This project is an ASP.NET Core 6 MVC application designed to demonstrate common web application vulnerabilities. It serves as a training ground for developers and security professionals to understand how these vulnerabilities work and how to identify them.

• Login Bypass: Authentication logic uses string concatenation, allowing attackers to bypass login without a valid password.
• Data Extraction: Search functionality allows UNION-based attacks to extract data from other tables.

• Reflected XSS: Search query input is reflected back to the user without encoding.
• Stored XSS: Comments section saves unsanitized input to the database, which is then rendered to all users.

• Command Injection: A ping utility that concatenates user input into a shell command.
• Insecure Deserialization: Uses the deprecated and dangerous BinaryFormatter to deserialize uploaded files.

• Vulnerable Dependencies: The project intentionally references outdated NuGet packages with known CVEs (e.g., Newtonsoft.Json 12.0.1).

• .NET 6.0 SDK

1. Navigate to the project directory:

   cd VulnerableApp

2. Build the project:

   dotnet build

3. Run the application:

   dotnet run

4. Open your browser and navigate to http://localhost:5000 (or the port shown in the console).

Each vulnerability page includes:

• A description of the vulnerability.
• The vulnerable code snippet.
• An interactive form to exploit the vulnerability.

The authors of this project are not responsible for any misuse of this application. It is provided "as is" for educational purposes only.