mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-02-12 20:32:46 +00:00

Files

tduhamel42 87e3262832 docs: Remove obsolete volume_mode references from documentation

The volume_mode parameter is no longer used since workflows now upload files to MinIO storage instead of mounting volumes directly. This commit removes all references to volume_mode from:

- Backend API documentation (README.md)
- Tutorial getting started guide
- MCP integration guide
- CLI AI reference documentation
- SDK documentation and examples
- Test project documentation

All curl examples and code samples have been updated to reflect the current MinIO-based file upload approach.

2025-10-16 11:36:53 +02:00

.github/workflows

Initial commit

2025-09-29 21:26:41 +02:00

config

Initial commit

2025-09-29 21:26:41 +02:00

scripts

Initial commit

2025-09-29 21:26:41 +02:00

src

Initial commit

2025-09-29 21:26:41 +02:00

app.py

CI/CD Integration with Ephemeral Deployment Model (#14 )

2025-10-14 10:13:45 +02:00

README.md

docs: Remove obsolete volume_mode references from documentation

2025-10-16 11:36:53 +02:00

requirements.txt

Initial commit

2025-09-29 21:26:41 +02:00

README.md

Vulnerable Test Application

This is a TEST PROJECT designed to trigger security findings in the FuzzForge security assessment workflow.

⚠️ WARNING: This application contains intentional security vulnerabilities for testing purposes only. DO NOT use any of this code in production!

Vulnerabilities Included

Hardcoded Secrets

Database passwords
API keys (AWS, Stripe, GitHub, etc.)
JWT secrets
Private keys (RSA, Bitcoin, Ethereum)
OAuth tokens

Code Injection

eval() usage in multiple languages
exec() and system() calls
Dynamic function creation
Template injection

SQL Injection

String concatenation in queries
String formatting in SQL
Dynamic query building
Parameterless queries

Command Injection

Unsanitized user input in system commands
Shell execution with user data
Subprocess calls with shell=True

Path Traversal

Unvalidated file paths
Directory traversal patterns
Insecure file operations

Other Vulnerabilities

XSS vulnerabilities
Insecure deserialization
Weak cryptography (MD5, weak random)
CORS misconfigurations
Debug mode enabled

Files Overview

src/ - Source code with various vulnerabilities
- database.py - Python with SQL injection and hardcoded secrets
- api_handler.py - Python with eval and command injection
- utils.rb - Ruby vulnerabilities
- Main.java - Java security issues
- app.go - Go vulnerabilities
scripts/ - Script files
- deploy.php - PHP vulnerabilities
- backup.js - JavaScript security issues
config/ - Configuration files
- settings.py - Hardcoded credentials
- database.yaml - Database passwords
.env - Environment file with secrets
private_key.pem - Private key file
wallet.json - Cryptocurrency wallets
.github/workflows/ - CI/CD with hardcoded secrets

Expected Findings

When running the security assessment workflow, you should see:

Multiple hardcoded secrets detected
SQL injection vulnerabilities
Command injection risks
Dangerous function usage
Sensitive file discoveries

Testing

To test with FuzzForge:

curl -X POST "http://localhost:8000/workflows/security_assessment/submit" \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app",
    "parameters": {
      "scanner_config": {"check_sensitive": true},
      "analyzer_config": {"check_secrets": true, "check_sql": true}
    }
  }'

Note

This is purely for testing security scanning capabilities. All credentials and keys are fake/example values.