Where to find vulnerable code examples?

Where can I find brief examples of code that is vulnerable to cross site scripting, SQL injection, and others?

Disclaimer: I'm not going to use this code to do harm; we're hoping to use it as a test in part of the interview process.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Mooseboost

I've been messing with hack.me recently - it is a pretty good resource.

OWASP Mutillidae is another good resource as well. You can get it here: https://sourceforge.net/projects/mutillidae/

As far as actual source code goes, I don't know of anywhere to get just that. But, these two should allow someone to prove they have basic web application testing down.

NetworkNewb

Troy Hunt has a site people access to do things
https://hackyourselffirst.troyhunt.com/

He has video going over the vulnerabilities on it as well.
https://www.youtube.com/watch?v=rdHD6pVG66Q

wastedtime

I know one I heard of on the OWASP podcast a few months ago was webgoat.

JB3

https://www.owasp.org/index.php/OWASP_Vulnerable_Web_Applications_Directory_Project

ramrunner800

Metasploitable 2 has several vulnerable webapps included in it by default, including Damn Vulnerable Web App, Mutilidae, and WebGoat. The thing you'll need to look out for any of these openly available learning tools is whether or not they're freely available for commercial use. I honestly don't know, but look into it. I'd also recommend checking out the various intentionally vulnerable vm's available on VulnHub.com.

tedjames

Thanks for the information. We really just want to present a candidate with 10-20 lines of code and ask him to tell us what, if anything, is wrong with it.

Techytach

Q: [h=2]Where to find vulnerable code examples?[/h]A: Windows 10

buh dum tsssss

ITSpectre

Techytach wrote: »

Q: Where to find vulnerable code examples?

A: Windows 10

buh dum tsssss

HA!!!!

beads

(*WARNING*)

Malc0de Database

If you know what your doing this is the best place to reach REAL up to date in the wild exploit code. If you are unsure or don't know how to capture these samples, simply stay away from it for your own good. These are not samples but up to date sites and code being used in the wild.

Suggest you have your onion and other tools like PDF Stream Dumper, et. al. up and ready to capture. Script kiddies, please sit this one out.

Hunt and capture at your own risk. I take no responsibility for your own lack of skill in this area.

- b/eads

NetworkNewb

^^^ should probably go to that site in a VM if your gonna play around with it

beads

Yeah but its a treasure trove of badness just waiting at your fingertips. All you need to do is go out and capture all the compiled code, copy scripts, download PEs and viola! You've got a bricked machine!

Hence all the warnings for the pseudo-pen testers out there. This isn't Quake: "Daddy, don't hurt me" setting.

- b/eads

Cyberscum

Google dorks...easy as surfing

Cyberscum

Google Dorks List 2016 | Fresh Google Dorks 2016 for SQLi

Cyberscum wrote: »

Google dorks...easy as surfing

drunkenmaster786

Here is the Google Dorks List 2017 where you can find all SQLi and vulernable codes. some android tricks also.

https://howtechhack.com/google-dorks-list-2017/