Initial commit

test_projects/vulnerable_app/src/Main.java

@@ -0,0 +1,78 @@
+import java.sql.*;
+import java.io.*;
+import java.util.*;
+
+public class Main {
+    // Hardcoded database credentials
+    private static final String DB_URL = "jdbc:mysql://localhost:3306/production";
+    private static final String DB_USER = "admin";
+    private static final String DB_PASSWORD = "JavaDBPassword123!";
+
+    // API Keys
+    private static final String API_KEY = "sk-proj-1234567890abcdefghijklmnopqrstuvwxyz";
+    private static final String SECRET_TOKEN = "secret_token_abcdef1234567890";
+    private static final String AWS_ACCESS = "AKIAIOSFODNN7EXAMPLE";
+    private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+
+    public class VulnerableApp {
+
+        // SQL Injection vulnerability
+        public void getUserById(String userId) throws SQLException {
+            Connection conn = DriverManager.getConnection(DB_URL, DB_USER, DB_PASSWORD);
+            Statement stmt = conn.createStatement();
+            String query = "SELECT * FROM users WHERE id = " + userId; // SQL injection
+            ResultSet rs = stmt.executeQuery(query);
+        }
+
+        // Another SQL injection with string concatenation
+        public void searchProducts(String searchTerm) throws SQLException {
+            String query = "SELECT * FROM products WHERE name LIKE '%" + searchTerm + "%'";
+            // Vulnerable to SQL injection
+        }
+
+        // Command injection vulnerability
+        public void executeCommand(String filename) throws IOException {
+            Runtime.getRuntime().exec("cat " + filename); // Command injection
+        }
+
+        // Path traversal vulnerability
+        public void readFile(String filename) throws IOException {
+            File file = new File("/var/www/uploads/" + filename); // Path traversal
+            FileInputStream fis = new FileInputStream(file);
+        }
+
+        // XXE vulnerability
+        public void parseXML(String xmlInput) {
+            // XML parsing without disabling external entities
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            // Vulnerable to XXE attacks
+        }
+
+        // Insecure deserialization
+        public Object deserialize(byte[] data) throws Exception {
+            ByteArrayInputStream bis = new ByteArrayInputStream(data);
+            ObjectInputStream ois = new ObjectInputStream(bis);
+            return ois.readObject(); // Insecure deserialization
+        }
+
+        // Weak cryptography
+        public String hashPassword(String password) {
+            MessageDigest md = MessageDigest.getInstance("MD5"); // Weak hashing
+            return new String(md.digest(password.getBytes()));
+        }
+
+        // Hardcoded encryption key
+        private static final String ENCRYPTION_KEY = "MySecretEncryptionKey123";
+
+        // LDAP injection
+        public void authenticateUser(String username, String password) {
+            String filter = "(uid=" + username + ")"; // LDAP injection
+            // Vulnerable LDAP query
+        }
+    }
+
+    // More hardcoded secrets
+    private static final String STRIPE_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc";
+    private static final String GITHUB_TOKEN = "ghp_1234567890abcdefghijklmnopqrstuvwxyz";
+    private static final String PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQ...";
+}

test_projects/vulnerable_app/src/api_handler.py

@@ -0,0 +1,71 @@
+"""
+API handler with various security vulnerabilities
+"""
+
+# Copyright (c) 2025 FuzzingLabs
+#
+# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
+# at the root of this repository for details.
+#
+# After the Change Date (four years from publication), this version of the
+# Licensed Work will be made available under the Apache License, Version 2.0.
+# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
+#
+# Additional attribution and requirements are provided in the NOTICE file.
+
+import os
+import subprocess
+import jwt
+
+# More hardcoded secrets
+SECRET_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0Z7VS5JJ...fake...private...key
+-----END RSA PRIVATE KEY-----"""
+STRIPE_API_KEY = "sk_live_4eC39HqLyjWDarjtT1zdp7dc"
+
+class APIHandler:
+    def __init__(self):
+        self.token = SECRET_TOKEN
+
+    def process_user_input(self, user_data):
+        """Dangerous eval usage - code injection"""
+        # This is extremely dangerous!
+        result = eval(user_data)  # Code injection vulnerability
+        return result
+
+    def execute_command(self, command):
+        """Command injection via subprocess with shell=True"""
+        result = subprocess.call(command, shell=True)  # Command injection risk
+        return result
+
+    def run_system_command(self, filename):
+        """Another command injection vulnerability"""
+        os.system("cat " + filename)  # Command injection
+
+    def process_template(self, template_string, data):
+        """Template injection vulnerability"""
+        compiled = compile(template_string, '<string>', 'exec')
+        exec(compiled, data)  # Code execution vulnerability
+        return data
+
+    def generate_dynamic_function(self, code):
+        """Dynamic function creation - code injection"""
+        func = eval(f"lambda x: {code}")  # Dangerous eval
+        return func
+
+    def authenticate_user(self, token):
+        """JWT token in code"""
+        decoded = jwt.decode(token, SECRET_TOKEN, algorithms=["HS256"])
+        return decoded
+
+    def get_file_contents(self, filepath):
+        """Path traversal vulnerability"""
+        # No validation of filepath - could access any file
+        with open(filepath, 'r') as f:
+            return f.read()
+
+    def log_user_action(self, user_input):
+        """Log injection vulnerability"""
+        log_message = f"User action: {user_input}"
+        os.system(f"echo '{log_message}' >> /var/log/app.log")  # Command injection via logs

test_projects/vulnerable_app/src/app.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+    "database/sql"
+    "fmt"
+    "os/exec"
+    "net/http"
+)
+
+// Hardcoded credentials and secrets
+const (
+    DBPassword = "GoDBPassword123!"
+    APIKey = "api_key_golang_1234567890abcdefghij"
+    JWTSecret = "super_secret_jwt_key_golang"
+    AWSAccessKey = "AKIAIOSFODNN7EXAMPLE"
+    AWSSecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+    StripeAPIKey = "sk_test_4eC39HqLyjWDarjtT1zdp7dc"
+    SlackWebhook = "https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXX"
+)
+
+// Private keys
+var privateKey = `-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA4f5wg5l2iFFGH3FakeKeyForTesting1234567890
+-----END RSA PRIVATE KEY-----`
+
+type App struct {
+    db *sql.DB
+}
+
+// SQL Injection vulnerability
+func (a *App) GetUser(userID string) {
+    query := fmt.Sprintf("SELECT * FROM users WHERE id = %s", userID) // SQL injection
+    rows, _ := a.db.Query(query)
+    defer rows.Close()
+}
+
+// Another SQL injection
+func (a *App) SearchProducts(search string) {
+    query := "SELECT * FROM products WHERE name LIKE '%" + search + "%'" // SQL injection
+    a.db.Query(query)
+}
+
+// Command injection
+func ExecuteCommand(input string) {
+    cmd := exec.Command("sh", "-c", "echo "+input) // Command injection
+    cmd.Run()
+}
+
+// Path traversal
+func ReadFile(filename string) {
+    path := "/var/www/uploads/" + filename // Path traversal vulnerability
+    // Read file without validation
+}
+
+// Hardcoded MongoDB connection string
+const MongoDBURI = "mongodb://admin:password123@localhost:27017/mydb"
+
+// Bitcoin private key
+const BitcoinPrivateKey = "5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS"
+
+// Ethereum private key
+const EthereumPrivateKey = "0x4c0883a69102937d6231471b5dbb6204fe512961708279f3e2e1a2e4567890abc"
+
+// More API keys
+var (
+    TwilioAccountSID = "AC1234567890abcdefghijklmnopqrstuv"
+    TwilioAuthToken = "1234567890abcdefghijklmnopqrstuv"
+    SendGridAPIKey = "SG.1234567890.abcdefghijklmnopqrstuvwxyz"
+    GitHubToken = "github_pat_11AAAAAAA_1234567890abcdefghijklmnop"
+)
+
+func main() {
+    // Insecure HTTP server
+    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+        userInput := r.URL.Query().Get("input")
+        // No input validation
+        fmt.Fprintf(w, "User input: %s", userInput) // Potential XSS
+    })
+    http.ListenAndServe(":8080", nil)
+}

test_projects/vulnerable_app/src/database.py

@@ -0,0 +1,78 @@
+"""
+Database connection module with various security issues
+"""
+
+# Copyright (c) 2025 FuzzingLabs
+#
+# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
+# at the root of this repository for details.
+#
+# After the Change Date (four years from publication), this version of the
+# Licensed Work will be made available under the Apache License, Version 2.0.
+# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
+#
+# Additional attribution and requirements are provided in the NOTICE file.
+
+import mysql.connector
+import pickle
+import os
+
+# Hardcoded database credentials (will trigger secret detection)
+DB_HOST = "production.database.com"
+DB_USER = "admin"
+DB_PASSWORD = "SuperSecretPassword123!"
+API_KEY = "sk-1234567890abcdef1234567890abcdef"
+AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+
+class DatabaseManager:
+    def __init__(self):
+        self.connection = None
+
+    def connect(self):
+        """Connect to database with hardcoded credentials"""
+        self.connection = mysql.connector.connect(
+            host=DB_HOST,
+            user=DB_USER,
+            password=DB_PASSWORD,
+            database="production"
+        )
+
+    def execute_query(self, user_input):
+        """Vulnerable to SQL injection - concatenating user input"""
+        query = "SELECT * FROM users WHERE username = '" + user_input + "'"
+        cursor = self.connection.cursor()
+        cursor.execute(query)  # SQL injection vulnerability
+        return cursor.fetchall()
+
+    def search_products(self, search_term, category):
+        """Another SQL injection vulnerability using string formatting"""
+        query = f"SELECT * FROM products WHERE name LIKE '%{search_term}%' AND category = '{category}'"
+        cursor = self.connection.cursor()
+        cursor.execute(query)
+        return cursor.fetchall()
+
+    def update_user_profile(self, user_id, data):
+        """SQL injection via string interpolation"""
+        query = "UPDATE users SET profile = '%s' WHERE id = %s" % (data, user_id)
+        cursor = self.connection.cursor()
+        cursor.execute(query)
+        self.connection.commit()
+
+    def load_user_preferences(self, data):
+        """Insecure deserialization vulnerability"""
+        user_prefs = pickle.loads(data)  # Dangerous pickle deserialization
+        return user_prefs
+
+    def backup_database(self, backup_name):
+        """Command injection vulnerability"""
+        os.system(f"mysqldump -u {DB_USER} -p{DB_PASSWORD} production > {backup_name}")
+
+    def get_user_by_id(self, user_id):
+        """Dynamic query building - potential SQL injection"""
+        base_query = "SELECT * FROM users"
+        where_clause = " WHERE id = " + str(user_id)
+        final_query = base_query + where_clause
+        cursor = self.connection.cursor()
+        cursor.execute(final_query)
+        return cursor.fetchone()

test_projects/vulnerable_app/src/utils.rb

@@ -0,0 +1,64 @@
+# Ruby file with security vulnerabilities
+
+require 'yaml'
+require 'json'
+
+# Hardcoded API credentials
+TWITTER_API_KEY = "1234567890abcdefghijklmnopqrstuvw"
+TWITTER_API_SECRET = "abcdefghijklmnopqrstuvwxyz1234567890abcdefghijk"
+FACEBOOK_APP_ID = "1234567890123456"
+FACEBOOK_APP_SECRET = "abcdef1234567890abcdef1234567890"
+
+class SecurityUtils
+  # Command injection vulnerability
+  def run_system_command(user_input)
+    system("echo #{user_input}")  # Command injection
+  end
+
+  # Another command injection
+  def process_file(filename)
+    `cat #{filename}`  # Command injection via backticks
+  end
+
+  # SQL injection in Ruby
+  def find_user(id)
+    query = "SELECT * FROM users WHERE id = #{id}"  # SQL injection
+    ActiveRecord::Base.connection.execute(query)
+  end
+
+  # Dangerous eval
+  def evaluate_expression(expr)
+    eval(expr)  # Code injection vulnerability
+  end
+
+  # YAML deserialization vulnerability
+  def load_config(yaml_string)
+    YAML.load(yaml_string)  # Unsafe deserialization
+  end
+
+  # Mass assignment vulnerability
+  def update_user(params)
+    user = User.find(params[:id])
+    user.update_attributes(params)  # Mass assignment
+  end
+
+  # File operation without validation
+  def read_file(path)
+    File.read("../../uploads/#{path}")  # Path traversal
+  end
+
+  # Weak password hashing
+  def hash_password(password)
+    Digest::MD5.hexdigest(password)  # Weak hashing algorithm
+  end
+
+  # Insecure random
+  def generate_token
+    rand(999999).to_s  # Predictable randomness
+  end
+end
+
+# More credentials
+DATABASE_PASSWORD = "ruby_db_password_123"
+REDIS_PASSWORD = "redis_cache_password_456"
+ELASTICSEARCH_API_KEY = "elastic_api_key_789xyz"