Intentionally vulnerable go app. Used Go's standard library,
net/http, for client/server implementations. For more info on this framework, visit net/http.
The go-test-bench application includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals. Any maintainers are welcome to make pull requests.
For customer demonstrations click here to follow the Demo.md readme.
-
Optional Docker for Mac
- standard library
go build -o app ./cmd/std
./appTo run with gin instead, substitute gin for std in the build command; likewise for go-swagger and julienschmidt.
View app at http://localhost:8080
# To stand up application with standard library
docker-compose up std -d
# Alternative: To stand up application with Gin framework
# docker-compose up gin -d
# To stand up application with Julienschmidt/httprouter:
# docker-compose up julienschmidt -d
# To stop app container and related service containers
docker-compose downView app at http://0.0.0.0:8080
The development team.
- code for vulnerable functions is located in
internal/- exception: vulnerable functions from a particular framework (see below)
- framework-specific code is located under
cmd/andpkg/ - html templates and css are under
views/ - vulnerability and route data is in go structs,
located in the relevant package under
internal/
Each framework is different. We've tried to separate framework logic from vulnerability logic so that adding a framework necessitates a minimum of changes to vulnerability logic, and vice versa.
Swagger is a bit unique, in that it has a lot of generated code and requires a swagger spec. To maintain a single source of truth, we generate the swagger spec from our route data. We also generate boilerplate tying a route handler to each swagger endpoint.
For details, see cmd/go-swagger/README.md