Skip to content

Omegapoint/facepalm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

76 Commits

docs

docs

 
 

gradle/wrapper

gradle/wrapper

 
 

src

src

 
 

workshops

workshops

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

facepalm-0.0.1-SNAPSHOT.jar

facepalm-0.0.1-SNAPSHOT.jar

 
 

facepalm.png

facepalm.png

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

run_application.sh

run_application.sh

 
 

Repository files navigation

Facepalm Build Status

Most 'insecure' test web applications today does not feel like a real application, whether it's DVWA (PHP) or WebGoat etc. Facepalm is intended to be just that, a real application which happens to have severe security vulnerability. The application is a fused clone of Instagram, Facebook and 9gag

The application is written in Java 8 together with Spring Boot. As the source code is fully available, the application is suitable for workshops where one learns to detect and solve security issues.

Please note that the security vulnerabilities are intended and should not be fixed by future contributers.

Workshops

As this application is intended for workshops, some existing workshops can be found in the workshop directory.

Current workshops are:

  • SQL Injection
    1. Login POST injection (blind attack)
    2. GET parameter injection. Display data graphically
    3. Automatic tool: SQLMap
  • Cross-site scripting attacks (XSS)
    1. Reflected (non-persistent) XSS (server-side template)
    2. Stored (persistent) XSS (server-side template)
  • Command Execution
    1. Display content of random file on filesystem
    2. Execute arbitrary command on server
  • Session theft
    1. Steal insecure cookie and overtake login

I just want to test it!

There is a jar available at the root of the repository (which can be downloaded directly from Github page). The jar might be out of date since it will most likely not be refreshed on each commit. Just at on risk, best is always to build yourself!

Technologies

Some of the technologies used

  • Java 8
  • Spring Boot (and the rest of the Spring family)
  • Thymeleaf (for template rendering)
  • Gradle (for dependency management)
  • Hibernate/JPA (for ORM/database)
  • HSQLDB (for in-memory database). "Allows" SQLMap attack (which H2 does not)

Setup for developers

Editor (IntelliJ)

  1. Clone the repository
  2. Open cloned folder inside editor
  3. Open "Application.java", run main method
  4. Open a browser and go to http://localhost:8080

Standalone (no editor, using start script)

  1. Clone the repository
  2. Start application with
./run_application.sh
  1. Open a browser and go to http://localhost:8080

Standalone (no editor)

  1. Clone the repository
  2. Build using gradle
./gradlew build
  1. Copy build/libs/facepalm-x.x.x-SNAPSHOT.jar to some directory
  2. Copy 'docs'-folder to same directory
  3. Start application with
java -jar facepalm-x.x.x-SNAPSHOT.jar
  1. Open a browser and go to http://localhost:8080

Links

Copyrights

About

Insecure application for workshops

Resources

Readme

License

Apache-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

32 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages