Releases: SasanLabs/VulnerableApp
Release list
VulnerableApp-2.1.0
🎉 VulnerableApp 2.1.0
A major release packed with new vulnerability modules, infrastructure hardening, and strong community growth — 18 new contributors joined this cycle!
🛡️ New Vulnerability Modules
- Authentication Vulnerability Module — full implementation, including a new "Low Iteration Password Hashing" challenge level (@ayash911, @aryankshl)
- Cache Poisoning — brand new vulnerability class added (@luks-santos)
- IDOR Module — enhanced with secure token handling (@Etoile-Bleu)
- Cryptographic Failures — module enhancements (@aashpis)
- Open Redirect — phishing-aware levels added (Levels 9, 10, 11) (@StevenTaing2, @Jhalak19-Sethi, @polcm005), plus payload/message-key improvements (@An16og)
- Clickjacking — Challenge mode support added (@Clark1945)
- Authentication — Challenge mode added (@luks-santos)
🧩 New Framework: Challenge Cards
A new @ChallengeCard annotation system was introduced for structured, gamified vulnerability challenges (@aryankshl) — now rolled out across multiple modules.
🏗️ Infrastructure & Tooling
- Docker-based dashboard added (@harveenkaur2912)
- Scanner benchmark framework for DAST/SAST coverage (@MukulGhare)
- llmforge build migrated to a Docker Hub image for easier setup (@aruzaphoenix)
- @Profile("public"/"unsafe") safeguards added across vulnerability controllers to separate safe/unsafe deployment modes (@prajp98)
- Extra scanner path configuration support (@nguyenvulong)
- @antriksh-9 — Enhanced the first-time contributor workflow
- @MixhizoR — Added secure variants to Http3xxStatusCodeBasedInjection annotations
📚 Documentation & Community
- New organizational usage documentation added (@CharanTeja-6825)
- University of Adelaide added to the usage showcase (@aruzaphoenix)
- Design documentation grammar and formatting cleanup (@muhammadrehanazam)
- Facade schema population work (@saurabhkushwaha438)
📊 By the Numbers
~66 merged PRs
21 contributors
Continued momentum on infra hardening, new challenge types, and onboarding polish
Full changelog: 2.0.1...2.1.0
VulnerableApp-2.0.1
This release introduces major enhancements to VulnerableApp, including the addition of LLM-focused security labs, new vulnerabilities, and improvements across the platform.
🔥 Highlights
🤖 Introducing LLMForge (NEW)
We are excited to launch LLMForge, a new application within VulnerableApp focused on LLM (Large Language Model) security vulnerabilities.
LLMForge enables learners and security researchers to:
Explore real-world LLM attack vectors
Understand emerging risks like prompt injection, data leakage, and unsafe tool usage
Practice exploiting and mitigating vulnerabilities in AI-powered applications
LLMForge is accessible via the Docker setup. Simply run:
docker-compose up -d
and access VulnerableApp along with LLMForge at:
http://localhost
This marks a significant step in expanding VulnerableApp beyond traditional web security into AI security education.
🛡️ New Vulnerabilities Added
🔓 IDOR (Insecure Direct Object Reference)
Added a complete IDOR vulnerability lab
Includes multiple levels for progressive learning
Refactored for better clarity and extensibility
🪟 Clickjacking
Introduced a new Clickjacking vulnerability scenario
Includes both vulnerable and fixed implementations for comparison
🧬 LDAP Injection
New LDAP Injection vulnerability added
Improved level design and feedback based on testing iterations
🧰 Improvements & Fixes
✅ Fixed Clickjacking vulnerability implementation in modern UI
✅ Added ping utility to Docker base image (fixes Command Injection lab issues)
✅ Improved documentation for modern UI testing workflows
✅ Updated internationalized README files to align with the English version
✅ General code refactoring and stability improvements across vulnerability modules
👥 New Contributors
We’re thrilled to welcome new contributors to the project 🎉
@Roshan1299 – Clickjacking vulnerability
@monssefbaakka – i18n documentation updates
@PrakarshSrivastav – Testing scripts & documentation
@zeel2104 – Docker fixes for command injection
Special Mention
Special thanks to @antriksh-9 and @Roshan1299 for their outstanding contributions to this release.
@antriksh-9 delivered high-impact work by building core vulnerability labs including IDOR and LDAP Injection, significantly strengthening the platform’s security coverage.
@Roshan1299 contributed the Clickjacking vulnerability, adding important client-side attack scenarios to the application.
📦 Full Changelog
👉 1.13...2.0.1
🚀 VulnerableApp Release v2.0.0
This release introduces major enhancements to VulnerableApp, including the addition of LLM-focused security labs, new vulnerabilities, and improvements across the platform.
🔥 Highlights
🤖 Introducing LLMForge (NEW)
We are excited to launch LLMForge, a new application within VulnerableApp focused on LLM (Large Language Model) security vulnerabilities.
