This is a CFML web application that intentionally contains many many security vulnerabilties for training purposes. It is used in Foundeo's ColdFusion Security Training Course.
Here's a listing of some of the vulnerabilities you can find in this application:
- SQL Injection
- Cross Site Scripting (XSS)
- Path Traversals
- Remote Code Execution
- File Upload Vulnerabilities
- Insecure Password Storage
- Cross Site Request Forgery
- Insufficient Authentication/Authorization
- Timing Attacks
Please run this in a virtual machine and keep restricted to localhost so you do not compromise your computer.
Requires CF11+ or Lucee 4.5+.
cd /somewhere/
git clone https://github.com/foundeo/cfml-security-training.git .
We'll use commandbox or box for short to spin up a local CFML server. You can download it here: https://www.ortussolutions.com/products/commandbox#download, please read the commandbox installation docs for more info.
Start up a CFML server, using commandbox you can just do:
cd wwwroot
box server start cfengine=adobe@2016
The above will start up a CF2016 server on a random port number and open your default web browser to the server.
By default it is setup to use Apache Derby, which should work well for Adobe ColdFusion engines (since it is included by default). If you are using Lucee or want to use MySQL instead of Derby please follow these instructions:
-
Create a empty database called
bankofinsecurity -
Create a user account
bankofiwith passwordbankofi -
If running on Adobe ColdFusion you will need to add the MySQL database driver to your lib directory in
~/.CommandBox/server/{server-id}/adobe-{version}/WEB-INF/lib
Some of this work was inspired by the HackableType application buily by Pete Freitag & Jason Dean way back in 2010. This is an attempt to modernize and simplify.
If you are in need of CFML security training at your organization, please contact Foundeo Inc.