This repo explores .NET Framework and .NET serialization vulnerabilities. This documentation also includes instructions for configuring vulnerable API test environments.
Juice Shop Vulnerabilities
Serialization Vulnerabilities
Serialization vulnerabilities and this documentation is maintained on Github at:
Vulnerable API, GraphQL, and Website hosts can be used to build an vulnerability testing environment. OWASP maintains a list of vulnerable test projects at OWASP Vulnerable Web Applications Directory.
One of the most popular and maintained externally available vulnerable sites are:
| Site | Owner |
|---|---|
| Gin and Juice Shop | PortSwigger |
| OWASP Juice Shop | OWASP |
| Hack This Site | Hack This Site staff |
WebGoat.NET
Damn Vulnerable C# Application (API)
Use these steps to install and run the Completely Ridiculous API. This surfaces the OWASP Top 10 API Security Risks.
Open an Ubuntu shell from a DOS or Powershell terminal:
wsl
Install the crAPI docker containers from an Ubuntu terminal:
curl -o docker-compose.yml https://raw.githubusercontent.com/OWASP/crAPI/main/deploy/docker/docker-compose.yml
sudo docker-compose pull
Launch the crAPI docker containers
sudo docker-compose -f docker-compose.yml --compatibility up -d
GraphQL is increasing in popularity and is in use at Facebook, Netflix, IBM, AWS, and Azure.
Open an Ubuntu shell from a DOS or Powershell terminal:
wsl
Install the Damn Vulnerable GraphQL container:
sudo docker pull dolevf/dvga
Launch the Damn Vulnerable GraphQL container:
sudo docker run -t -p 5013:5013 -e WEB_HOST=0.0.0.0 dolevf/dvga