
oxeye-daniel/go-dvwa

 
 


Sqreen's Go Damn Vulnerable Web App

This Go web server is a vulnerable application demonstration, protected by Sqreen.

It currently includes the following vulnerabilities:

  • SQL injection: /products accepts a URL query parameter category whose value is injected into the SQL query (e.g. /products?category=all%27%20UNION%20SELECT%20*%20FROM%20user%27).
  • Shell injection
  • NoSQL injection
  • Server-Side Request Forgery
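
The SQL injection item above, as an added example that is not code from this repository: it decodes the request shown in the README, builds the query by concatenation and with a bind parameter, and shows which part of the concatenated string the database would parse as SQL syntax. The query shape, the product table name and all function names are assumptions, since the README does not show the application's SQL.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Assumed query shape; table and column names are hypothetical.
const prefix = "SELECT * FROM product WHERE category = '"
const safeQuery = "SELECT * FROM product WHERE category = ?"

// categoryFrom returns the decoded "category" parameter of a request URL.
func categoryFrom(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	return u.Query().Get("category")
}

// buildUnsafe is the vulnerable pattern: input is spliced into the SQL text.
func buildUnsafe(category string) string { return prefix + category + "'" }

// buildSafe keeps the statement constant; the value is a bind argument,
// to be passed as db.Query(q, args...) with database/sql.
func buildSafe(category string) (string, []interface{}) {
	return safeQuery, []interface{}{category}
}

// sqlOutsideLiterals drops single-quoted literals, leaving the SQL syntax.
func sqlOutsideLiterals(sql string) string {
	var b strings.Builder
	inLiteral := false
	for _, r := range sql {
		if r == '\'' {
			inLiteral = !inLiteral
		} else if !inLiteral {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func main() {
	// Request taken from the README's SQL injection bullet.
	cat := categoryFrom("/products?category=all%27%20UNION%20SELECT%20*%20FROM%20user%27")
	fmt.Println("benign syntax:", sqlOutsideLiterals(buildUnsafe("all")))
	fmt.Println("unsafe syntax:", sqlOutsideLiterals(buildUnsafe(cat)))
	q, args := buildSafe(cat)
	fmt.Printf("safe: %s args=%q\n", q, args)
}
```

With concatenation, the text after the first closing quote leaves the string literal and becomes part of the statement; with the bind parameter, the statement text never changes and the whole value stays data.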

The web app comes with Sqreen for Go, which can be enabled by running the app with a valid Sqreen configuration, obtainable at https://my.sqreen.com/. Once enabled, the agent should protect the application according to the application security configuration you enabled.

Quick Start

The pre-compiled go-dvwa docker image can be used to simply run the web application. The HTTP server listens on the TCP address 0.0.0.0:8080, so you can expose it with docker:

$ docker run -it -p 8080:8080 go-dvwa

The vulnerable web app starts regardless of Sqreen's agent. The agent starts when it has a valid configuration with Sqreen credentials, which you can get at https://my.sqreen.com/. You can pass them using the container's environment variables:

$ docker run -it -p 8080:8080 -e SQREEN_TOKEN=<token> -e SQREEN_APP_NAME="Go DVWA" go-dvwa

The web app vulnerabilities should now be blocked by Sqreen :-)

Sqreen for Go

Compile from sources

With docker builder

The simplest way to build this repository is by using the latest docker builder which can take a git repository source. Simply run the following command to build the latest go-dvwa docker image of this repository:

$ docker builder build github.com/sqreen/go-dvwa.git

Once built, you can simply run the image and pass the Sqreen configuration to the container via environment variables:

$ docker run -e SQREEN_TOKEN=<token> -e SQREEN_APP_NAME="Go DVWA" -p 8080:8080 go-dvwa

The Go web application is now running and you can access it at http://127.0.0.1:8080/.

From sources

Clone the repository and use the Makefile:

$ make

Once compiled, you can execute the binary file dvwa. Sqreen's agent configuration can then be passed by file or environment variable.

$ ./dvwa

The Go web application is now running and you can access it at http://127.0.0.1:8080/.

Note that the docker image can also be built using the Makefile:

$ make image

See the previous docker image instructions for how to start the container.
