Home

Awesome

Go Test Bench

CI Go Report Card GoDoc License: MIT

Intentionally vulnerable go app. Used Go's standard library, net/http, for client/server implementations. For more info on this framework, visit net/http.

The go-test-bench application includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals. Any maintainers are welcome to make pull requests.

For customer demonstrations click here to follow the Demo.md readme.

Installation Requirements

How to Run Locally

    go build -o app ./cmd/std
    ./app

To run with gin instead, substitute gin for std in the build command; likewise for go-swagger and julienschmidt.

View app at http://localhost:8080

How to Run Using Docker

    # To stand up application with standard library
    docker-compose up std -d
    # Alternative: To stand up application with Gin framework
    # docker-compose up gin -d
    # To stand up application with Julienschmidt/httprouter:
    # docker-compose up julienschmidt -d

    # To stop app container and related service containers
    docker-compose down

View app at http://0.0.0.0:8080

Acknowledgements

The development team.

Experimenting with the code

organization

quirks

Each framework is different. We've tried to separate framework logic from vulnerability logic so that adding a framework necessitates a minimum of changes to vulnerability logic, and vice versa.

swagger

Swagger is a bit unique, in that it has a lot of generated code and requires a swagger spec. To maintain a single source of truth, we generate the swagger spec from our route data. We also generate boilerplate tying a route handler to each swagger endpoint.

For details, see cmd/go-swagger/README.md