Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Releases: SasanLabs/VulnerableApp

VulnerableApp-2.1.0

Choose a tag to compare

@preetkaran20 preetkaran20 released this 03 Jul 01:20
668ab14

🎉 VulnerableApp 2.1.0

A major release packed with new vulnerability modules, infrastructure hardening, and strong community growth — 18 new contributors joined this cycle!

🛡️ New Vulnerability Modules

  1. Authentication Vulnerability Module — full implementation, including a new "Low Iteration Password Hashing" challenge level (@ayash911, @aryankshl)
  2. Cache Poisoning — brand new vulnerability class added (@luks-santos)
  3. IDOR Module — enhanced with secure token handling (@Etoile-Bleu)
  4. Cryptographic Failures — module enhancements (@aashpis)
  5. Open Redirect — phishing-aware levels added (Levels 9, 10, 11) (@StevenTaing2, @Jhalak19-Sethi, @polcm005), plus payload/message-key improvements (@An16og)
  6. Clickjacking — Challenge mode support added (@Clark1945)
  7. Authentication — Challenge mode added (@luks-santos)

🧩 New Framework: Challenge Cards

A new @ChallengeCard annotation system was introduced for structured, gamified vulnerability challenges (@aryankshl) — now rolled out across multiple modules.

🏗️ Infrastructure & Tooling

  1. Docker-based dashboard added (@harveenkaur2912)
  2. Scanner benchmark framework for DAST/SAST coverage (@MukulGhare)
  3. llmforge build migrated to a Docker Hub image for easier setup (@aruzaphoenix)
  4. @Profile("public"/"unsafe") safeguards added across vulnerability controllers to separate safe/unsafe deployment modes (@prajp98)
  5. Extra scanner path configuration support (@nguyenvulong)
  6. @antriksh-9 — Enhanced the first-time contributor workflow
  7. @MixhizoR — Added secure variants to Http3xxStatusCodeBasedInjection annotations

📚 Documentation & Community

  1. New organizational usage documentation added (@CharanTeja-6825)
  2. University of Adelaide added to the usage showcase (@aruzaphoenix)
  3. Design documentation grammar and formatting cleanup (@muhammadrehanazam)
  4. Facade schema population work (@saurabhkushwaha438)

📊 By the Numbers

~66 merged PRs
21 contributors
Continued momentum on infra hardening, new challenge types, and onboarding polish

Full changelog: 2.0.1...2.1.0

VulnerableApp-2.0.1

Choose a tag to compare

@github-actions github-actions released this 29 Mar 01:11
0b05858

This release introduces major enhancements to VulnerableApp, including the addition of LLM-focused security labs, new vulnerabilities, and improvements across the platform.

🔥 Highlights

🤖 Introducing LLMForge (NEW)

We are excited to launch LLMForge, a new application within VulnerableApp focused on LLM (Large Language Model) security vulnerabilities.

LLMForge enables learners and security researchers to:

Explore real-world LLM attack vectors
Understand emerging risks like prompt injection, data leakage, and unsafe tool usage
Practice exploiting and mitigating vulnerabilities in AI-powered applications

LLMForge is accessible via the Docker setup. Simply run:
docker-compose up -d
and access VulnerableApp along with LLMForge at:
http://localhost

This marks a significant step in expanding VulnerableApp beyond traditional web security into AI security education.

🛡️ New Vulnerabilities Added

🔓 IDOR (Insecure Direct Object Reference)

Added a complete IDOR vulnerability lab
Includes multiple levels for progressive learning
Refactored for better clarity and extensibility

🪟 Clickjacking

Introduced a new Clickjacking vulnerability scenario
Includes both vulnerable and fixed implementations for comparison

🧬 LDAP Injection

New LDAP Injection vulnerability added
Improved level design and feedback based on testing iterations

🧰 Improvements & Fixes

✅ Fixed Clickjacking vulnerability implementation in modern UI
✅ Added ping utility to Docker base image (fixes Command Injection lab issues)
✅ Improved documentation for modern UI testing workflows
✅ Updated internationalized README files to align with the English version
✅ General code refactoring and stability improvements across vulnerability modules

