IssueBlot.Net is a purposely vulnerable C# application, designed for benchmarking Static Application Security Testing (SAST) tools. This project is inspired by similar projects like WebGoat.NET, and it aims to provide a platform for security enthusiasts and developers to learn about and test the capabilities of various SAST tools.
While there are other vulnerable applications like OWASP Benchmark, Juiceshop, DVWA that contain a variety of vulnerabilities, IssueBlot.Net offers a unique set of challenges focused solely on C# codebase. By providing a comprehensive set of C# specific vulnerabilities, we aim to help security enthusiasts and developers test and improve the effectiveness of their SAST tools.
Use IssueBlot.Net to benchmark the effectiveness of SAST tools. Please note that this application is intentionally vulnerable and should not be deployed in any sensitive or production environment.
Here are some example vulnerabilities found in the project:
- Command Injection in
Bulk/CommandInjection1.cs: allows an attacker to execute arbitrary commands on the server through user-controlled input. - Directory Traversal in
Bulk/DirectoryTraversal1.cs: permits an attacker to access files outside the intended directory structure. - SQL Injection in
Bulk/SQLInjection1.cs: occurs when user-supplied input is not properly validated or sanitized, leading to unauthorized database queries. - Insecure Password-Based Encryption (PBE) Work Factor in
Cryptography/InsecurePBEWorkFactor1.cs: weakens the encryption strength by using an inadequate work factor for password-based encryption. - Deserialization Vulnerability using BinaryFormatter in
Deserialization/BinaryFormatterDS.cs: arises when untrusted data is deserialized, potentially leading to remote code execution or other attacks.
- Command Injection in
Controllers/CodeInjectionController.cs: allows an attacker to execute arbitrary commands on the server through user-controlled input. - SQL Injection in
Controllers/SQLInjController.cs: occurs when user-supplied input is not properly validated or sanitized, leading to unauthorized database queries. - Server-Side Request Forgery (SSRF) in
Controllers/SSRFController.cs: enables an attacker to make unauthorized requests to internal network resources.
- Basic Authentication Vulnerability in
Authentication/BasicAuthentication1.cs: allows authentication credentials to be transmitted without proper encryption or protection. - Insecure Cryptographic Practices in
Cryptography/CustomSSLValidation1.cs: arises from insecure usage of cryptographic functions, weakening the overall security. - Deserialization Vulnerability using FastJson in
Deserialization/FastJsonDeserialization.cs: occurs when untrusted data is deserialized using the FastJson library, potentially leading to remote code execution or other attacks. - Code Injection in
Injection/CodeInjection.cs: allows an attacker to inject and execute arbitrary code within the application context. - XML External Entity (XXE) Injection in
Other/XXE1.cs: allows the parsing of XML input with external entities, leading to potential data disclosure or denial-of-service attacks.
- Client-Side Code Injection in
ClientSideCodeInj.aspx.cs: enables an attacker to inject and execute arbitrary code on the client-side. - Insecure File Upload in
HttpFileCase.aspx.cs: allows an attacker to upload malicious files, potentially leading to remote code execution or unauthorized access. - Parameter Overloading in
ParameterOverloading.aspx.cs: occurs when multiple methods with the same name but different parameter lists are defined, potentially leading to confusion or unexpected behavior.
Please note that this project may have additional vulnerabilities beyond the ones listed here. The purpose of this benchmark project is to demonstrate and raise awareness about common web application vulnerabilities.
The benchmark project "Issublot" utilizes several popular web application frameworks for development. These frameworks provide a foundation for building robust and scalable web applications. The frameworks used in this project include:
- ASP.NET Core MVC:
- ASP.NET Web Forms
- ASP.NET Web API
- WCF (Windows Communication Foundation)
We welcome contributions to IssueBlot.Net. If you have found a bug, want to suggest a feature, or want to propose a vulnerability scenario, please open an issue.
For code contributions, please fork the repository, make your changes, and submit a pull request.
IssueBlot.Net is intentionally vulnerable for educational purposes. We disclaim any liability for misuse of this software.
For any questions or discussions, please open an issue on this repository, and we'll get back to you as soon as possible.