LLMForge enables learners and security researchers to:
Explore real-world LLM attack vectors
Understand emerging risks like prompt injection, data leakage, and unsafe tool usage
Practice exploiting and mitigating vulnerabilities in AI-powered applications
LLMForge is accessible via the Docker setup. Simply run:
docker-compose up -d
and access VulnerableApp along with LLMForge at:
http://localhost
This marks a significant step in expanding VulnerableApp beyond traditional web security into AI security education.
🛡️ New Vulnerabilities Added
🔓 IDOR (Insecure Direct Object Reference)
Added a complete IDOR vulnerability lab
Includes multiple levels for progressive learning
Refactored for better clarity and extensibility
🪟 Clickjacking
Introduced a new Clickjacking vulnerability scenario
Includes both vulnerable and fixed implementations for comparison
🧬 LDAP Injection
New LDAP Injection vulnerability added
Improved level design and feedback based on testing iterations
🧰 Improvements & Fixes
✅ Fixed Clickjacking vulnerability implementation in modern UI
✅ Added ping utility to Docker base image (fixes Command Injection lab issues)
✅ Improved documentation for modern UI testing workflows
✅ Updated internationalized README files to align with the English version
✅ General code refactoring and stability improvements across vulnerability modules
👥 New Contributors
We’re thrilled to welcome new contributors to the project 🎉
@Roshan1299 – Clickjacking vulnerability
@monssefbaakka – i18n documentation updates
@PrakarshSrivastav – Testing scripts & documentation
@zeel2104 – Docker fixes for command injection
Special Mention
Special thanks to @antriksh-9 and @Roshan1299 for their outstanding contributions to this release.
@antriksh-9 delivered high-impact work by building core vulnerability labs including IDOR and LDAP Injection, significantly strengthening the platform’s security coverage.
@Roshan1299 contributed the Clickjacking vulnerability, adding important client-side attack scenarios to the application.
📦 Full Changelog
👉 1.13...2.0.0
VulnerableApp-1.13
What's Changed
- Typo: added missing m in consumption by @kjosh in #466
- Add JWT unit tests by @kjosh in #467
- Add unit tests for Blind SQL Injection Vulnerability levels 1, 2, and 3 by @imertetsu in #474
- Blind sql injection vulnerabilities secure implementations by @imertetsu in #477
- feat: implement header param injection handling for JWT vulnerabilities by @leiberbertel in #473
- feat(i18n): add Bengali and Marathi translation by @amritamishra01 in #484
- fix: remove deprecated Docker compose version and pin facade image to 1.2.1 by @Aryan-Pillai7 in #489
- Increase coverage of 'XXEVulnerability' class to 100% by @demoralizerr in #492
- Add Gujarati langugae Translation i18N file! by @demoralizerr in #490
- Increased Junit coverage for 'PreflightController' & 'UnrestrictedFileUpload' class by @demoralizerr in #493
- Fix multiple issues: Docker latest tag, Korean translation, secure XSS/XXE variants, JWT levels, and Cryptographic failures vulnerability by @colloceo in #491
- build: upgrade to java 17 and update CI workflows by @antriksh-9 in #496
- Fix: Refactor JWT Level 13 to use cookie-based flow and vulnerable JWK verification by @subhamkumarr in #499
- Fix: Use consistent latest Docker tag across services by @incursio-xd in #505
New Contributors
- @kjosh made their first contribution in #466
- @imertetsu made their first contribution in #474
- @leiberbertel made their first contribution in #473
- @amritamishra01 made their first contribution in #484
- @Aryan-Pillai7 made their first contribution in #489
- @demoralizerr made their first contribution in #492
- @colloceo made their first contribution in #491
- @antriksh-9 made their first contribution in #496
- @subhamkumarr made their first contribution in #499
- @incursio-xd made their first contribution in #505
Full Changelog: 1.12.0...1.12.27
VulnerableApp-1.12.0
✨ Newer Feature
- New unrestricted file upload size vulnerability (#351) by @tkomlodi in #454
- #406 Addition of secured implementations for Union SQL Injection by @x7Git in #452
- Building localisation support framework by @preetkaran20 in #419
🚀 Integrations
- CodeCov intergration with VulnerableApp
- Upgrade gradle to 7.5.1 version by @SampathKumarAmex in #385
- Adding reddit troubleshooting link for application by @preetkaran20 in #463
- Italian Locale support by @TheZal in #415
- Hindi Locale support by @garvit2435 in #439
- Chinese locale support by @yuhwaa in #430
- Swedish translation support by @antonsixtenson in #424
- Spanish translation support by @dafarias in #423
🧪 Addition of Tests
- Add test for PathTraversal class by @richard66033 in #456
- Add test for PathTraversal class by @richard66033 in #456
- Tests for Persistent XSS in HTML by @SeheX in #455
- Tests for ErrorBasedSQLInjection Vulnerability @13Anthony in #451
- Tests for union based sql injection by @000panther in #444
- Add SSRF Vulnerability tests by @rai-sandeep in #429
🐞 Fixes
- Fixed jibDockerBuild command for local testing based on Multi-Platform build in #462
- Fixed file upload directory creation when system root directory is not writable by application. #449 by @tkomlodi in #453
- Mocked network calls made in SSRFVulnerabilityTest fixing local build errors by @tkomlodi in #447
New Contributors
- @TheZal made their first contribution in #415
- @dafarias made their first contribution in #423
- @antonsixtenson made their first contribution in #424
- @yuhwaa made their first contribution in #430
- @rai-sandeep made their first contribution in #429
- @garvit2435 made their first contribution in #439
- @000panther made their first contribution in #444
- @tkomlodi made their first contribution in #447
- @13Anthony made their first contribution in #451
- @SeheX made their first contribution in #455
- @richard66033 made their first contribution in #456
- @x7Git made their first contribution in #452
Thanks a lot for all the amazing contributions.
Full Changelog: 1.11.0...1.12.0
VulnerableApp-1.11.0
✨ Newer Feature
- Addition of SSRF vulnerability to VulnerableApp
- Addition of Newer JWT Vulnerability level to include special Authorisation header Injection
🚀 Integrations
🔥 Removed code or files
- Removed Non Vulnerable Level in Persistent XSS
- Removal of redundant VulnerabilityType and VulnerabilitySubTypes
- Removal of all the deprecated fields in VulnerableAppRequestMapping annotation and ScannerResponseBean
🧪 Addition of Tests
- Adding unit test for controller exception handler
- Addition of unit test and small fixes in XSSInImgTagAttribute
- Addition of unit test and various other fixes in OpenRedirect Vulnerability
📝 Documentation update
- Updating Hint messages for SQLInjection
- Grammar update in Project usage document
- Grammer update in Readme
🐞 Fixes
- PathTraversalVulnerability issues with Spring-boot standalone builds
- SQL Injection DB connect issue
- Addition of Secure Variant in XXE
- Marking last level as Secure in CommandInjection
- OpenRedirect vulnerability bug in Spring-boot standalone build
- Updates in PersistentXSSInHTMLTagVulnerability
- Code smell fixes(#372 and #373)
Special thanks to contributors
- @priyanka010392
- @1411dolly0
- @Monoradioactivo
- @KelvinTran6
- @SampathKumarAmex
- @jpralle
- @ehizman
- @shammer0
- @hks1
- @Emelie4
- @merry-degaga
- @NMV01
- @gled02
Special thanks for finding crucial issues
Full Changelog: 1.10.0...1.11.0
VulnerableApp-1.10.0
This release includes:
- Onboarding to new User Interface for Owasp VulnerableApp-Facade
- Addition of Content-Disposition based File Upload attack
- Introduction to 'Secure' and 'Unsecure' marker for vulnerability levels
- Introduction to a better descriptive payload for SQL Injections
- Removed sample values from Annotation
- Addition of expected_issues.csv file which contains the vulnerabilities presents in VulnerableApp and is used by SAST tools to evaluate themselves.
Special thanks to contributors:
For Docker-based installation please use the following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp
Pull the image by running the following command:
docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest
Hacktoberfest contributions plus Open Redirect Vulnerability
This release includes:
- Added Open Redirect Vulnerability Http Status Code 3XX based
- Special thanks to Hacktoberfest and all the awesome contributions made by contributors, highlights:
2.1 @devabhishekpal , Designed an amazing Logo for the project
2.2 @hexxdump , First ever article on the project
2.3 @pavluchenko , Removing Maven and its related dependencies
2.4 @fengyuanyang , Introduced unit-tests to the project
2.5 @Nimanita @hritikgupta for improving error pages and documentation
Very glad to inform that we have reached a milestone of 75 Vulnerabilities with this release.
For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp
Pull the image by running following command:
docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest
Major release with Framework Revamp and 2 New vulnerability addition
This release comprise of addition of 2 new Vulnerabilities:
- File Upload Vulnerability
- XXE
Also we have revamped the entire backend framework with more generic and easy to use approach so that new vulnerabilities addition is quite easy.
Along with these, in this release we have reduced the Docker Size by 20-25 MB (using jib suggested by @hemantgs ).
We have also updated the documentation and a new website is added.
This is a major release with 141 commits, with 2,853 additions and 1,709 deletions.
Thanks to all the contributors:
For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp
Pull the image by running following command:
docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest
Adding Persistent XSS vulnerability
This release comprise of addition of Persistent XSS Vulnerability.
For Docker based installation please use following URL:
https://hub.docker.com/r/sasanlabs/owasp-vulnerableapp
Pull the image by running following command: docker pull sasanlabs/owasp-vulnerableapp
For running vulnerable app as docker container: docker run -p 9090:9090 --name=owasp-vulnerableapp sasanlabs/owasp-vulnerableapp:latest