👥 New Contributors

We’re thrilled to welcome new contributors to the project 🎉
@Roshan1299 – Clickjacking vulnerability
@monssefbaakka – i18n documentation updates
@PrakarshSrivastav – Testing scripts & documentation
@zeel2104 – Docker fixes for command injection

Special Mention

Special thanks to @antriksh-9 and @Roshan1299 for their outstanding contributions to this release.
@antriksh-9 delivered high-impact work by building core vulnerability labs including IDOR and LDAP Injection, significantly strengthening the platform’s security coverage.
@Roshan1299 contributed the Clickjacking vulnerability, adding important client-side attack scenarios to the application.

📦 Full Changelog
👉 1.13...2.0.1

🚀 VulnerableApp Release v2.0.0

Choose a tag to compare

@preetkaran20 preetkaran20 released this 28 Mar 20:00
a30bae4

This release introduces major enhancements to VulnerableApp, including the addition of LLM-focused security labs, new vulnerabilities, and improvements across the platform.

🔥 Highlights

🤖 Introducing LLMForge (NEW)

We are excited to launch LLMForge, a new application within VulnerableApp focused on LLM (Large Language Model) security vulnerabilities.

LLMForge enables learners and security researchers to:

Explore real-world LLM attack vectors
Understand emerging risks like prompt injection, data leakage, and unsafe tool usage
Practice exploiting and mitigating vulnerabilities in AI-powered applications

LLMForge is accessible via the Docker setup. Simply run:
docker-compose up -d
and access VulnerableApp along with LLMForge at:
http://localhost

This marks a significant step in expanding VulnerableApp beyond traditional web security into AI security education.

🛡️ New Vulnerabilities Added

🔓 IDOR (Insecure Direct Object Reference)

Added a complete IDOR vulnerability lab
Includes multiple levels for progressive learning
Refactored for better clarity and extensibility

🪟 Clickjacking

Introduced a new Clickjacking vulnerability scenario
Includes both vulnerable and fixed implementations for comparison

🧬 LDAP Injection

New LDAP Injection vulnerability added
Improved level design and feedback based on testing iterations

🧰 Improvements & Fixes

✅ Fixed Clickjacking vulnerability implementation in modern UI
✅ Added ping utility to Docker base image (fixes Command Injection lab issues)
✅ Improved documentation for modern UI testing workflows
✅ Updated internationalized README files to align with the English version
✅ General code refactoring and stability improvements across vulnerability modules

👥 New Contributors

We’re thrilled to welcome new contributors to the project 🎉
@Roshan1299 – Clickjacking vulnerability
@monssefbaakka – i18n documentation updates
@PrakarshSrivastav – Testing scripts & documentation
@zeel2104 – Docker fixes for command injection

Special Mention

Special thanks to @antriksh-9 and @Roshan1299 for their outstanding contributions to this release.
@antriksh-9 delivered high-impact work by building core vulnerability labs including IDOR and LDAP Injection, significantly strengthening the platform’s security coverage.
@Roshan1299 contributed the Clickjacking vulnerability, adding important client-side attack scenarios to the application.

📦 Full Changelog
👉 1.13...2.0.0

VulnerableApp-1.13

Choose a tag to compare

@preetkaran20 preetkaran20 released this 19 Feb 20:42
bb74dd6

What's Changed

  • Typo: added missing m in consumption by @kjosh in #466
  • Add JWT unit tests by @kjosh in #467
  • Add unit tests for Blind SQL Injection Vulnerability levels 1, 2, and 3 by @imertetsu in #474
  • Blind sql injection vulnerabilities secure implementations by @imertetsu in #477
  • feat: implement header param injection handling for JWT vulnerabilities by @leiberbertel in #473
  • feat(i18n): add Bengali and Marathi translation by @amritamishra01 in #484
  • fix: remove deprecated Docker compose version and pin facade image to 1.2.1 by @Aryan-Pillai7 in #489
  • Increase coverage of 'XXEVulnerability' class to 100% by @demoralizerr in #492
  • Add Gujarati langugae Translation i18N file! by @demoralizerr in #490
  • Increased Junit coverage for 'PreflightController' & 'UnrestrictedFileUpload' class by @demoralizerr in #493
  • Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, and Cryptographic failures vulnerability by @colloceo in #491
  • build: upgrade to java 17 and update CI workflows by @antriksh-9 in #496
  • Fix: Refactor JWT Level 13 to use cookie-based flow and vulnerable JWK verification by @subhamkumarr in #499
  • Fix: Use consistent latest Docker tag across services by @incursio-xd in #505

