This repository contains a sample application, the "Websites Tester Service", that's vulnerable to a Command Injection vulnerability.
Warning! This application is purposely vulnerable and can trivially be hacked. Don't expose it to the Internet, and don't run it in a production environment. Instead, you can run it locally on your machine, or in a cloud environment on a private VPC.
- Build the image locally:
docker build -t vulnerable-java-application:latest . - Run:
docker run --rm -p 8000:8000 vulnerable-java-application:latest - You can then access the web application at http://127.0.0.1:8000
- Browse to http://127.0.0.1:8000/index.html
- Note how the input allows you to specify domain names such as
google.comand ping them - Note that there is some level of input validation - entering
$(whoami)returnsInvalid domain name: $(whoami) - don't try to hack us! - However, the validation is buggy - notice how you can start the input with a domain name, and execute and command in the container!
