I've removed comments from the source code of the app that directly indicate which application route refers to which vulnerability type and moved them into this separate file to give people the opportunity to try and identify vulnerabilities in the code without the additional "help".
The application's routes each carry a comment with a numbered vulnerability listing. The vulnerability type associated with each route is listed below.
- Cookie setter/getter - Python "pickle" deserialisation vulnerability
- DNS lookup - OS command injection
- Python expression evaluation - code injection
- XML Parser - XML External Entity injection
- View application configuration settings - padding oracle
- Receive personalised greeting - Server Side Template Injection
- List products and services - SQL injection
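For the first item in the list, a self-contained illustration of why a pickle-backed cookie getter is a remote code execution primitive and what a hardened replacement looks like. This is an added example, not code from the app: the function names, the cookie layout (base64 payload, then a dot, then an HMAC-SHA256 tag) and the secret key are assumptions made for the demonstration. The forged payload uses `eval` on a harmless expression so the demo is safe to run; an attacker would point `__reduce__` at `os.system` or similar instead.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Assumption for this example: a server-side secret that never reaches the client.
SECRET_KEY = b"example-only-secret-change-me"


# --- Vulnerable pattern: the cookie is a base64-encoded pickle ---------------

def set_cookie_vulnerable(session_obj) -> str:
    """Serialise the session object with pickle (the pattern the list describes)."""
    return base64.b64encode(pickle.dumps(session_obj)).decode()


def get_cookie_vulnerable(cookie_value: str):
    """Unpickle whatever the client sent back. pickle.loads invokes attacker-chosen
    callables while deserialising, so this is remote code execution."""
    return pickle.loads(base64.b64decode(cookie_value))


class ForgedCookiePayload:
    """What an attacker serialises: __reduce__ tells pickle which callable to call
    on load. eval on a harmless expression keeps this demo safe; a real attacker
    would return (os.system, ("<shell command>",)) or similar."""

    def __reduce__(self):
        return (eval, ("6 * 7",))


def forge_cookie() -> str:
    """Build the malicious cookie value entirely client-side; no secret is needed."""
    return base64.b64encode(pickle.dumps(ForgedCookiePayload())).decode()


# --- Hardened pattern: JSON payload, HMAC-SHA256 tag, verify-then-parse ------

def _sign(payload_b64: bytes) -> str:
    return hmac.new(SECRET_KEY, payload_b64, hashlib.sha256).hexdigest()


def set_cookie_safe(session_obj) -> str:
    """Serialise to JSON (data only, no code) and append an HMAC over the payload."""
    payload_b64 = base64.urlsafe_b64encode(
        json.dumps(session_obj, separators=(",", ":")).encode()
    )
    return f"{payload_b64.decode()}.{_sign(payload_b64)}"


def get_cookie_safe(cookie_value: str):
    """Reject anything without a valid tag before touching the payload at all."""
    payload_b64, sep, tag = cookie_value.rpartition(".")
    if not sep:
        raise ValueError("malformed cookie: no signature")
    expected = _sign(payload_b64.encode())
    # Constant-time comparison; a plain == would leak the tag byte by byte.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("cookie signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def cookie_is_accepted(cookie_value: str) -> bool:
    """True if the hardened getter accepts the cookie, False if it rejects it."""
    try:
        get_cookie_safe(cookie_value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forge_cookie()
    print("vulnerable getter returned:", get_cookie_vulnerable(forged))  # eval ran
    good = set_cookie_safe({"user": "alice"})
    print("safe getter returned:", get_cookie_safe(good))
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
    for bad in (forged, tampered, "x" + good):
        print("safe getter accepts", repr(bad[:16]) + "...:", cookie_is_accepted(bad))
```

The signed-JSON version stops deserialisation-driven code execution and tampering, but it does not hide the payload: anything in the cookie is still readable by the client, so secrets belong server-side, not in the session object.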