New Contributors

Full Changelog: 1.12.0...1.12.27

VulnerableApp-1.12.0

Choose a tag to compare

@preetkaran20 preetkaran20 released this 18 Dec 04:43
82d82d8

✨ Newer Feature

🚀 Integrations

🧪 Addition of Tests

🐞 Fixes

  • Fixed jibDockerBuild command for local testing based on Multi-Platform build in #462
  • Fixed file upload directory creation when system root directory is not writable by application. #449 by @tkomlodi in #453
  • Mocked network calls made in SSRFVulnerabilityTest fixing local build errors by @tkomlodi in #447

New Contributors

Thanks a lot for all the amazing contributions.

Full Changelog: 1.11.0...1.12.0

VulnerableApp-1.11.0

Choose a tag to compare

@github-actions github-actions released this 14 Aug 02:25
07c3842

VulnerableApp-1.10.0

Choose a tag to compare

@preetkaran20 preetkaran20 released this 03 Aug 16:22
4a53cbe

This release includes:

  1. Onboarding to new User Interface for Owasp VulnerableApp-Facade
  2. Addition of Content-Disposition based File Upload attack
  3. Introduction to 'Secure' and 'Unsecure' marker for vulnerability levels
  4. Introduction to a better descriptive payload for SQL Injections
  5. Removed sample values from Annotation
  6. Addition of expected_issues.csv file which contains the vulnerabilities presents in VulnerableApp and is used by SAST tools to evaluate themselves.

Special thanks to contributors:

  1. @nowakkamil
  2. @marcin-wrotecki
  3. @o0o-v4mp1r3-o0o
  4. @agigleux
  5. @preetkaran20

For Docker-based installation please use the following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running the following command:

docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Hacktoberfest contributions plus Open Redirect Vulnerability

Choose a tag to compare

@preetkaran20 preetkaran20 released this 16 Nov 16:23
f5334e8

This release includes:

  1. Added Open Redirect Vulnerability Http Status Code 3XX based
  2. Special thanks to Hacktoberfest and all the awesome contributions made by contributors, highlights:
    2.1 @devabhishekpal , Designed an amazing Logo for the project
    2.2 @hexxdump , First ever article on the project
    2.3 @pavluchenko , Removing Maven and its related dependencies
    2.4 @fengyuanyang , Introduced unit-tests to the project
    2.5 @Nimanita @hritikgupta for improving error pages and documentation

Very glad to inform that we have reached a milestone of 75 Vulnerabilities with this release.

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command:

docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Major release with Framework Revamp and 2 New vulnerability addition

Choose a tag to compare

@preetkaran20 preetkaran20 released this 02 Oct 11:56
cccfec7

This release comprise of addition of 2 new Vulnerabilities:

  1. File Upload Vulnerability
  2. XXE
    Also we have revamped the entire backend framework with more generic and easy to use approach so that new vulnerabilities addition is quite easy.
    Along with these, in this release we have reduced the Docker Size by 20-25 MB (using jib suggested by @hemantgs ).
    We have also updated the documentation and a new website is added.

This is a major release with 141 commits, with 2,853 additions and 1,709 deletions.
Thanks to all the contributors:

  1. @preetkaran20
  2. @hemantgs
  3. @hritikgupta

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command:

docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest

Adding Persistent XSS vulnerability

Choose a tag to compare

@preetkaran20 preetkaran20 released this 08 Aug 20:04
25e5514

This release comprise of addition of Persistent XSS Vulnerability.

For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp

Pull the image by running following command: docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest