Govulnapi

Govulnapi is a deliberately vulnerable API written in Go showcasing common security flaws that are made while developing an application backend. Govulnapi aims be be concise in respect to vulnerabilities it implements as to lower the entry barrier for junior security researchers (e.g. "Use of Weak Hash" weakness can be found in the codebase by searching for a comment containing its corresponding id CWE-328).

Setup

With docker

1. git clone --depth 1 https://github.com/govulnapi/govulnapi.git
2. cd govulnapi
3. make build
4. make run

Servers

• Web client: http://localhost:8080/
• API documentation: http://localhost:8081/
• Virtual Coingecko: http://localhost:8082/

Implemented vulnerabilities

OWASP Top 10 2023 - draft (TBD)

OWASP Top 10 2021

• A01 - Broken Access Control

  • CWE-276: Incorrect Default Permissions
  • CWE-639: Authorization Bypass Through User-Controlled Key
  • CWE-942: Permissive Cross-domain Policy with Untrusted Domains

• A02 - Cryptographic Failures

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-328: Use of Weak Hash
  • CWE-340: Generation of Predictable Numbers or Identifiers
  • CWE-523: Unprotected Transport of Credentials
  • CWE-759: Use of a One-Way Hash without a Salt
  • CWE-916: Use of Password Hash With Insufficient Computational Effort

• A03 - Injection

  • CWE-20: Improper Input Validation
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

• A04 - Insecure Design

  • CWE-256: Plaintext Storage of a Password
  • CWE-472: External Control of Assumed-Immutable Web Parameter
  • CWE-598: Use of GET Request Method With Sensitive Query Strings

• A05 - Security Misconfiguration

  • CWE-547: Use of Hard-coded, Security-relevant Constants
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

• A06 - Vulnerable and Outdated Components

  • CWE-1104: Use of Unmaintained Third Party Components

• A07 - Identification and Authentication Failures

  • CWE-262: Not Using Password Aging
  • CWE-521: Weak Password Requirements
  • CWE-549: Missing Password Field Masking
  • CWE-620: Unverified Password Change

• A08 - Software and Data Integrity Failures

  • CWE-613: Insufficient Session Expiration
  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

• A09 - Security Logging and Monitoring Failures

  • CWE-223: Omission of Security-relevant Information
  • CWE-532: Insertion of Sensitive Information into Log File
  • CWE-778: Insufficient Logging

• A10 - Server-Side Request Forgery

  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')