   2.2 @hexxdump , First ever article on the project
   2.3 @pavluchenko , Removing Maven and its related dependencies
   2.4 @fengyuanyang , Introduced unit-tests to the project
   2.5 @Nimanita @hritikgupta for improving error pages and documentation

Very glad to inform that we have reached a milestone of 75 Vulnerabilities with this release.

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command:

docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Major release with Framework Revamp and 2 New vulnerability addition

This release comprise of addition of 2 new Vulnerabilities:

1. File Upload Vulnerability
2. XXE
   Also we have revamped the entire backend framework with more generic and easy to use approach so that new vulnerabilities addition is quite easy.
   Along with these, in this release we have reduced the Docker Size by 20-25 MB (using jib suggested by @hemantgs ).
   We have also updated the documentation and a new website is added.

This is a major release with 141 commits, with 2,853 additions and 1,709 deletions.
Thanks to all the contributors:

1. @preetkaran20
2. @hemantgs
3. @hritikgupta

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command:

docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Adding Persistent XSS vulnerability

This release comprise of addition of Persistent XSS Vulnerability.

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command: docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Adding Path Traversal and Command Injection Vulnerabilities

Addition of 2 new vulnerabilities along with there UI.

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command: docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Vulnerability Scanning Tools Integration

This release comprise of:

1. Addition of sitemap.xml endpoint
2. Addition of scanner and scanner/metadata endpoint for Vulnerability Scanning Tools Integration.
3. Small UI fixes.

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command: docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Release 1.0.4

This release comprise of:

1. SQL Injection vulnerability
2. Few Fixes and Addition of Vulnerabilities
3. UI design modifications and Button animation
4. Spotless integration for code format

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command: docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest