CalvinBackup/fuzzforge_ai
1
0
Fork 0
mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-05-22 20:59:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Tanguy Duhamel
2025-09-29 21:26:41 +02:00
parent f0fd367ed8
commit 323a434c73
208 changed files with 72069 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files
test_projects/README.md
+89
View File
@@ -0,0 +1,89 @@
# FuzzForge Vulnerable Test Project
This directory contains a comprehensive vulnerable test application designed to validate FuzzForge's security workflows. The project contains multiple categories of security vulnerabilities to test both the `security_assessment` and `secret_detection_scan` workflows.
## Test Project Overview
### Vulnerable Application (`vulnerable_app/`)
**Purpose**: Comprehensive vulnerable application for testing security workflows
**Supported Workflows**:
- `security_assessment` - General security scanning and analysis
- `secret_detection_scan` - Detection of secrets, credentials, and sensitive data
**Vulnerabilities Included**:
- SQL injection vulnerabilities
- Command injection
- Hardcoded secrets and credentials
- Path traversal vulnerabilities
- Weak cryptographic functions
- Server-side template injection (SSTI)
- Pickle deserialization attacks
- CSRF missing protection
- Information disclosure
- API keys and tokens
- Database connection strings
- Private keys and certificates
**Files**:
- Multiple source code files with various vulnerability types
- Configuration files with embedded secrets
- Dependencies with known vulnerabilities
**Expected Detections**: 30+ findings across both security assessment and secret detection workflows
---
## Usage Instructions
### Testing with FuzzForge Workflows
The vulnerable application can be tested with both essential workflows:
```bash
# Test security assessment workflow
curl -X POST http://localhost:8000/workflows/security_assessment/submit \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app",
"volume_mode": "ro"
}'
# Test secret detection workflow
curl -X POST http://localhost:8000/workflows/secret_detection_scan/submit \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app",
"volume_mode": "ro"
}'
```
### Expected Results
Each workflow should produce SARIF-formatted results with:
- High-severity findings for critical vulnerabilities
- Medium-severity findings for moderate risks
- Detailed descriptions and remediation guidance
- Code flow information where applicable
### Validation Criteria
A successful test should detect:
- **Security Assessment**: At least 20 various security vulnerabilities
- **Secret Detection**: At least 10 different types of secrets and credentials
---
## Security Notice
⚠️ **WARNING**: This project contains intentional security vulnerabilities and should NEVER be deployed in production environments or exposed to public networks. It is designed solely for security testing and validation purposes.
## File Structure
```
test_projects/
├── README.md
└── vulnerable_app/
├── [Multiple vulnerable source files]
├── [Configuration files with secrets]
└── [Dependencies with known issues]
```
test_projects/vulnerable_app/.github/workflows/deploy.yml
Vendored
+37
View File
@@ -0,0 +1,37 @@
name: Deploy to Production
on:
push:
branches: [ main ]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Deploy to server
env:
# Hardcoded secrets in workflow
SSH_PRIVATE_KEY: |
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1234567890abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnop
-----END RSA PRIVATE KEY-----
SERVER_PASSWORD: ProductionServerPass123!
API_KEY: api_1234567890abcdefghijklmnopqrstuvwxyz
AWS_ACCESS_KEY: AKIAIOSFODNN7EXAMPLE
AWS_SECRET_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
run: |
echo "Deploying with hardcoded credentials"
echo "$SSH_PRIVATE_KEY" > deploy_key
chmod 600 deploy_key
- name: Database migration
run: |
mysql -h production.db.com -u root -pRootPassword123! < migration.sql
- name: Sync files
run: |
rsync -avz -e "sshpass -p 'ServerPassword456!' ssh" ./dist/ user@production:/var/www/
test_projects/vulnerable_app/README.md
+95
View File
@@ -0,0 +1,95 @@
# Vulnerable Test Application
This is a **TEST PROJECT** designed to trigger security findings in the FuzzForge security assessment workflow.
⚠️ **WARNING**: This application contains intentional security vulnerabilities for testing purposes only. DO NOT use any of this code in production!
## Vulnerabilities Included
### Hardcoded Secrets
- Database passwords
- API keys (AWS, Stripe, GitHub, etc.)
- JWT secrets
- Private keys (RSA, Bitcoin, Ethereum)
- OAuth tokens
### Code Injection
- `eval()` usage in multiple languages
- `exec()` and `system()` calls
- Dynamic function creation
- Template injection
### SQL Injection
- String concatenation in queries
- String formatting in SQL
- Dynamic query building
- Parameterless queries
### Command Injection
- Unsanitized user input in system commands
- Shell execution with user data
- Subprocess calls with shell=True
### Path Traversal
- Unvalidated file paths
- Directory traversal patterns
- Insecure file operations
### Other Vulnerabilities
- XSS vulnerabilities
- Insecure deserialization
- Weak cryptography (MD5, weak random)
- CORS misconfigurations
- Debug mode enabled
## Files Overview
- `src/` - Source code with various vulnerabilities
- `database.py` - Python with SQL injection and hardcoded secrets
- `api_handler.py` - Python with eval and command injection
- `utils.rb` - Ruby vulnerabilities
- `Main.java` - Java security issues
- `app.go` - Go vulnerabilities
- `scripts/` - Script files
- `deploy.php` - PHP vulnerabilities
- `backup.js` - JavaScript security issues
- `config/` - Configuration files
- `settings.py` - Hardcoded credentials
- `database.yaml` - Database passwords
- `.env` - Environment file with secrets
- `private_key.pem` - Private key file
- `wallet.json` - Cryptocurrency wallets
- `.github/workflows/` - CI/CD with hardcoded secrets
## Expected Findings
When running the security assessment workflow, you should see:
- Multiple hardcoded secrets detected
- SQL injection vulnerabilities
- Command injection risks
- Dangerous function usage
- Sensitive file discoveries
## Testing
To test with FuzzForge:
```bash
curl -X POST "http://localhost:8000/workflows/security_assessment/submit" \
-H "Content-Type: application/json" \
-d '{
"target_path": "/path/to/test_projects/vulnerable_app",
"volume_mode": "ro",
"parameters": {
"scanner_config": {"check_sensitive": true},
"analyzer_config": {"check_secrets": true, "check_sql": true}
}
}'
```
## Note
This is purely for testing security scanning capabilities. All credentials and keys are fake/example values.
test_projects/vulnerable_app/app.py
+54
View File
@@ -0,0 +1,54 @@
#!/usr/bin/env python3
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
"""
Test vulnerable application for FuzzForge security scanning.
Contains intentional security vulnerabilities for testing purposes.
"""
import os
import subprocess
import sqlite3
# Hardcoded secrets (for secret detection testing)
API_KEY = "sk-1234567890abcdef1234567890abcdef"
DATABASE_PASSWORD = "admin123"
JWT_SECRET = "my-super-secret-jwt-key-dont-tell-anyone"
def unsafe_sql_query(user_id):
"""SQL injection vulnerability"""
conn = sqlite3.connect("test.db")
cursor = conn.cursor()
# Vulnerable: direct string interpolation
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)
return cursor.fetchall()
def unsafe_command_execution(filename):
"""Command injection vulnerability"""
# Vulnerable: unsanitized user input in shell command
result = subprocess.run(f"ls -la {filename}", shell=True, capture_output=True)
return result.stdout
def unsafe_file_access(filepath):
"""Path traversal vulnerability"""
# Vulnerable: no path validation
with open(f"/var/app/uploads/{filepath}", "r") as f:
return f.read()
def main():
"""Main application function"""
print("Vulnerable app started")
print(f"Using API key: {API_KEY}")
if __name__ == "__main__":
main()
test_projects/vulnerable_app/config/database.yaml
+58
View File
@@ -0,0 +1,58 @@
# Database configuration with sensitive information
production:
adapter: postgresql
host: production-db.example.com
port: 5432
database: production_database
username: postgres
password: ProductionPassword123!
pool: 10
staging:
adapter: mysql
host: staging-db.example.com
port: 3306
database: staging_database
username: root
password: StagingPassword456!
development:
adapter: sqlite3
database: db/development.sqlite3
# Redis configuration
redis:
host: redis.example.com
port: 6379
password: RedisPassword789!
db: 0
# MongoDB configuration
mongodb:
connection_string: mongodb://admin:MongoAdminPass@mongo.example.com:27017/admin
database: myapp_production
# Elasticsearch
elasticsearch:
host: elastic.example.com
port: 9200
username: elastic
password: ElasticPassword321!
# API endpoints with keys
external_apis:
payment_gateway:
url: https://api.payment.com
api_key: pk_live_1234567890abcdefghijklmnop
secret_key: sk_live_0987654321zyxwvutsrqponmlk
email_service:
smtp_host: smtp.sendgrid.net
smtp_port: 587
username: apikey
password: SG.1234567890.abcdefghijklmnopqrstuvwxyz-1234567890
sms_service:
account_sid: AC1234567890abcdefghijklmnopqrstuv
auth_token: 1234567890abcdefghijklmnopqrstuvw
phone_number: "+1234567890"
test_projects/vulnerable_app/config/settings.py
+55
View File
@@ -0,0 +1,55 @@
"""
Application settings with sensitive configuration
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
# Database configuration with passwords
DATABASE_CONFIG = {
'host': 'db.production.internal',
'port': 5432,
'username': 'postgres',
'password': 'postgres_password_123', # Hardcoded password
'database': 'production_db'
}
# API Keys and tokens
GITHUB_TOKEN = "ghp_1234567890abcdef1234567890abcdef123456"
GITLAB_TOKEN = "glpat-1234567890abcdefghij"
SLACK_WEBHOOK = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX"
SENDGRID_API_KEY = "SG.1234567890.abcdefghijklmnopqrstuvwxyz"
# OAuth credentials
OAUTH_CLIENT_ID = "1234567890-abcdefghijklmnopqrstuvwxyz.apps.googleusercontent.com"
OAUTH_CLIENT_SECRET = "GOCSPX-1234567890abcdefghijklmn"
# Encryption keys
ENCRYPTION_KEY = "ThisIsAVerySecretEncryptionKey123!"
JWT_SECRET = "super_secret_jwt_key_do_not_share"
# Cloud provider credentials
AZURE_STORAGE_KEY = "DefaultEndpointsProtocol=https;AccountName=storage;AccountKey=1234567890abcdefghijklmnopqrstuvwxyz==;EndpointSuffix=core.windows.net"
GCP_SERVICE_ACCOUNT = {
"type": "service_account",
"project_id": "my-project",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkq...fake...key\n-----END PRIVATE KEY-----",
"client_email": "service@project.iam.gserviceaccount.com"
}
# Payment provider keys
PAYPAL_CLIENT_ID = "AZDxjDScFpQtjWTOUtWKbyN_bDt4OgqaF4eYXlewfBP4-8aqX3PiV8e1GWU6liB2CUXlkA59kJXE7M6R"
PAYPAL_CLIENT_SECRET = "EGnHDxD_qRPdaLdZz8iCr8N7_MzF-YHPTkjs6NKYQvQSBngp4PTTVWkPZRbL"
# Dangerous configuration
DEBUG = True # Debug mode enabled in production
ALLOW_ALL_ORIGINS = "*" # CORS vulnerability
USE_SSL = False # SSL disabled
test_projects/vulnerable_app/findings-53e5d63f.json
+675
View File
@@ -0,0 +1,675 @@
{
"tool": {
"name": "FuzzForge Security Assessment",
"version": "1.0.0"
},
"summary": {
"total_issues": 66,
"by_severity": {
"warning": 49,
"error": 17
}
},
"findings": [
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at private_key.pem",
"location": {
"file": "private_key.pem",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at wallet.json",
"location": {
"file": "wallet.json",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at .npmrc",
"location": {
"file": ".npmrc",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at .env",
"location": {
"file": ".env",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at .git-credentials",
"location": {
"file": ".git-credentials",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at data/api_keys.txt",
"location": {
"file": "data/api_keys.txt",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at data/credentials.json",
"location": {
"file": "data/credentials.json",
"line": null,
"column": null
}
},
{
"rule_id": "sensitive_file_medium",
"severity": "warning",
"message": "Found potentially sensitive file at .fuzzforge/.env",
"location": {
"file": ".fuzzforge/.env",
"line": null,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via F-string in SQL query",
"location": {
"file": "app.py",
"line": 21,
"column": null
}
},
{
"rule_id": "hardcoded_secret_high",
"severity": "error",
"message": "Found potential hardcoded API Key in src/api_handler.py",
"location": {
"file": "src/api_handler.py",
"line": 13,
"column": null
}
},
{
"rule_id": "hardcoded_secret_medium",
"severity": "warning",
"message": "Found potential hardcoded Authentication Token in src/api_handler.py",
"location": {
"file": "src/api_handler.py",
"line": 9,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function eval(): Arbitrary code execution",
"location": {
"file": "src/api_handler.py",
"line": 22,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function eval(): Arbitrary code execution",
"location": {
"file": "src/api_handler.py",
"line": 42,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function exec(): Arbitrary code execution",
"location": {
"file": "src/api_handler.py",
"line": 37,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function os.system(): Command injection risk",
"location": {
"file": "src/api_handler.py",
"line": 32,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function os.system(): Command injection risk",
"location": {
"file": "src/api_handler.py",
"line": 59,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function subprocess with shell=True: Command injection risk",
"location": {
"file": "src/api_handler.py",
"line": 27,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via String concatenation in SQL",
"location": {
"file": "src/database.py",
"line": 31,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via String formatting in SQL",
"location": {
"file": "src/database.py",
"line": 38,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via String formatting in SQL",
"location": {
"file": "src/database.py",
"line": 45,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via F-string in SQL query",
"location": {
"file": "src/database.py",
"line": 38,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via Dynamic query building",
"location": {
"file": "src/database.py",
"line": 31,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via Dynamic query building",
"location": {
"file": "src/database.py",
"line": 63,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function os.system(): Command injection risk",
"location": {
"file": "src/database.py",
"line": 57,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function pickle.load(): Deserialization vulnerability",
"location": {
"file": "src/database.py",
"line": 52,
"column": null
}
},
{
"rule_id": "hardcoded_secret_high",
"severity": "error",
"message": "Found potential hardcoded Private Key in scripts/backup.js",
"location": {
"file": "scripts/backup.js",
"line": 81,
"column": null
}
},
{
"rule_id": "hardcoded_secret_medium",
"severity": "warning",
"message": "Found potential hardcoded Potential Secret Hash in scripts/backup.js",
"location": {
"file": "scripts/backup.js",
"line": 81,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function eval(): Arbitrary code execution",
"location": {
"file": "scripts/backup.js",
"line": 23,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function new Function(): Arbitrary code execution",
"location": {
"file": "scripts/backup.js",
"line": 28,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function innerHTML: XSS vulnerability",
"location": {
"file": "scripts/backup.js",
"line": 33,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function innerHTML: XSS vulnerability",
"location": {
"file": "scripts/backup.js",
"line": 37,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function document.write(): XSS vulnerability",
"location": {
"file": "scripts/backup.js",
"line": 42,
"column": null
}
},
{
"rule_id": "hardcoded_secret_high",
"severity": "error",
"message": "Found potential hardcoded Private Key in src/Main.java",
"location": {
"file": "src/Main.java",
"line": 77,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via String concatenation in SQL",
"location": {
"file": "src/Main.java",
"line": 23,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via String concatenation in SQL",
"location": {
"file": "src/Main.java",
"line": 29,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via Dynamic query building",
"location": {
"file": "src/Main.java",
"line": 23,
"column": null
}
},
{
"rule_id": "sql_injection_high",
"severity": "error",
"message": "Detected potential SQL injection vulnerability via Dynamic query building",
"location": {
"file": "src/Main.java",
"line": 29,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function eval(): Arbitrary code execution",
"location": {
"file": "scripts/deploy.php",
"line": 28,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function exec(): Command execution",
"location": {
"file": "scripts/deploy.php",
"line": 22,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function exec(): Command execution",
"location": {
"file": "scripts/deploy.php",
"line": 23,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function system(): Command execution",
"location": {
"file": "scripts/deploy.php",
"line": 21,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function shell_exec(): Command execution",
"location": {
"file": "scripts/deploy.php",
"line": 23,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 12,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 21,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 23,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 24,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 31,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 45,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 50,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_GET usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 57,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 13,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 22,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 27,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 32,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 40,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 46,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 53,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 54,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 61,
"column": null
}
},
{
"rule_id": "dangerous_function_medium",
"severity": "warning",
"message": "Use of potentially dangerous function Direct $_POST usage: Input validation missing",
"location": {
"file": "scripts/deploy.php",
"line": 62,
"column": null
}
},
{
"rule_id": "hardcoded_secret_high",
"severity": "error",
"message": "Found potential hardcoded API Key in src/utils.rb",
"location": {
"file": "src/utils.rb",
"line": 64,
"column": null
}
},
{
"rule_id": "hardcoded_secret_medium",
"severity": "warning",
"message": "Found potential hardcoded Hardcoded Password in src/utils.rb",
"location": {
"file": "src/utils.rb",
"line": 63,
"column": null
}
},
{
"rule_id": "hardcoded_secret_high",
"severity": "error",
"message": "Found potential hardcoded Private Key in src/app.go",
"location": {
"file": "src/app.go",
"line": 59,
"column": null
}
},
{
"rule_id": "hardcoded_secret_high",
"severity": "error",
"message": "Found potential hardcoded Private Key in src/app.go",
"location": {
"file": "src/app.go",
"line": 62,
"column": null
}
},
{
"rule_id": "hardcoded_secret_medium",
"severity": "warning",
"message": "Found potential hardcoded Potential Secret Hash in src/app.go",
"location": {
"file": "src/app.go",
"line": 59,
"column": null
}
},
{
"rule_id": "hardcoded_secret_medium",
"severity": "warning",
"message": "Found potential hardcoded Potential Secret Hash in src/app.go",
"location": {
"file": "src/app.go",
"line": 62,
"column": null
}
}
]
}
test_projects/vulnerable_app/findings-e34d6450.sarif
+2548
View File
File diff suppressed because it is too large Load Diff
test_projects/vulnerable_app/requirements.txt
+3
View File
@@ -0,0 +1,3 @@
flask==2.3.0
requests==2.28.0
sqlite3
test_projects/vulnerable_app/scripts/backup.js
+88
View File
@@ -0,0 +1,88 @@
/**
* Backup script with JavaScript security vulnerabilities
*/
// Hardcoded API keys and secrets
const API_KEY = "api_key_1234567890abcdefghijklmnopqrstuvwxyz";
const SECRET_KEY = "secret_1234567890abcdefghijklmnopqrstuvwxyz";
const MONGODB_URI = "mongodb://admin:password123@localhost:27017/mydb";
const REDIS_PASSWORD = "redis_password_123456";
// Firebase configuration with keys
const firebaseConfig = {
apiKey: "AIzaSyDOCAbC123dEf456GhI789jKl01-MnO",
authDomain: "myapp.firebaseapp.com",
projectId: "myapp-12345",
storageBucket: "myapp.appspot.com",
messagingSenderId: "123456789",
appId: "1:123456789:web:ab123cd456ef789gh012ij"
};
// Dangerous eval usage
function executeCode(userInput) {
eval(userInput); // Code injection vulnerability
}
// Dynamic function creation
function createFunction(code) {
return new Function(code); // Code injection vulnerability
}
// XSS vulnerabilities
function displayMessage(message) {
document.body.innerHTML = message; // XSS vulnerability
}
function updateContent(html) {
document.getElementById('content').innerHTML = html; // XSS vulnerability
}
// Insecure data handling
function processUserData(data) {
document.write(data); // XSS vulnerability
}
// Command injection via child_process
const { exec } = require('child_process');
function runCommand(userInput) {
exec('ls ' + userInput, (error, stdout, stderr) => { // Command injection
console.log(stdout);
});
}
// SQL injection in Node.js
function getUserData(userId) {
const query = `SELECT * FROM users WHERE id = ${userId}`; // SQL injection
db.query(query);
}
// Path traversal
const fs = require('fs');
function readFile(filename) {
return fs.readFileSync('../../../' + filename); // Path traversal
}
// Insecure randomness
function generateToken() {
return Math.random().toString(36); // Weak randomness
}
// Hardcoded JWT secret
const jwt = require('jsonwebtoken');
const JWT_SECRET = 'my-super-secret-jwt-key';
function createToken(payload) {
return jwt.sign(payload, JWT_SECRET);
}
// Bitcoin private key (example)
const BITCOIN_PRIVATE_KEY = "5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS";
// Ethereum private key
const ETH_PRIVATE_KEY = "0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef";
// AWS credentials in code
process.env.AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
process.env.AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
test_projects/vulnerable_app/scripts/deploy.php
+68
View File
@@ -0,0 +1,68 @@
<?php
/**
* Deployment script with multiple security issues
*/
// Hardcoded credentials
$db_password = "admin123";
$api_token = "token_1234567890abcdefghijklmnop";
$ssh_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...";
// Direct use of $_GET and $_POST without validation
$user_id = $_GET['id'];
$username = $_POST['username'];
$action = $_REQUEST['action'];
// SQL injection vulnerability
$query = "SELECT * FROM users WHERE id = $user_id";
mysql_query($query);
// Command execution vulnerabilities
system("ls -la " . $_GET['directory']);
exec("cat " . $_POST['file']);
shell_exec("ping " . $_GET['host']);
passthru("ps aux | grep " . $_GET['process']);
// Dangerous eval usage
$code = $_POST['code'];
eval($code); // Code execution vulnerability
// File inclusion vulnerabilities
include($_GET['page'] . '.php');
require_once($_POST['template']);
// Insecure file operations
$uploaded_file = $_FILES['upload']['tmp_name'];
$destination = "/var/www/uploads/" . $_FILES['upload']['name'];
move_uploaded_file($uploaded_file, $destination); // No validation
// More SQL injection patterns
$search = $_POST['search'];
$sql = "SELECT * FROM products WHERE name LIKE '%$search%'";
$result = mysql_query($sql);
// XSS vulnerability
echo "Welcome, " . $_GET['name'];
print("Your search: " . $_POST['query']);
// Session hijacking vulnerability
session_start();
$_SESSION['user'] = $_GET['user'];
// Weak cryptography
$password = md5($_POST['password']); // Weak hashing
$encrypted = base64_encode($_POST['sensitive_data']); // Not encryption
// Directory traversal
$file = $_GET['file'];
readfile("/var/www/html/" . $file);
// MongoDB injection
$username = $_POST['username'];
$password = $_POST['password'];
$query = array(
"username" => $username,
"password" => $password
);
?>
test_projects/vulnerable_app/src/Main.java
+78
View File
@@ -0,0 +1,78 @@
import java.sql.*;
import java.io.*;
import java.util.*;
public class Main {
// Hardcoded database credentials
private static final String DB_URL = "jdbc:mysql://localhost:3306/production";
private static final String DB_USER = "admin";
private static final String DB_PASSWORD = "JavaDBPassword123!";
// API Keys
private static final String API_KEY = "sk-proj-1234567890abcdefghijklmnopqrstuvwxyz";
private static final String SECRET_TOKEN = "secret_token_abcdef1234567890";
private static final String AWS_ACCESS = "AKIAIOSFODNN7EXAMPLE";
private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
public class VulnerableApp {
// SQL Injection vulnerability
public void getUserById(String userId) throws SQLException {
Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
Statement stmt = conn.createStatement();
String query = "SELECT * FROM users WHERE id = " + userId; // SQL injection
ResultSet rs = stmt.executeQuery(query);
}
// Another SQL injection with string concatenation
public void searchProducts(String searchTerm) throws SQLException {
String query = "SELECT * FROM products WHERE name LIKE '%" + searchTerm + "%'";
// Vulnerable to SQL injection
}
// Command injection vulnerability
public void executeCommand(String filename) throws IOException {
Runtime.getRuntime().exec("cat " + filename); // Command injection
}
// Path traversal vulnerability
public void readFile(String filename) throws IOException {
File file = new File("/var/www/uploads/" + filename); // Path traversal
FileInputStream fis = new FileInputStream(file);
}
// XXE vulnerability
public void parseXML(String xmlInput) {
// XML parsing without disabling external entities
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// Vulnerable to XXE attacks
}
// Insecure deserialization
public Object deserialize(byte[] data) throws Exception {
ByteArrayInputStream bis = new ByteArrayInputStream(data);
ObjectInputStream ois = new ObjectInputStream(bis);
return ois.readObject(); // Insecure deserialization
}
// Weak cryptography
public String hashPassword(String password) {
MessageDigest md = MessageDigest.getInstance("MD5"); // Weak hashing
return new String(md.digest(password.getBytes()));
}
// Hardcoded encryption key
private static final String ENCRYPTION_KEY = "MySecretEncryptionKey123";
// LDAP injection
public void authenticateUser(String username, String password) {
String filter = "(uid=" + username + ")"; // LDAP injection
// Vulnerable LDAP query
}
}
// More hardcoded secrets
private static final String STRIPE_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";
private static final String GITHUB_TOKEN = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
private static final String PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQ...";
}
test_projects/vulnerable_app/src/api_handler.py
+71
View File
@@ -0,0 +1,71 @@
"""
API handler with various security vulnerabilities
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
import os
import subprocess
import jwt
# More hardcoded secrets
SECRET_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA0Z7VS5JJ...fake...private...key
-----END RSA PRIVATE KEY-----"""
STRIPE_API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
class APIHandler:
def __init__(self):
self.token = SECRET_TOKEN
def process_user_input(self, user_data):
"""Dangerous eval usage - code injection"""
# This is extremely dangerous!
result = eval(user_data) # Code injection vulnerability
return result
def execute_command(self, command):
"""Command injection via subprocess with shell=True"""
result = subprocess.call(command, shell=True) # Command injection risk
return result
def run_system_command(self, filename):
"""Another command injection vulnerability"""
os.system("cat " + filename) # Command injection
def process_template(self, template_string, data):
"""Template injection vulnerability"""
compiled = compile(template_string, '<string>', 'exec')
exec(compiled, data) # Code execution vulnerability
return data
def generate_dynamic_function(self, code):
"""Dynamic function creation - code injection"""
func = eval(f"lambda x: {code}") # Dangerous eval
return func
def authenticate_user(self, token):
"""JWT token in code"""
decoded = jwt.decode(token, SECRET_TOKEN, algorithms=["HS256"])
return decoded
def get_file_contents(self, filepath):
"""Path traversal vulnerability"""
# No validation of filepath - could access any file
with open(filepath, 'r') as f:
return f.read()
def log_user_action(self, user_input):
"""Log injection vulnerability"""
log_message = f"User action: {user_input}"
os.system(f"echo '{log_message}' >> /var/log/app.log") # Command injection via logs
test_projects/vulnerable_app/src/app.go
+80
View File
@@ -0,0 +1,80 @@
package main
import (
"database/sql"
"fmt"
"os/exec"
"net/http"
)
// Hardcoded credentials and secrets
const (
DBPassword = "GoDBPassword123!"
APIKey = "api_key_golang_1234567890abcdefghij"
JWTSecret = "super_secret_jwt_key_golang"
AWSAccessKey = "AKIAIOSFODNN7EXAMPLE"
AWSSecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
StripeAPIKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
SlackWebhook = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX"
)
// Private keys
var privateKey = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4f5wg5l2iFFGH3FakeKeyForTesting1234567890
-----END RSA PRIVATE KEY-----`
type App struct {
db *sql.DB
}
// SQL Injection vulnerability
func (a *App) GetUser(userID string) {
query := fmt.Sprintf("SELECT * FROM users WHERE id = %s", userID) // SQL injection
rows, _ := a.db.Query(query)
defer rows.Close()
}
// Another SQL injection
func (a *App) SearchProducts(search string) {
query := "SELECT * FROM products WHERE name LIKE '%" + search + "%'" // SQL injection
a.db.Query(query)
}
// Command injection
func ExecuteCommand(input string) {
cmd := exec.Command("sh", "-c", "echo "+input) // Command injection
cmd.Run()
}
// Path traversal
func ReadFile(filename string) {
path := "/var/www/uploads/" + filename // Path traversal vulnerability
// Read file without validation
}
// Hardcoded MongoDB connection string
const MongoDBURI = "mongodb://admin:password123@localhost:27017/mydb"
// Bitcoin private key
const BitcoinPrivateKey = "5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS"
// Ethereum private key
const EthereumPrivateKey = "0x4c0883a69102937d6231471b5dbb6204fe512961708279f3e2e1a2e4567890abc"
// More API keys
var (
TwilioAccountSID = "AC1234567890abcdefghijklmnopqrstuv"
TwilioAuthToken = "1234567890abcdefghijklmnopqrstuv"
SendGridAPIKey = "SG.1234567890.abcdefghijklmnopqrstuvwxyz"
GitHubToken = "github_pat_11AAAAAAA_1234567890abcdefghijklmnop"
)
func main() {
// Insecure HTTP server
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
userInput := r.URL.Query().Get("input")
// No input validation
fmt.Fprintf(w, "User input: %s", userInput) // Potential XSS
})
http.ListenAndServe(":8080", nil)
}
test_projects/vulnerable_app/src/database.py
+78
View File
@@ -0,0 +1,78 @@
"""
Database connection module with various security issues
"""
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
import mysql.connector
import pickle
import os
# Hardcoded database credentials (will trigger secret detection)
DB_HOST = "production.database.com"
DB_USER = "admin"
DB_PASSWORD = "SuperSecretPassword123!"
API_KEY = "sk-1234567890abcdef1234567890abcdef"
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
class DatabaseManager:
def __init__(self):
self.connection = None
def connect(self):
"""Connect to database with hardcoded credentials"""
self.connection = mysql.connector.connect(
host=DB_HOST,
user=DB_USER,
password=DB_PASSWORD,
database="production"
)
def execute_query(self, user_input):
"""Vulnerable to SQL injection - concatenating user input"""
query = "SELECT * FROM users WHERE username = '" + user_input + "'"
cursor = self.connection.cursor()
cursor.execute(query) # SQL injection vulnerability
return cursor.fetchall()
def search_products(self, search_term, category):
"""Another SQL injection vulnerability using string formatting"""
query = f"SELECT * FROM products WHERE name LIKE '%{search_term}%' AND category = '{category}'"
cursor = self.connection.cursor()
cursor.execute(query)
return cursor.fetchall()
def update_user_profile(self, user_id, data):
"""SQL injection via string interpolation"""
query = "UPDATE users SET profile = '%s' WHERE id = %s" % (data, user_id)
cursor = self.connection.cursor()
cursor.execute(query)
self.connection.commit()
def load_user_preferences(self, data):
"""Insecure deserialization vulnerability"""
user_prefs = pickle.loads(data) # Dangerous pickle deserialization
return user_prefs
def backup_database(self, backup_name):
"""Command injection vulnerability"""
os.system(f"mysqldump -u {DB_USER} -p{DB_PASSWORD} production > {backup_name}")
def get_user_by_id(self, user_id):
"""Dynamic query building - potential SQL injection"""
base_query = "SELECT * FROM users"
where_clause = " WHERE id = " + str(user_id)
final_query = base_query + where_clause
cursor = self.connection.cursor()
cursor.execute(final_query)
return cursor.fetchone()
test_projects/vulnerable_app/src/utils.rb
+64
View File
@@ -0,0 +1,64 @@
# Ruby file with security vulnerabilities
require 'yaml'
require 'json'
# Hardcoded API credentials
TWITTER_API_KEY = "1234567890abcdefghijklmnopqrstuvw"
TWITTER_API_SECRET = "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijk"
FACEBOOK_APP_ID = "1234567890123456"
FACEBOOK_APP_SECRET = "abcdef1234567890abcdef1234567890"
class SecurityUtils
# Command injection vulnerability
def run_system_command(user_input)
system("echo #{user_input}") # Command injection
end
# Another command injection
def process_file(filename)
`cat #{filename}` # Command injection via backticks
end
# SQL injection in Ruby
def find_user(id)
query = "SELECT * FROM users WHERE id = #{id}" # SQL injection
ActiveRecord::Base.connection.execute(query)
end
# Dangerous eval
def evaluate_expression(expr)
eval(expr) # Code injection vulnerability
end
# YAML deserialization vulnerability
def load_config(yaml_string)
YAML.load(yaml_string) # Unsafe deserialization
end
# Mass assignment vulnerability
def update_user(params)
user = User.find(params[:id])
user.update_attributes(params) # Mass assignment
end
# File operation without validation
def read_file(path)
File.read("../../uploads/#{path}") # Path traversal
end
# Weak password hashing
def hash_password(password)
Digest::MD5.hexdigest(password) # Weak hashing algorithm
end
# Insecure random
def generate_token
rand(999999).to_s # Predictable randomness
end
end
# More credentials
DATABASE_PASSWORD = "ruby_db_password_123"
REDIS_PASSWORD = "redis_cache_password_456"
ELASTICSEARCH_API_KEY = "elastic_api_key_789xyz"