Skip to content

A vulnerable Elixir and Phoenix application for learning web security

Notifications You must be signed in to change notification settings

mindvalley/elixir-vuln-app

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Potion Shop

Potion Shop is an intentionally vulnerable Elixir/Phoenix application, for teaching developers about web application security. This project is vulnerable to common vulnerabilities such as XSS, CSRF, and RCE.

Potion Shop

Warning - Do not deploy this application in your production environment. Attackers can exploit Potion Shop to gain access to the underlying server, then use this access to further compromise your network.

Setup

This guide assumes you have Erlang and Elixir running locally. See Installing Elixir and Erlang With ASDF if you need help with this step.

Elixir "~> 1.13"
Phoenix "~> 1.5.15"

* Install dependencies with `mix deps.get`
* Create and migrate your database with `mix ecto.setup`
* Start Phoenix endpoint with `mix phx.server` or inside IEx with `iex -S mix phx.server`

Getting Started

If you are experienced with Elixir, Phoenix, and web security, see the self_guided.md document. It assumes the reader is familiar with vulnerabilities such as XSS, CSRF, and RCE. The methodology for finding these issues is not covered as well.

For a walkthrough of the Potion Shop application, and guidance on how to find security problems, see tutorial.md. This document provides an introduction to web application security, Elixir security tools, and exposition on the risk of each vulnerability.

For a description of where each vulnerability is located, see answers.md. It is highly recommended to avoid reading the answers when using Potion Shop for your own education. Use this document to check your own understanding, after reading tutorial.md and putting in effort to uncover each security issue.

Authors

Michael Lubas (Paraxial.io) - https://www.linkedin.com/in/michaellubas/

Jonathan Kilby - https://www.linkedin.com/in/jonathankilby1991/

Project Sponsors

Potion Shop is funded through the generous support of the Erlang Ecosystem Foundation.

Potion Shop is sponsored by Paraxial.io, an application security platform for Elixir and Phoenix.

About

A vulnerable Elixir and Phoenix application for learning web security

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Elixir 80.1%
  • HTML 10.4%
  • CSS 8.0%
  • JavaScript 1.5%